Re: [Bug 1064] samba configuration needs to be corrected for domain logons

To: Florian Reitmeir <florian@reitmeir.org>
Cc: debian-edu@lists.debian.org
Subject: Re: [Bug 1064] samba configuration needs to be corrected for domain logons
From: Ronny Aasen <ronny@skolelinux.no>
Date: Wed, 31 Oct 2007 10:13:08 +0100
Message-id: <[🔎] 47284724.1000905@skolelinux.no>
In-reply-to: <[🔎] 20071031084144.GT27501@asa.multi24.com>
References: <[🔎] E1ImxOb-0005CW-Ik@maintainer.skolelinux.no> <[🔎] 20071031084144.GT27501@asa.multi24.com>

Sorry about reordering the mail, but i usualy read from the top down.
>   
>> ------- Additional Comments From ronny@skolelinux.org  2007-10-30 21:09 -------
>> I'm not too fond of too many changes in the samba config. Reasons are manyt,
>> i'll try to explain some.
>>
>> In order not to encourage the use of a operating system without security updates
>> for a long time (like win98) we should realy keep support to the new (NT and
>> later) way of dealing with profiles only. Most of this bug is about win9x.
>>
>>  - profile dir includes desktop and myfiles which are synced at logon
>> This is the windows default, and many sites may very well wish this to be the
>> behaviour, especialy for desktop. I do not have statistics showing how many of
>> the sites would want this feature or not. My point beeing: If we change the
>> default behaviour, a different group of admins must implement changes to get
>> their desiered behavior. And this group would have a harder time implementing
>> common changes from online documentation and howto's since the starting point of
>> samba's configuration would divert a lot more from the samba default.
>>
>>
>>  - profile directory should be put to its own share (especially if
>>    you are interested in one centralised mandatory profile).
>> This is also very site spesific, unix users get their own homedir, with their
>> own configuration for various software, why should samba users be different ?
>> Personaly i want the profile dir within the homedir, to keep user files in one
>> location and ease quota management. I find it better to stick with samba's
>> default then to invent our own default, that admins anyway must tweak into their
>> desired configuration. 
>>
>> Most importantly. Keep the number of changes as low as possible between default
>> and our own. 
>>
>> the only change i dont mind is changing  profile into  .profile, But I do not
>> see the big advantage, (security by obscurity = no security)
>>
>> I suggest closing as WONTFIX 
>>
>> Ronny Aasen
>>     
>
>   
Florian Reitmeir wrote:

> Hi,
>
> i only had troubles using "roaming" profiles. I think thats the correct
> samba-term for the feature.
>
> roaming profiles, are really bad.
> - if no quota is uses, users will use massive space on the server
>
> - if quota on the server is used:
> 	- normal users aren't aware that their windows profile is accounted as
> 		space for their profile
> 	- users wonder why their login will take sometimes minutes..
> 	- users wonder why their quota is exceeded
>
> 	really bad:
> 	- if the quota is exceed, no login is possible on the windows machine, it
> 		will login in some "rescue mode" with an new empty profile
> 	
> 	- there are no good tools to my knowledge to "clean" a windows profile
> 		from garbage, like local "outlook" folders, an endless growing registry..
>
> 	- some windows programms are really broken, they simple do not work when
> 		profiles are active, worse, they break completly.
>
>
> i believe "best practise" would be, to disable profiles at all, and tell the
> users to save their work in the home directory on the server.
>
> And if someone has many windows machines, and whats to use profiles, document
> it in the wiki how to do it right.
>   

we use roaming profiles for all the windows machienes and realy do
depend on it.
In my opinion the best solution is to educate the users, yes it's the
most work.

the second best is to exclude some things from the profile. eg redirect
my documents to home/priv, and not sync things like IE cache, local
settings and temp areas. (this is very site/application spesific so a
sane default is hard to do)

the third (worst) to disable roming profiles.  for other sites this is
perhaps the best solution :)

Alas needs are allways different, and if some school can afford lisence
costs for windows they should be able to  afford the cost of maintaining
them as well. It's not like this is any less a problem on a pure windows
system.

And in the end. it's better to stick close to the default and have the
benefit of the huge amount of documentation online, then to create our
own defaults that will be very debian edu spesific, and only change the
group of users that must do manual tweaks.

ofcourse if 99% wanted to disable profiles i would be inclined to agree,
but i do not think that's the case.


Ronny

Reply to:

Follow-Ups:
- Re: [Bug 1064] samba configuration needs to be corrected for domain logons
  - From: RalfGesellensetter <rgx@gmx.de>
- Re: [Bug 1064] samba configuration needs to be corrected for domain logons
  - From: Florian Reitmeir <florian@reitmeir.org>

References:
- [Bug 1064] samba configuration needs to be corrected for domain logons
  - From: bugzilla-skolelinux@maintainer.skolelinux.no
- Re: [Bug 1064] samba configuration needs to be corrected for domain logons
  - From: Florian Reitmeir <florian@reitmeir.org>

Prev by Date: [Bug 1270] samba groupmaps are missing after installation
Next by Date: [Bug 1265] bashims in apache2 startscript
Previous by thread: Re: [Bug 1064] samba configuration needs to be corrected for domain logons
Next by thread: Re: [Bug 1064] samba configuration needs to be corrected for domain logons
Index(es):
- Date
- Thread