[KLUG Members] samba user permissions

Adam Tauno Williams awilliam at whitemice.org
Tue Jan 4 13:11:20 EST 2005


> > We use policies to control roaming profiles, and it works quite well.
> > You can define some folders to be excluded from propagation (they are
> > always local) and others can be redirected - so for instance the
> > "desktop" is really a folder on a server, "My Document" is a folder in
> > their home directories, same with "Images", etc...
> > This makes it easy to also do things like drop items onto user's
> > desktops.
> Oh. That sounds nice. Is that configured in the smb.conf file? I'll
> check the Samba docs. Do you have an example snippet to look at?

If you mean policies, no.  You create them with poledit.exe, and save
the resulting file into the NETLOGON share as NTCONFIG.POL giving users
read access.  The clients will automagically load these policies into
their registries.

Folders such as for the desktop are created using %magicks in the
smb.conf and perhaps some preexec sleight of hand.  For instance, the
first share the workstation connects to is NETLOGON, so we have a
little .NET app set as the preexec that creates a %u.%m directory that
the user sees as PERSESSION, and then populates it with various files
based upon configuration information in the Dit.  Then simply set the
background image and what-not via policies to \\PERSESSION\background.bmp
(for example) and voila, you can manage at least some
aspects of the *@^$&@* things without losing your mind, or even create
straight-forward web pages (in PHP or whatever) so that non-gurus can
change things around in a controlled, audited, and somewhat
idiot-proofed manner.

NT4 policies (those created with poledit.exe) work with 2000, XP, and
2003.  They have some limitations and problems, but one of the Samba
uber-geniuses is currently working on getting GPOs and AD/XP policies to
work with Samba 3.x.x; and we're outright salivating over those
possibilities.

> > Some (many... most?) applications that are poorly designed (the one in
> > question clearly is) walk all over the registry;  but there are several
> Stupid question 2. Is the Windows user's hive the HKEY_CURRENT_USER
> tree? Is this the tree that users are supposed to be able to edit?
> If so, is this part of the roaming profile so that they don't have to
> set up database access every time?

Yes, it exists in the root of the profile as a .DAT file.
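
Added example, not part of the original post and not the poster's .NET app: a shell sketch of a NETLOGON preexec helper that creates the %u.%m per-session directory described above, rejecting any user or machine name that could escape the base directory. The script name, both directory paths and the skeleton-copy step (standing in for the directory lookup the post mentions) are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, wired up in smb.conf roughly as:
#   [netlogon]
#       root preexec = /usr/local/sbin/persession.sh %u %m
#   [PERSESSION]
#       path = /srv/samba/persession/%u.%m
# All paths and the script name are assumptions for illustration.

PERSESSION_BASE="${PERSESSION_BASE:-/srv/samba/persession}"
PERSESSION_SKEL="${PERSESSION_SKEL:-/srv/samba/persession-skel}"

# Allow only letters, digits, '_' and '-'; no empty value, no leading '-'.
# Dots and slashes are refused so "user.machine" stays one unambiguous
# path component and cannot contain "..".
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create BASE/user.machine, fill it from the skeleton, print its path.
make_persession() {
    user="$1"
    machine="$2"
    valid_name "$user"    || { echo "rejected user name" >&2; return 1; }
    valid_name "$machine" || { echo "rejected machine name" >&2; return 1; }

    dir="$PERSESSION_BASE/$user.$machine"
    # A pre-planted symlink would redirect the files written below.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chmod 750 "$dir" || return 1
    if [ -d "$PERSESSION_SKEL" ]; then
        cp -R "$PERSESSION_SKEL/." "$dir/" || return 1
    fi
    printf '%s\n' "$dir"
}

# Act only when called with exactly two arguments: the user and machine names.
if [ "$#" -eq 2 ]; then
    make_persession "$1" "$2"
fi
```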


