I'm in the process of setting up a Linux/Samba server to replace a NetWare server at the school where I work. The problem I have is that I would like to be able to enable something along the lines of Novell's volatile dynamic local user. I want to be able to set groups so that teacher/staff logins are non-volatile, but student logins are.
We've also considered just using roaming profiles, but we would want to be able to set it so there isn't a copy of the profile kept locally. Even if the profiles aren't saved on the local machine, roaming profiles could still be a pain for us with teachers and students saving large files in their My Documents folders.
I did something like that some time ago for an Internet cafe. All clients (Win2K) used the same profile and could not save any changes to the profile.
1. Make sure clients don't save local copies of profile: I don't exactly remember where that was set up. You have to use mmc on the Windows client and sift through the settings. It's somewhere in there. (And there you'll also find some other interesting restriction possibilities for a setup like yours.)
2. Create a "superclient" user with roaming profile and admin rights. Use this user to set up everything for the client. Also remember for the future to always use this superclient to install software etc. Use the normal admin account only for things that don't/shouldn't influence the clients' profiles.
3. When done, as the superclient copy the profile to a template directory. (put this template directory in the same server directory where the real profiles are kept). Use Windows' profile copying function for that, don't just copy the files (somewhere in Workplace-Properties). Set permissions to allow Everyone. (You might have to create the directory on the server, first. Not sure). Set file permissions for the template directory so that clients can read only, superclient has full permissions.
4. Here comes the magic: In the template profile, rename ntconfig.pol to ntconfig.man. This effectively makes the profile read only. (Gotta love that one...) -- Obviously, don't do this in the superclient profile yet, but only after copying it to the template directory.
5. On the server create symbolic links to the template profile for every user. (Except for the teachers, of course -- they get their own "real" profile directories)
6. Done.
This goes together well with cloned workstations.
When you later make updates to the profile, make sure that you first delete all files/directories in the template profile before copying your new superclient profile. And don't forget to rename ntconfig.pol!
You can still give the clients a "real" home directory so that they can save some files there.
As you can tell, my memory of how I did that is slightly fuzzy, but this should roughly be it.
You also need to configure Windows not to check ownership of the profile, otherwise login will fail. This is also done via mmc.
The relevant snap-in for mmc (I'm using a German version, so these are my back-translations, actual wording may be different): "Policies for Local Machine".
Inside the snap-in you need:
- Administrative Templates
- System
- User Profiles
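
Steps 3 and 5 of the procedure above (a template profile that clients can only read, and a symbolic link to it for every student) can be scripted on the Samba server. This is an added example, not part of the original posts; the directory layout, the `template` directory name and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and names are assumptions.
# Usage (as root on the Samba server), e.g.:
#   lock_template /srv/samba/profiles/template
#   link_profiles /srv/samba/profiles template student1 student2

# lock_template DIR: the owner (the "superclient") keeps full access,
# everyone else may read and traverse but not write.
lock_template() {
    chmod -R u+rwX,go+rX,go-w "$1"
}

# link_profiles ROOT TEMPLATE USER...
# Points ROOT/USER at the shared template for each listed student.
# A real directory (e.g. a teacher's own profile) is never replaced.
# Prints the number of links created; returns 1 if any user was skipped.
link_profiles() {
    root=$1; template=$2; shift 2
    [ -d "$root/$template" ] || { echo "no template: $root/$template" >&2; return 2; }
    made=0; skipped=0
    for user in "$@"; do
        # Reject names that would place the link outside ROOT.
        case $user in
            ''|.|..|*/*)
                echo "skip '$user': not a plain user name" >&2
                skipped=$((skipped + 1)); continue ;;
        esac
        target="$root/$user"
        if [ -L "$target" ]; then
            rm -- "$target"            # stale link: recreate it below
        elif [ -e "$target" ]; then
            echo "skip $user: real profile directory exists" >&2
            skipped=$((skipped + 1)); continue
        fi
        # Relative link: it resolves inside the profile directory itself.
        ln -s -- "$template" "$target"
        made=$((made + 1))
    done
    echo "$made"
    [ "$skipped" -eq 0 ]
}
```

Re-running `link_profiles` after updating the template is safe: existing links are recreated and real profile directories are reported and left untouched.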