[K12OSN] disable roaming profiles samba/ldap

Doug Simpson simpsond at leopards.k12.ar.us
Tue Jan 3 16:34:37 UTC 2006


On Tue, 3 Jan 2006, David Trask wrote:

> So, here's what you do.  Use DeepFreeze and freeze the windows machines. 
> (This is what we do)  We use roaming profiles as we want kids and staff to
> be able to roam freely.  DeepFreeze is installed on all windows machines
> for obvious reasons (to keep Windows intact and to prevent viruses from
> "sticking").  I have the machines set to login automatically as an admin
> user (who cares if they do anything...it's frozen and thus won't
> stick)....to login as themselves they simply log off and login (the
> auto-login allows me to do admin tasks in bulk such as "thaw-all" and push
> packages)  anyway.....the profiles get written locally as well as to the
> server, but once the machine reboots all the profiles are gone from the
> local machine.  No worries!  :-)   DeepFreeze is very inexpensive and
> worth EVERY penny!
> 

The only hole in this method is that you have no way of restricting 
students who don't follow your AUP.  They can just sit down at any 
computer that is already logged in and go wherever they want and do 
whatever they want, unrestricted.

Our method requires them to have a valid username before they can use any 
computer, and therefore, we have the ability to lock accounts if needed. 
Can also unlock automatically for classes where computer use is required, 
like Word Processing.

With DriveShield, you can unlock the computer no matter who is logged in, 
or even if there is no one logged in on it, from a remote location. In the 
case of updates, we do not leave autoupdate turned on.  We just unlock and 
update once in a while.  They may be vulnerable, but they are also locked, 
so any ghoulies that get in there are gone upon reboot, anyway.


> "Support list for opensource software in schools." <k12osn at redhat.com> on
> Tuesday, January 03, 2006 at 10:36 AM +0000 wrote:
> >Profiles have to be allowed to be written by XP or you'll get profile
> >errors every time you login and logout, shutdown, etc.
> >
> >Teachers' profiles are left to work because they generally sit at the
> >same computers regularly, so their profile isn't that much to deal with.
> >
> >But with student computers, it is another story.  Every time they login,
> >they get a profile and if they haven't logged in on a computer, that
> >computer then gets a copy of their profile to waste drive space on the
> >local computer, as well as the server drive space. So you have 6 students
> >that use every computer in a classroom over the course of a day.  But the
> >students also login on other computers like library and classrooms,
> >which, guess what, also get copies of the wasting-space profiles.
> >
> >Simply turning off profiles in samba will not alleviate this problem
> >anywhere except server drivespace. Every computer that a student logs
> >into gets a profile from somewhere, and likely it is the default profile
> >from the computer they just logged in on, which gets written right back
> >to the same computer, under a different username so now you have two
> >space-wasters and the drudgery continues for every user that ever logs in
> >on that computer.
> >
> >My solution is this; follow closely as it might get complicated to some.
> >Also, keep in mind that we run linux on our servers here, but not ldap
> >for login.  I know, I still do accounts the old-fashioned way, but you'll
> >see how it may be better this way than using ldap, unless I am just
> >missing something major...
> >
> >First off, the samba server that has the domain that the students login
> >on from student-use computers has the profiles in a different location
> >than the user's home directory, which is the default location. The
> >profiles have their own share on the server.  The share is set up with
> >root preexec and post exec that creates the profile location on login and
> >deletes the profile location on logout for the user. Samba sets up the
> >profile location before it turns it over to Windows on login.  Windows
> >sets up the profile, and the user keeps it as long as they are logged in.
> >Once they logout, and after winders has written the profile and lets go
> >of the share, the post exec deletes the profile directory.  Windows is
> >happy because it wrote the profile successfully, and then the server gets
> >happy because it cleared up the space wasted by the profiles.
> >
> >On the student-access computers, we run DriveShield which is similar to
> >DeepFreeze and other lockdown software. The machines are set up and a
> >default profile is created that contains everything the students need
> >for that computer. Then the computer is locked down.  Unchangeable.
> >
> >When a student logs in on that computer, they have no profile, so winders
> >gets a copy of the default profile, which is minimal to begin with, and
> >gives it to the student.  A copy is also written to the hard drive on
> >the computer. But when the student logs off, it is deleted from the
> >server, and then next time the computer is rebooted, that profile is
> >wiped from the computer.
> >
> >So, there is no drive space wasted on either the server or the computer
> >for student access computers.
> >
> >The domain that teachers log into is different than the domain the
> >students login to.  Students can't use teachers' computers (security
> >risk) because their login will not work on them.  Teachers' logins will
> >not work on student computers, either, but they don't need to anyway.
> >Teachers have access to all students' home directories no matter what
> >computer they are using.
> >
> >I hate profiles!
> >
> >Doug Simpson
> >Technology Specialist
> >DeQueen Public Schools
> >DeQueen, AR 71832
> >simpsond at leopards.k12.ar.us
> >Tux for President!
> >
> >On Tue, 3 Jan 2006, Randall Swift wrote:
> >
> >> "Support list for opensource software in schools." <k12osn at redhat.com> on
> >> Friday, December 30, 2005 at 12:42 PM -0500 wrote:
> >> >can't you simply edit out the roaming profiles portion of smb.conf..?
> >> >chuck
> >> >> Randall Swift wrote:
> >> >>> I have a samba/ldap server doing my authentication and storing home
> >> >>> directories as well as roaming profiles. How do I disable roaming
> >> >>> profiles (setup on core 3 using the smbldap-installer script)? This
> >> >>> server has been running for almost a year now; can I just simply
> >> >>> disable roaming profiles without it affecting the server? Thanks for
> >> >>> the help.
> >> >>>
> >> >>
> >> >> We have roaming profiles too, and I'd love to learn how to disable
> >> >> them! They are kind of a "legacy" from the W2K server we had years ago.
> >> >>
> >> >> Rita Gibson
> >> >> RMSELTech
> >> >>
> >> >> _______________________________________________
> >> >> K12OSN mailing list
> >> >> K12OSN at redhat.com
> >> >> https://www.redhat.com/mailman/listinfo/k12osn
> >> >> For more info see <http://www.k12os.org>
> >> >>
> >> >
> >> >
> >> 
> >> I was thinking that you could comment out the profile section in
> >> smb.conf. I am not an expert and did not know if this would cause any
> >> problems. I really need to know what to do as profiles are a problem
> >> with network traffic. I was hoping there was an easy way to do this but
> >> with few responses I now don't think it is. Any help is appreciated.
> >> Thanks
> >> 
> >> Randy Swift
> >> Network Administrator
> >> Leavitt Area High School
> >> Turner, Maine 04282
> >> (207)225-3533
> >> swift at msad52.k12.me.us
> >> 
> 
> 
> 
> David N. Trask
> Technology Teacher/Director
> Vassalboro Community School
> dtrask at vcsvikings.org
> (207)923-3100
> 
> 
> 
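
The per-login profile share described in the quoted message above (root preexec creates the profile directory, root postexec deletes it), sketched as an added example that is not part of the thread or any poster's actual configuration. The share path, script path and function names are assumptions; the smb.conf parameters shown in the comments are standard Samba options.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed smb.conf, paths are placeholders:
#   [global]
#     logon path = \\%L\profiles\%U
#   [profiles]
#     path = /srv/samba/profiles
#     read only = no
#     root preexec = /usr/local/sbin/profile-dir.sh create %U
#     root preexec close = yes
#     root postexec = /usr/local/sbin/profile-dir.sh remove %U
# %U is the name the client asked for and both hooks run as root, so the
# name is validated before it is ever used as a path component.

PROFILE_ROOT="${PROFILE_ROOT:-/srv/samba/profiles}"

# Accept only plain account names: no "/", no leading dot or dash, not empty.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Logon: create an empty per-user directory for Windows to write into.
create_profile() {
    valid_user "$1" || return 2
    dir="$PROFILE_ROOT/$1"
    [ -L "$dir" ] && return 3          # refuse a symlink planted at that name
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Hand the directory to the user when run as root and the account resolves.
    if [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1; then
        chown "$1" "$dir" || return 1
    fi
    return 0
}

# Logoff: delete the profile copy once Windows has released the share.
remove_profile() {
    valid_user "$1" || return 2
    rm -rf -- "$PROFILE_ROOT/$1"       # removes a symlink itself, not its target
}

case "${1:-}" in
    create) create_profile "${2:-}" ;;
    remove) remove_profile "${2:-}" ;;
esac
```

With `root preexec close = yes`, a non-zero exit from the create step makes Samba refuse the connection to the share, so a rejected name never reaches the filesystem.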



