[OpenAFS] Roaming Windows Profiles

Stephen Joyce stephen@physics.unc.edu
Wed, 5 Feb 2003 17:01:08 -0500 (EST)


James,

My Dept's production environment uses K5, but relies on a Win2K server for
roaming profiles... that said, I have tested a similar setup to
what you describe (keeping the K5 single-signon but storing profiles in
AFS) and would like to put it into production, but haven't yet.

My observations follow.  Do they agree with your experiences?

	The profile needs system:anyuser l access (for windows to "see" the
		 profile exists prior to getting tokens)
	AD won't let you redirect folders with arbitrary variables
		(so, it's possible to redirect all users' profiles to
		/afs/cell/home/user/WinProfile, but cells that have
		/afs/cell/home/u/user/WinProfile must set each profile
		location for each user separately--or create another
		separate set of mount points).
	It's necessary to ensure that My Documents, etc. does NOT roam, but
		is redirected into AFS... otherwise login/logout times
		increase substantially over the same setup without AFS.

	Certain files, like MS office docs, shouldn't be opened directly
		out of AFS due to assumptions about byte-range locking
		which AFS doesn't support... so access to non-roaming
		space is still required.

Others I'm forgetting?

Cheers,
Stephen
--
Stephen Joyce
Systems Administrator                                            P A N I C
Physics & Astronomy Department                         Physics & Astronomy
University of North Carolina at Chapel Hill         Network Infrastructure
voice: (919) 962-7214                                        and Computing
fax: (919) 962-0480                               http://www.panic.unc.edu

On Wed, 5 Feb 2003, Rodney M Dyer wrote:

> James,
>
> Sure, we've been doing roaming profiles since the first Transarc AFS client
> was introduced on NT 4.0.  Over the summer of '02 we migrated to Windows XP
> and are still doing roaming profiles and folder redirection without
> problem.  We also knitted together Kerberos 5 and AFS for single-sign-on
> with few problems, ah hem...so far.  Btw, we are pure Windows 2x/XP
> architecture environment.  (Get rid of Win9x versions, not worth the
> trouble to keep.)
>
> A windows profile is just a single directory store of information.  You can
> pretty safely store the profile in the user's UNIX home directory.  We just
> called ours "xp_profile".  When you logon, Windows sucks the profile
> directory and everything in it to the local machine.  When you logout,
> everything that changed is sync'ed back to AFS space.
>
> When our XP clients boot, they link a global network drive "N:" to the top
> of our AFS filespace.  That drive is available to all users when they logon
> to the box.  We setup an active directory domain and supplied it with
> account names of our UNIX users.  In each user's account on the active
> directory we set the profile path to point down the global drive link to
> the user's home directory profile.  When the users logon to the XP
> clients, the AFS client authenticates them to the AFS file space, this
> allows the XP box to grab the profile and pull it local.  (I'm actually
> fibb'ing a bit here, we do it a little differently now that we are Kerb 5.)
>
> I'm going to be putting together a fully documented solution document for
> our AFS/Kerberos 5 environment if I ever get the time.  It has really
> worked out well.
>
> Let me know if you need anything specific and I may be able to help you.
>
> Rodney
>
> Rodney M. Dyer
> x86 Systems Programmer
> College of Engineering Computing Services
> University of North Carolina at Charlotte
> Email rmdyer@uncc.edu
> Phone (704)687-3518
> Help Desk Line (704)687-3150
> FAX (704)687-2352
> Office  267 Smith Building
>
> At 11:44 AM 2/5/2003 -0800, you wrote:
> >I had looked into doing roaming Windows profiles and ran out of steam after
> >my initial analysis.
> >Basically it came down to the following technical problems:
> >1. Where can you safely store the profile
> >2. What makes up a profile for XP,W2k, NT, 98
> >3. Properly configuring Windows to pick up the profile
> >4. Fetching the profile during GINA when the user space has not started and
> >therefore the SMB protocol can't determine who the user is for
> >authentication.
> >
> >If you have any wisdom on any of these issues it would be greatly
> >appreciated.
> >
> >James
> >"Integrity is the Base of Excellence"
> >
> >
> >_______________________________________________
> >OpenAFS-info mailing list
> >OpenAFS-info@openafs.org
> >https://lists.openafs.org/mailman/listinfo/openafs-info
>
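Stephen's first observation, that the profile directory needs system:anyuser lookup (`l`) rights so Windows can see it before tokens exist, is worth checking mechanically: granting more than `l` to system:anyuser (for example `rl`) would make the profile contents readable from any AFS client in the world. The POSIX shell check below is an added example, not code from this thread or from OpenAFS. It parses the output format of `fs listacl` for the Normal rights section; the cell name example.org, the profile path, and the sample ACL listings are constructed so the check runs offline. Against a live cell you would pipe `fs listacl "$dir"` into `acl_rights` instead of the sample text.

```shell
#!/bin/sh
# Added example: verify that a roaming-profile directory's AFS ACL grants
# system:anyuser exactly lookup ('l') and nothing more.

# Constructed sample of `fs listacl` output (cell and path are assumptions).
SAMPLE_OK='Access list for /afs/example.org/home/user/WinProfile is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  user rlidwka'

# Constructed sample with an over-broad ACL: anyuser can read every file.
SAMPLE_BAD='Access list for /afs/example.org/home/user/WinProfile is
Normal rights:
  system:anyuser rl
  user rlidwka'

# Read `fs listacl` output on stdin and print the rights string granted to
# the given principal in the Normal rights section. Prints nothing if the
# principal is absent. Entries under "Negative rights:" are ignored.
acl_rights() {
    awk -v p="$1" '
        /^Negative rights:/ { exit }     # stop before negative rights
        $1 == p             { print $2; exit }
    '
}

# Return 0 if system:anyuser has exactly lookup rights on the listing in $1,
# 1 if the right is missing (Windows cannot see the profile) or too broad.
profile_acl_ok() {
    rights=$(printf '%s\n' "$1" | acl_rights system:anyuser)
    [ "$rights" = "l" ]
}

# Report on both constructed samples when run directly.
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    path=$(printf '%s\n' "$sample" | awk 'NR == 1 { print $4 }')
    if profile_acl_ok "$sample"; then
        echo "OK   $path: system:anyuser has lookup only"
    else
        echo "FAIL $path: system:anyuser rights are '$(printf '%s\n' "$sample" | acl_rights system:anyuser)'"
    fi
done
```

The same check generalises to the per-user home directory above the profile, which Windows must also be able to traverse; run it on each path component from the cell root down to WinProfile, since a missing `l` anywhere on that chain produces the same "profile does not exist" symptom at logon.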