[OpenAFS] Roaming Windows Profiles
Stephen Joyce
stephen@physics.unc.edu
Wed, 5 Feb 2003 17:01:08 -0500 (EST)
James,
My Dept's production environment uses K5, but relies on a Win2K server for
roaming profiles... that said, I have tested a similar setup to
what you describe (keeping the K5 single-signon but storing profiles in
AFS) and would like to put it into production, but haven't yet.
My observations follow. Do they agree with your experiences?
The profile needs system:anyuser l access (for Windows to "see" the
profile exists prior to getting tokens)

AD won't let you redirect folders with arbitrary variables
(so, it's possible to redirect all users' profiles to
/afs/cell/home/user/WinProfile, but cells that have
/afs/cell/home/u/user/WinProfile must set each profile
location for each user separately--or create another
separate set of mount points).

It's necessary to ensure that My Documents, etc. does NOT roam, but
is redirected into AFS... otherwise login/logout times
increase substantially over the same setup without AFS.

Certain files, like MS Office docs, shouldn't be opened directly
out of AFS due to assumptions about byte-range locking
which AFS doesn't support... so access to non-roaming
space is still required.

Others I'm forgetting?
Cheers,
Stephen
--
Stephen Joyce
Systems Administrator                          P A N I C
Physics & Astronomy Department                 Physics & Astronomy
University of North Carolina at Chapel Hill    Network Infrastructure
voice: (919) 962-7214                          and Computing
fax: (919) 962-0480                            http://www.panic.unc.edu

On Wed, 5 Feb 2003, Rodney M Dyer wrote:
> James,
>
> Sure, we've been doing roaming profiles since the first Transarc AFS client
> was introduced on NT 4.0. Over the summer of '02 we migrated to Windows XP
> and are still doing roaming profiles and folder redirection without
> problem. We also knitted together Kerberos 5 and AFS for single-sign-on
> with few problems, ah hem...so far. Btw, we are pure Windows 2x/XP
> architecture environment. (Get rid of Win9x versions, not worth the
> trouble to keep.)
>
> A Windows profile is just a single directory store of information. You can
> pretty safely store the profile in the user's UNIX home directory. We just
> called ours "xp_profile". When you log on, Windows sucks the profile
> directory and everything in it to the local machine. When you log out,
> everything that changed is sync'ed back to AFS space.
>
> When our XP clients boot, they link a global network drive "N:" to the top
> of our AFS filespace. That drive is available to all users when they log on
> to the box. We set up an Active Directory domain and supplied it with
> account names of our UNIX users. In each user's account on the Active
> Directory we set the profile path to point down the global drive link to
> the user's home directory profile. When the users log on to the XP
> clients, the AFS client authenticates them to the AFS file space; this
> allows the XP box to grab the profile and pull it local. (I'm actually
> fibbing a bit here, we do it a little differently now that we are Kerb 5.)
>
> I'm going to be putting together a fully documented solution document for
> our AFS/Kerberos 5 environment if I ever get the time. It has really
> worked out well.
>
> Let me know if you need anything specific and I may be able to help you.
>
> Rodney
>
> Rodney M. Dyer
> x86 Systems Programmer
> College of Engineering Computing Services
> University of North Carolina at Charlotte
> Email rmdyer@uncc.edu
> Phone (704)687-3518
> Help Desk Line (704)687-3150
> FAX (704)687-2352
> Office 267 Smith Building
>
> At 11:44 AM 2/5/2003 -0800, you wrote:
> >I had looked into doing roaming Windows profiles and ran out of steam after
> >my initial analysis.
> >Basically it came down to the following technical problems:
> >1. Where can you safely store the profile
> >2. What makes up a profile for XP, W2k, NT, 98
> >3. Properly configuring Windows to pick up the profile
> >4. Fetching the profile during GINA when the user space has not started and
> >therefore the SMB protocol can't determine who the user is for
> >authentication.
> >
> >If you have any wisdom on any of these issues it would be greatly
> >appreciated.
> >
> >James
> >"Integrity is the Base of Excellence"
> >
> >
> >_______________________________________________
> >OpenAFS-info mailing list
> >OpenAFS-info@openafs.org
> >https://lists.openafs.org/mailman/listinfo/openafs-info