• Published on | Apr 20, 2007 | by FozzTexx

Dumber than advertised

For the last week and a half I've been working on doing a complete network rebuild for a client, including all the servers and desktops. They are very heavily Exchange based, so the new servers had to be running Windoze. In their old environment the users were storing all their files on their local computer. This created obvious problems whenever they changed offices or when there was a hardware failure on their computer.

When the time came to setup the new Windoze servers the first thing I wanted to make sure was that the Roaming Profiles were enabled. Having used the Roaming Profiles feature on a Samba server for over 5 years, I know how useful it is. It's certainly no substitute for true home directories, but it's better than all personal files always living on the local computer.

Because Romaing Profiles was a Windoze concept, I thought it should be a trivial thing to setup on a Windoze server. A couple of searches on the internet, and whoa! What a mess! Roaming Profiles have to be enabled on an individual basis for each account! What the heck was someone smoking, that's just plain idiotic! I want to turn it on and be done, not manually have to setup each user. On Samba, I add a line to the smb.conf and I'm done. More searching to see if maybe there's a Group Policy way to do it. Nope. Sigh. I suffer through with the lame Windoze-Way and get all the accounts configured.

Well it works, sort of. Lots of hiccups though. Often when people are logging on and/or off, an error appears claiming there's a problem locating the Roaming Profile and it's going to use a local profile. I never had this problem using Samba, why can't a "Genuine" Windoze server deal with this? Users of course freak out and complaining that they "can't log on." I made some adjustments to the server and things are better, but not perfect.

Next issue is getting backups going. The plan was to build a Linux server with a huge amount of disk space and set it up to mirror all of the servers nightly, then do nightly incremental backups to tape. The reason I wanted to do it this way is because of headaches on the old system from using Windoze backup. Windoze backup seems to have this idiotic idea that a tape needs to be "formatted" and "named" before it can be written. When using scheduled backups you have to make sure you have the right tape in on the right night, otherwise the backup fails because it doesn't have the tape named in the backup script.

I build the Linux computer, tinker with mounting the shares from the Windoze servers, and hit a huge roadblock: I can't read the files in the user's home directories. Lots and lots more searching and experimenting, and I come to the realization that the Windoze security model is just plain brain dead. If I am logged in as Administrator - even on the Windoze server itself - for some absurd reason I do not have permission to look at the user's files and folders! SAY WHAT?!? That is such a huge security hole! I am Administrator and I don't have permission to see exactly what is going on with my own system?! It's no wonder there are so many exploits for Windoze, and so many things you can't remove without reformatting! Apparently the only way under Windoze that you can have full access to your own files is through the "Backup API." Unfortunately mounting the share from the Windoze server does not use that method. What to do?

At this point I decided that the easiest thing to do was to turn my backup server into a file server. This meant not only installing Samba, but I also would need to convince Samba that it needed to authenticate using the Windoze Active Directory server, and not using local Linux accounts. This took longer than I had hoped, only because every site I found with example setups had incomplete info. Most of the instructions were found here, however it's missing a few key things. In the [global] section in your smb.conf, you need to add:

   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes

And in /etc/nsswitch.conf, add winbind on the appropriate lines:

    passwd:     files winbind
    shadow:     files winbind
    group:      files winbind

With all the pieces together I was now able to connect to Samba and authenticate using a Windoze AD.

I created the shares on the new Samba server to serve home directories and profiles, went through each Windoze account one at a time and changed their Roaming Profiles to point to the Samba server, and now I had their files in an easy to backup location. As a plus, I also had their files on a server with no arbitrary connection limits, so the problem of "Could not find profile" has gone away.

I still can't get over how Microsoft can't even make their own OS work as advertised. I use free software which is designed to be compatible, and it doesn't "just work," it works better and is easier to administer. I think the next thing to do is see if I can make Exchange work without requiring a Windoze AD server...

Join The Discussion