Samba 3 and Windows Vista Clients
Working with Vista's User Profiles
One hurdle to overcome when deploying Vista clients with a Samba domain is the difference in User Profiles and how they are managed. This stems from Microsoft implementing "Profiles Version 2" with Windows Vista, and from bugs in certain implementations of Samba that keep Roaming Profiles from working properly with Vista clients.
There are a few ways you can handle User Profiles when dealing with Windows Vista clients. The first way (the one that I currently recommend until problems are fixed) is to simply disable Roaming Profiles at the Vista Client. This has the advantage of still allowing your older Windows Clients to properly use Roaming Profiles, while ensuring that your new Vista clients do not run into many of the problems that various Samba sites are encountering.
Another way to handle User Profiles is to go ahead and allow Roaming Profiles. Many times this should work flawlessly, and no adjustments need to be made to your Samba configuration for Vista clients, since Vista-created profiles automatically have a ".V2" extension. Even if you start to run into the various problems that others have encountered, there is a huge possibility that your users won't even notice it.
Disabling Roaming Profiles at the Vista Client
For those Administrators that have Roaming Profiles working with other versions of Microsoft Windows and do not want to lose that functionality, you can simply disable Roaming Profiles by setting a few Registry keys on your Windows Vista workstations:
Only Allow Local User Profiles
Local Group Policy: Comp Conf - Admin Templates - System - User Profiles - Only allow local user profiles
Local Machine RegKey: HKLM\Software\Policies\Microsoft\Windows\System - LocalProfile - 1
Prevent Roaming Profile Changes from propagating to the server
Local Group Policy: Comp Conf - Admin Templates - System - User Profiles - Prevent Roaming Profile Changes from propagating to the server
Local Machine RegKey: HKLM\Software\Policies\Microsoft\Windows\System - ReadOnlyProfile - 1
Delete User Profiles Older than X days
Computer Registry Key HKLM\SOFTWARE\Policies\Microsoft\Windows\System - CleanupProfiles - 14 (num of days)
The last registry setting is recommended only if your users log into different workstations across your network. If your users simply use the same workstation, it is recommended to not implement deleting profiles older than X amount of days.
Getting Roaming Profiles to work properly
As of this writing, 1 Oct 08, Samba currently does not work well using Roaming Profiles with Windows Vista Clients. The Roaming Profile directory is created on the Server, but the profile itself is not copied to the server upon logout. If memory serves, I had this working at one time (that is where I first ran into the Error 1511 problem below) but as of right now I cannot complete this section.
However, if you are lucky enough to get it working, the following registry keys may be of importance.
Do Not Check Ownership of Roaming Profile Folders
Computer Registry Key HKLM\SOFTWARE\Policies\Microsoft\Windows\System - CompatibleRUPSecurity - 1 (DWORD)
Delete Cached Copies of Roaming Profiles
Computer Registry Key HKLM\SOFTWARE\Policies\Microsoft\Windows\System - DeleteRoamingCache - 1 (DWORD)
Exclude Directories in Roaming Profile
User Registry Key Software\Microsoft\Windows\CurrentVersion\Policies\System - ExcludeProfileDirs - (list)
Dealing with Event 1511, cannot find user's profile
One of the "improvements" Microsoft made for Vista is the tracking of the User's Roaming Profile. Instead of just writing the profile to the network share on logout, Vista also writes the location of said profile within the computer's registry. This sounds innocent enough, until you have to delete a User's profile because it is corrupted.
If the profile listed within the machine's registry is not present, you will get the Event 1511 error. To fix this you must delete the profile pointer within the workstation's registry. This is located within:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
and the key is the number representing the User's SID.
Until Samba once again works with Roaming Profiles, I won't be able to troubleshoot this and come up with a solution. I am really hoping that simply setting the above registry key for "Delete Cached Copies of Roaming Profiles" will take care of this.
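The following is an added example, not part of the original page: a read-only PowerShell 2.0 audit that walks the ProfileList key above and reports each user SID whose registered profile path no longer exists, so you can see which pointer is stale before deleting anything. The function names are hypothetical, and the value names ProfileImagePath and CentralProfile are the standard per-SID values Windows stores there, not names given on the page.

```powershell
# Added example (not from the original page): read-only audit of ProfileList.
# Lists every user SID whose registered local or roaming profile path is missing,
# the condition the page ties to Event 1511. Nothing is modified or deleted.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-ProfilePath {
    param([string]$Path)
    # An empty value means "not configured", which is not a stale pointer.
    if ([string]::IsNullOrEmpty($Path)) { return $true }
    return (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($Path)))
}

function Get-StaleProfileEntry {
    param([string]$Root = $ProfileListKey)

    Get-ChildItem -Path $Root | ForEach-Object {
        $sid = $_.PSChildName
        # Only user account SIDs; skip service accounts such as S-1-5-18.
        if ($sid -notmatch '^S-1-5-21-') { return }

        $p = Get-ItemProperty -Path $_.PSPath
        # Assumed value names: ProfileImagePath (local copy), CentralProfile (roaming share).
        $localOk   = Test-ProfilePath $p.ProfileImagePath
        # An unreachable file server also reads as "missing" here.
        $roamingOk = Test-ProfilePath $p.CentralProfile

        if (-not ($localOk -and $roamingOk)) {
            New-Object PSObject -Property @{
                SID           = $sid
                LocalPath     = $p.ProfileImagePath
                LocalExists   = $localOk
                RoamingPath   = $p.CentralProfile
                RoamingExists = $roamingOk
            }
        }
    }
}

# Run from an elevated prompt on the workstation and review the output
# before removing any SID subkey by hand.
Get-StaleProfileEntry |
    Select-Object SID, LocalPath, LocalExists, RoamingPath, RoamingExists |
    Format-List
```

Run it while the Samba server is reachable, otherwise every roaming path is reported as missing.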
Network Wide Default Profile.V2
Since Vista updated its User's Profile to what is referred to as "Version 2", the existing Network Wide Default User profiles will no longer work with Windows Vista. According to Microsoft's Documents, you can still implement a "Version 2" Network Wide Default Profile. However, so far I am unable to implement one properly using Samba Servers. If anyone has more info on this, please email me.
Redirecting User Profile Directories
Regardless of how you implement User Profiles, you will probably want to implement some sort of Folder Redirection to move important folders such as the User's Documents and Desktop folders away from the volatile Profile (recommended even if you are using "Local Profiles").
With previous versions of Windows, this was somewhat trivial as more than likely you just implemented Folder Redirection within the System Policy. However, since Vista no longer applies System Policies (it instead uses AD Group Policies, which Samba doesn't support yet), you must find an alternative way to implement Folder Redirection.
The most popular way to implement Folder Redirection is through the User's Logon Script. For instance, I use the kixtart processor for my logon scripts, so I just add the following to the User's Script (if you use an alternate Logon Script, you should be able to locate the correct registry keys from this example):
Example Logon Script using Kixtart
; Redirect the per-user shell folders to the P: drive on Vista Business clients only
IF @PRODUCTTYPE = "Windows Vista Business Edition"
    $FolderRedirect = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    ; "Personal" is the value name for the Documents folder
    $ = WriteValue($FolderRedirect, "Personal", "P:\Documents", "REG_SZ")
    $ = WriteValue($FolderRedirect, "AppData", "P:\.winsettings\appdata", "REG_SZ")
    $ = WriteValue($FolderRedirect, "Desktop", "P:\WinDesktop", "REG_SZ")
    $ = WriteValue($FolderRedirect, "My Music", "P:\Music", "REG_SZ")
    $ = WriteValue($FolderRedirect, "My Pictures", "P:\Pictures", "REG_SZ")
    $ = WriteValue($FolderRedirect, "My Video", "P:\Videos", "REG_SZ")
    ; This GUID is the value name for the Downloads folder
    $ = WriteValue($FolderRedirect, "{374DE290-123F-4565-9164-39C4925E467B}", "P:\Downloads", "REG_SZ")
ENDIF
No matter which type of logon script you use, you will quickly realize that a few errors may occur when you redirect these Folders. To minimize these errors you will need to set the following registry keys on the Vista Clients:
Run Logon Scripts Synchronously - Ensures that the Explorer interface is not loaded until the Logon Scripts are finished
Computer Registry Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - RunLogonScriptSync - 1 (DWORD)
Always Wait for the Network before Allowing Logins
Computer Registry Key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon - SyncForegroundPolicy - 1 (DWORD)
Disable Offline Files
Computer Registry Key HKLM\Software\Policies\Microsoft\Windows\NetCache - NoConfigCache - 1
Do Not Sync Redirected Folders
Computer Registry Key HKLM\Software\Policies\Microsoft\Windows\NetCache - DisableFRAdminPin - 2 (DWORD)
Hiding System Files within Redirected Folders
Once you implement Folder Redirection you may notice a few files show up that normally would be hidden from the user. To ensure that they remain hidden, edit Samba's smb.conf file and add something similar to the following to either the main configuration section or the "Homes" share:
hide files = /desktop.ini/$RECYCLE.BIN/

