Lab Infrastructure

Authentication

Grad Lab and Math Lab workstations use Active Directory authentication. There are two Samba domain controllers, turing-1.math.ucsb.edu and turing-2.math.ucsb.edu. There is one-way replication of SYSVOL from turing-1 to turing-2, so group policy changes should be made on turing-1.

Home directories and profiles

User home directories are stored on zeta.math.ucsb.edu (a Samba server), on the UserHome share. Windows roaming profiles are stored on the UserProfile share. The way that home directories are used depends on the OS:

Windows

Windows uses folder redirection to direct a user's Documents, Downloads, Desktop, and a few other folders to their home directory. This is controlled by the "Home directories on zeta" group policy object, which applies to all users in the Roaming Profile Users group.

Roaming profiles are controlled by the "Lab Roaming Profiles" group policy, which applies to computers in the Lab Workstations group and users in the Roaming Profile Users group.

This normally functions pretty seamlessly for users.

macOS

macOS doesn't support network home directories properly, so we don't have true roaming on these machines. We do, however, put a link to the user's network home directory in the Dock. With the current bugginess of network home support, this is the best we can do. This policy is set in the "Active Directory clients" Profile Manager group, which also contains the credentials needed to join Macs to the domain.

Remote access

Users can access the files in their network home directories via SFTP. The setup for this is somewhat involved (although it's seamless in operation); see /etc/security/pam_mount.conf.xml and /etc/ssh/sshd_config on zeta, where the details are explained in a comment block.

Guest users

Windows

Windows no longer has a true guest account. Instead, there is a domain account called "lab". This account is NOT in the "Lab Roaming Profiles" or "Home folders on zeta" groups, so its profile is strictly local. In fact, its profile directory on zeta is read-only to ensure it can't become a roaming account.

The lab account is also a member of the group "Restricted Kiosk Users". This leverages the User portion of the Lab Policy group policy, which adds several restrictions aimed at preventing users' data from becoming available to the next user. For example, Chrome is limited to private browsing. Firefox is set to delete all content on logout. There are relatively few restrictions on Edge, simply because Microsoft doesn't make many policy knobs available to us for that browser.
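A quick audit of the two group-membership invariants described above, as an added example rather than part of the lab's own tooling. It assumes that `samba-tool group listmembers <group>` on turing-1 prints one member name per line, and that the group names are exactly as written on this page.

```shell
#!/bin/sh
# Audit the "lab" account invariants: it must NOT be in "Roaming Profile Users"
# (otherwise its profile would roam) and it MUST be in "Restricted Kiosk Users"
# (otherwise the User portion of the Lab Policy GPO would not apply to it).
# Assumed input format: one member per line, as samba-tool group listmembers prints it.

# in_group MEMBERS USER -> exit status 0 if USER is listed in MEMBERS (exact line match)
in_group() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# audit_lab_account ROAMING_MEMBERS KIOSK_MEMBERS
# Prints one FAIL line per violated invariant and returns the number of violations.
audit_lab_account() {
    violations=0
    if in_group "$1" lab; then
        echo "FAIL: lab is a member of Roaming Profile Users (its profile would roam)"
        violations=$((violations + 1))
    fi
    if ! in_group "$2" lab; then
        echo "FAIL: lab is not a member of Restricted Kiosk Users (kiosk restrictions would not apply)"
        violations=$((violations + 1))
    fi
    return "$violations"
}

# Live use on turing-1 (commented out; not run in this offline demonstration):
# audit_lab_account "$(samba-tool group listmembers 'Roaming Profile Users')" \
#                   "$(samba-tool group listmembers 'Restricted Kiosk Users')"

# Constructed sample listings for offline demonstration (not real lab data).
# This sample deliberately contains one violation: lab appears in the roaming group.
SAMPLE_ROAMING='alice
bob
lab'
SAMPLE_KIOSK='lab'
```

Run on turing-1 (the DC where group policy is authoritative), a non-zero exit status from `audit_lab_account` means the guest account's isolation has drifted from what this page describes.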

macOS

We use the built-in macOS "guest" account, which is enabled via Policy Manager. The guest account is automatically wiped clean whenever the user logs out or shuts down the machine. Because of this, there's no need for special browser settings; the data is automatically disposed of by the OS.