[Samba] Map user home dir using GPO failing

Mason Schmitt mason at ftlcomputing.com
Sun Mar 3 23:10:39 UTC 2019


This mailing list seems to have magical powers...  Twice now I have sent
emails to this list asking for help, both times I have not received the
correct answer to my question, but each response has inadvertently helped
me to see my problem from a new angle and thus I have been able to resolve
my own issue!

As neither the wiki nor any past mailing list messages (that I could find)
correctly answer this question, I'm going to document the solution for the
next person that runs into it.

*Goals:*

   - Auto create home dir when AD domain user logs in
   - Map home drive using group policy
   - Use NT ACLs in order to provide maximum compatibility with Windows
   clients

Note that this does work with SELinux enabled, which makes my inner
security nut happy :)

*Procedure*

*Setup the Samba Share*
Follow the instructions at
https://wiki.samba.org/index.php/User_Home_Folders, *but only* the
following sections:

   - Setting up the Share on the Samba File Server > Using Windows ACLs
   - Creating the Home Folder for a New User > Using a Group Policy
   Preference


*Create the smb.conf and PAM configs*
There are 6 smb.conf entries that are critical to making this work; they
are:

   - vfs objects = acl_xattr  # I'm not certain that the two other acl_xattr
     entries, in the smb.conf below, are absolutely necessary
   - map acl inherit = yes
   - store dos attributes = yes
   - template homedir = /srv/samba/users/%U  # Note the %U here
   - obey pam restrictions = yes  # with the corresponding entry in
     /etc/pam.d/common-session as per the comments in the smb.conf below
   - [users]
         path = /srv/samba/users   # Very important! Don't put the %U here!
         comment = Share for user home dirs
         guest ok = no
         read only = no


*The full working smb.conf file*
[global]
kerberos method = system keytab
workgroup = FTLC
security = ads
realm = FTLC.FTLCOMPUTING.COM

# NetBIOS is dead, let's make it explicit
# There's no need to run nmbd either, so disable it using 'systemctl disable nmbd'
disable netbios = yes

# Encrypting SMB traffic is a good basic defense
# As soon as Windows 7 goes away, we'll be able to
# change this to 'required'
smb encrypt = desired

# Logging
log file = /var/log/samba/%m.log
log level = 5

# We're using the RID method of mapping SIDs to UID/GID
idmap config FTLC : range = 2000000-2999999
idmap config FTLC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false

# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0

# Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
# The ignore system acls option will hopefully eliminate the issues we have
# encountered with having to set POSIX and NT ACLs.  This does mean that all file
# access should be done through Samba
vfs objects = acl_xattr
acl_xattr:default acl style = windows
acl_xattr:ignore system acls = yes
map acl inherit = yes
store dos attributes = yes

# ---------------------------------------------------------------------
# Automatic creation of home directories

# In addition to the NT ACL settings above and the [users] share in the
# the shares section below, the following settings are needed in order for
# automatic creation of home directories to work

# Home directory path
template homedir = /srv/samba/users/%U

# To help with automated creation of user home directories,
# we need the following in this smb.conf file and we need
# 'session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022'
# added to /etc/pam.d/common-session
obey pam restrictions = yes

# end home dir settings -----------------------------------------------

##################################
#           Shares               #
##################################
# All shares will be created within the /srv/samba/shares/ folder,
# except for home dirs which are in /srv/samba/users/

[users]
        path = /srv/samba/users
        comment = Share for user home dirs
        guest ok = no
        read only = no


*Further work - help needed*
I was surprised to find that once the home drive has been mapped and users
begin creating their own files and folders, the POSIX permissions on
the file server are wide open, i.e. 777.  Even though AD users will not be
logging in to the file server and the files won't be shared via NFS, I
still really don't like seeing files being world rwx.

Why does samba set these permissions?  What can be done to lock them down?

Thanks,
Mason
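The six smb.conf settings and the pam_mkhomedir line above are easy to get subtly wrong (the most common slip being a %U in the [users] share path). The following checker is an added example, not part of Mason's post or of the Samba project: it parses an smb.conf and a PAM session file and reports which of those requirements are missing. The sample configs embedded below are constructed for the example (one deliberately wrong, one corrected), and the parser is a simplification of Samba's own that ignores include directives and line continuations.

```python
import re
from typing import Dict, List

# Constructed sample: the post's [global] settings, plus a [users] share
# with the %U mistake the post warns about.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = FTLC
   security = ads
   realm = FTLC.FTLCOMPUTING.COM
   # Enable Windows ACL support
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = yes
   map acl inherit = yes
   store dos attributes = yes
   template homedir = /srv/samba/users/%U
   obey pam restrictions = yes

[users]
   # wrong: %U must not appear in the share path
   path = /srv/samba/users/%U
   comment = Share for user home dirs
   guest ok = no
   read only = no
"""

# Constructed sample /etc/pam.d/common-session without the mkhomedir line.
SAMPLE_PAM_SESSION = """\
session required pam_unix.so
session optional pam_systemd.so
"""

# Corrected variants of both samples, used to show a clean run.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "path = /srv/samba/users/%U", "path = /srv/samba/users")
FIXED_PAM_SESSION = SAMPLE_PAM_SESSION + \
    "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n"


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}.

    Skips blank lines and lines starting with '#' or ';'. Keys are
    lowercased with whitespace collapsed, the way testparm prints them.
    The last value wins for duplicate keys.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_home_dir_settings(smb_conf: str, pam_session: str) -> List[str]:
    """Return a list of problems; an empty list means every requirement
    from the post is satisfied."""
    conf = parse_smb_conf(smb_conf)
    g = conf.get("global", {})
    problems: List[str] = []

    if "acl_xattr" not in g.get("vfs objects", "").split():
        problems.append("global: 'vfs objects' must include acl_xattr")
    for key in ("map acl inherit", "store dos attributes",
                "obey pam restrictions"):
        if g.get(key, "").lower() not in ("yes", "true", "1"):
            problems.append(f"global: '{key} = yes' is missing")
    homedir = g.get("template homedir", "")
    if "%U" not in homedir:
        problems.append("global: 'template homedir' must contain %U")

    users = conf.get("users")
    if users is None:
        problems.append("[users] share is missing")
    else:
        path = users.get("path", "")
        if not path:
            problems.append("[users]: path is missing")
        elif "%" in path:
            problems.append("[users]: path must be the parent dir, no %U")
        elif homedir and not homedir.startswith(path.rstrip("/") + "/"):
            problems.append("[users]: template homedir is not under the share path")

    if not re.search(r"^\s*session\s+required\s+pam_mkhomedir\.so",
                     pam_session, re.M):
        problems.append("common-session: 'session required pam_mkhomedir.so' "
                        "line is missing")
    return problems


if __name__ == "__main__":
    for label, conf, pam in (("broken", SAMPLE_SMB_CONF, SAMPLE_PAM_SESSION),
                             ("fixed", FIXED_SMB_CONF, FIXED_PAM_SESSION)):
        print(f"{label}: {check_home_dir_settings(conf, pam) or 'OK'}")
```

To run it against a real host, read /etc/samba/smb.conf and /etc/pam.d/common-session into the two arguments; on a server where testparm is available, feeding it the output of `testparm -s` instead of the raw file resolves includes and defaults first.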
