[homes] share issues and concerns

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Tue Feb 26 09:57:56 MST 2013


I have added Jeremy and Andrew to this specifically because of the concerns
with permissions/ACLs. First, there are a couple of ways to do the [homes]
share; I will name them 'the samba 3 way' and 'the windows ad way', and I will
give examples of both and the benefits/drawbacks of using each.

What needs to be done in your setup for [homes] to work: as has been
mentioned before, you will need a working winbind setup as described in
https://wiki.samba.org/index.php/Samba4/Winbind. Next you will need to add:
     template homedir = /home/%ACCOUNTNAME%
to your [global] IF you are using the traditional home location for your
domain (it defaults to /home/%WORKGROUP%/%ACCOUNTNAME% ). This is needed
for either setup. Now the difference.

If you want the traditional samba 3 \\server\homes or
\\server\%USERNAME% type of share, you need the following [homes]:

    [homes]
    valid users = %S
    browsable = no
    read only = no

Pro: Very secure as no one else can access your homes share by using
\\server\homes\someotheruser

Con: Windows ADUC (Active Directory Users and Computers) doesn't handle
creating the \\server\homes\%USERNAME% when adding the 'home folder' in the
'profile' tab of the user properties as you normally would with AD server.
http://support.microsoft.com/kb/320043

The default [homes] share that is made when running samba-tool domain
provision is correct with respect to 'how windows AD does it'; it looks like:
    [homes]
    read only = No

Pro: Works exactly how windows does with respect to adding a user's 'home
folder' inside of ADUC.
Con: (and this is a BIGGIE) any user can open any other user's home folder
by simply doing \\server\homes\someotheruser, as the default permissions set
the user's home directory like the following:

root at server:/home# ls -alh | grep some.user
drwxrwxrwx+   2 root                             Domain Users  4.0K Feb 26 10:46 some.user
root at server:/home# getfacl some.user
# file: some.user
# owner: root
# group: Domain\040Users
user::rwx
user:root:rwx
group::rwx
group:Domain\040Users:rwx
group:10001:rwx
group:11118:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:Domain\040Users:rwx
default:group:10001:rwx
default:group:11118:rwx
default:mask::rwx
default:other::rwx

By default on a windows server, Everyone has Read access (which again, is
questionable in my opinion), then some.user, administrator, Administrators
(group), and SYSTEM all have FULL access to the folder.

I don't have a proposed solution to the issue, but would like to ask what
is recommended, and how should it be fixed? Sorry for the lengthy mail.

Ricky
