[homes] share issues and concerns
ricky.nance at weaubleau.k12.mo.us
Tue Feb 26 09:57:56 MST 2013
I have added Jeremy and Andrew to this specifically because of the concerns
with permissions/ACLs. First, there are a couple of ways to do the [homes]
share; I will name them 'the samba 3 way' and the 'windows ad way'. I will
give examples of both and the benefits/drawbacks of using each.
What needs to be done to your setup for [homes] to work. As this has been
mentioned before, you will need a working winbind setup as described in
https://wiki.samba.org/index.php/Samba4/Winbind. Next you will need to add:

    template homedir = /home/%ACCOUNTNAME%

to your [global] IF you are using the traditional home location for your
domain (it defaults to /home/%WORKGROUP%/%ACCOUNTNAME% ). This is needed
for either setup. Now the difference.
If you are wanting the traditional samba 3 \\server\homes or
\\server\%USERNAME% type of share, you need the following:

    [homes]
    valid users = %S
    browsable = no
    read only = no

Pro: Very secure as no one else can access your homes share by using
Con: Windows ADUC (Active Directory Users and Computers) doesn't handle
creating the \\server\homes\%USERNAME% when adding the 'home folder' in the
'profile' tab of the user properties as you normally would with an AD server.
The default [homes] share that is made when running samba-tool domain
provision is correct with respect to 'how windows AD does it'; it looks like:

    read only = No

Pro: Works exactly how windows does with respect to adding a user's 'home
folder' inside of ADUC.
Con: (and this is a BIGGIE) any user can open any other user's homes folder
by simply doing \\server\homes\someotheruser, as the default permissions set
the user's home directory like the following:
root@server:/home# ls -alh | grep some.user
drwxrwxrwx+ 2 root Domain Users 4.0K Feb 26
root@server:/home# getfacl some.user
# file: some.user
# owner: root
# group: Domain\040Users
By default on a windows server, Everyone has Read access (which again, is
questionable in my opinion), then some.user, administrator, Administrators
(group), and SYSTEM all have FULL access to the folder.
I don't have a proposed solution to the issue, but would like to ask what
is recommended, and how should it be fixed? Sorry for the lengthy mail.
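
The drwxrwxrwx, root-owned home directory shown in the listing above can be found across a whole homes tree with a short audit script. This is an added example, not part of the original post or of Samba; it assumes GNU stat and that each directory under the base path is named after the account that should own it.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumptions: GNU stat; each home directory is named after its account,
# as it is with "template homedir = /home/%ACCOUNTNAME%".

# audit_homes BASE
# Prints "<name>: <findings>" for every directory directly under BASE that
# accounts other than its intended owner can reach. Clean directories
# produce no output.
audit_homes() {
    base=$1
    for dir in "$base"/*/; do
        dir=${dir%/}
        # Skip an unmatched glob, non-directories and symlinks.
        if [ ! -d "$dir" ] || [ -L "$dir" ]; then continue; fi
        name=${dir##*/}
        mode=$(stat -c '%a' "$dir")   # octal mode, e.g. 777 or 2770
        owner=$(stat -c '%U' "$dir")
        findings=
        # Last octal digit: bits for "other", i.e. every account.
        if [ $((mode % 10)) -ne 0 ]; then
            findings="$findings world-accessible"
        fi
        # Second-to-last digit: group bits. When a POSIX ACL is set (the
        # "+" in ls output) this is the ACL mask, so follow up with getfacl.
        if [ $(( (mode / 10 % 10) & 2 )) -ne 0 ]; then
            findings="$findings group-writable"
        fi
        # The listing in the post shows root as owner rather than the user.
        if [ "$owner" != "$name" ]; then
            findings="$findings owner=$owner"
        fi
        if [ -n "$findings" ]; then
            printf '%s:%s\n' "$name" "$findings"
        fi
    done
    return 0
}

# Run as: sh audit_homes.sh /home
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```
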