[homes] share issues and concerns

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Tue Feb 26 10:00:04 MST 2013 

I forgot to mention that this mail may have had a bit to do with the
changes.
http://lists.samba.org/archive/samba-technical/2012-October/087272.html

Ricky


On Tue, Feb 26, 2013 at 10:57 AM, Ricky Nance <
ricky.nance at weaubleau.k12.mo.us> wrote:

> I have added Jeremy and Andrew to this specifically because of the
> concerns with permission/acls. First, there are a couple of ways to do the
> [homes] share, I will name them 'the samba 3 way' and the 'windows ad way',
> I will give examples of both and the benefits/drawbacks to using each.
>
> What needs done your your setup for [homes] to work. As this has been
> mentioned before, you will need a working winbind setup as described in
> https://wiki.samba.org/index.php/Samba4/Winbind. Next you will need to
> add:
>      template homedir = /home/%ACCOUNTNAME%
> to your [global] IF you are using the traditional home location for your
> domain (it defaults to /home/%WORKGROUP%/%ACCOUNTNAME% ). This is needed
> for either setup. Now the difference.
>
> If you are wanting the traditional samba 3 \\server\homes or
> \\server\%USERNAME% type of share, you need the following [homes]
>
>     [homes]
>     valid users = %S
>     browsable = no
>     read only = no
>
> Pro: Very secure as no one else can access your homes share by using
> \\server\homes\someotheruser
>
>  Con: Windows ADUC (Active Directory Users and Computers) doesn't handle
> creating the \\server\homes\%USERNAME% when adding the 'home folder' in the
> 'profile' tab of the user properties as you normally would with AD server.
> http://support.microsoft.com/kb/320043
>
> The default [homes] share that is made when running samba-tool domain
> provision, is correct in respect to 'how windows AD does it' it looks like:
>     [homes]
>     read only = No
>
> Pro: Works exactly how windows does in respect to adding a users 'home
> folder' inside of ADUC.
> Con: (and this is a BIGGIE) any user can open any other users homes folder
> by simply doing \\server\homes\someotheruser as the default permissions set
> the users home directory like the following:
>
> root at server:/home# ls -alh | grep some.user
> drwxrwxrwx+   2 root                             Domain Users  4.0K Feb 26
> 10:46 some.user
> root at server:/home# getfacl some.user
> # file: some.user
> # owner: root
> # group: Domain\040Users
> user::rwx
> user:root:rwx
> group::rwx
> group:Domain\040Users:rwx
> group:10001:rwx
> group:11118:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:group::rwx
> default:group:Domain\040Users:rwx
> default:group:10001:rwx
> default:group:11118:rwx
> default:mask::rwx
> default:other::rwx
>
> By default on a windows server, Everyone has Read access (which again, is
> questionable in my opinion), then some.user, administrator, Administrators
> (group), and SYSTEM all have FULL access to the folder.
>
> I don't have a proposed solution to the issue, but would like to ask what
> is recommended, and how should it be fixed? Sorry for the lengthy mail.
>
> Ricky
>
> --
>
>


--

More information about the samba-technical mailing list