[homes] share issues and concerns

steve steve at steve-ss.com
Tue Feb 26 10:15:11 MST 2013


On 26/02/13 18:00, Ricky Nance wrote:
> I forgot to mention that this mail may have had a bit to do with the
> changes.
> http://lists.samba.org/archive/samba-technical/2012-October/087272.html
>
> Ricky
>
>
> On Tue, Feb 26, 2013 at 10:57 AM, Ricky Nance <
> ricky.nance at weaubleau.k12.mo.us> wrote:
>
>> I have added Jeremy and Andrew to this specifically because of the
>> concerns with permission/acls. First, there are a couple of ways to do the
>> [homes] share, I will name them 'the samba 3 way' and the 'windows ad way',
>> I will give examples of both and the benefits/drawbacks to using each.
>>
>> What needs to be done on your setup for [homes] to work. As this has been
>> mentioned before, you will need a working winbind setup as described in
>> https://wiki.samba.org/index.php/Samba4/Winbind. Next you will need to
>> add:
>>       template homedir = /home/%ACCOUNTNAME%
>> to your [global] IF you are using the traditional home location for your
>> domain (it defaults to /home/%WORKGROUP%/%ACCOUNTNAME%). This is needed
>> for either setup. Now the difference.
>>
>> If you are wanting the traditional samba 3 \\server\homes or
>> \\server\%USERNAME% type of share, you need the following [homes]
>>
>>      [homes]
>>      valid users = %S
>>      browsable = no
>>      read only = no
>>
>> Pro: Very secure as no one else can access your homes share by using
>> \\server\homes\someotheruser
>>
>> Con: Windows ADUC (Active Directory Users and Computers) doesn't handle
>> creating the \\server\homes\%USERNAME% when adding the 'home folder' in the
>> 'profile' tab of the user properties as you normally would with an AD server.
>> http://support.microsoft.com/kb/320043
>>
>> The default [homes] share that is made when running samba-tool domain
>> provision is correct in respect to 'how Windows AD does it'; it looks like:
>>      [homes]
>>      read only = No
>>
>> Pro: Works exactly how Windows does in respect to adding a user's 'home
>> folder' inside of ADUC.
>> Con: (and this is a BIGGIE) any user can open any other user's home folder
>> by simply doing \\server\homes\someotheruser, as the default permissions set
>> the user's home directory like the following:
>>
>> root at server:/home# ls -alh | grep some.user
>> drwxrwxrwx+   2 root                             Domain Users  4.0K Feb 26
>> 10:46 some.user
>> root at server:/home# getfacl some.user
>> # file: some.user
>> # owner: root
>> # group: Domain\040Users
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:Domain\040Users:rwx
>> group:10001:rwx
>> group:11118:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:group::rwx
>> default:group:Domain\040Users:rwx
>> default:group:10001:rwx
>> default:group:11118:rwx
>> default:mask::rwx
>> default:other::rwx
>>
>> By default on a Windows server, Everyone has Read access (which again, is
>> questionable in my opinion), then some.user, administrator, Administrators
>> (group), and SYSTEM all have FULL access to the folder.
>>
>> I don't have a proposed solution to the issue, but would like to ask what
>> is recommended, and how should it be fixed? Sorry for the lengthy mail.
>>
>> Ricky
>>
Hi Ricky, hi everyone.

4.0.4 git (tested on 4.0.3 too)
Does this explain why any file created on a cifs-mounted share on a
Linux client is _always_ 0777?

I tried:
create mode = 0744
in the global section of smb.conf, but the files were still created 0777

Any ideas?
Cheers,
Steve

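As an added example (not code from the thread or from Samba), a POSIX shell audit of a getfacl(1) listing like the one Ricky posted: it flags the entries that open a home directory to other domain users and accepts an owner-only layout. The getfacl text is embedded as a constructed sample abbreviated from the listing above, and the function names are assumptions.

```shell
# Added example, not from the thread: audit getfacl output for the entries
# that expose a [homes] directory to other users. Works on text, so it runs offline.

# Constructed sample, abbreviated from the listing in the mail.
PERMISSIVE_ACL='# file: some.user
# owner: root
# group: Domain\040Users
user::rwx
user:root:rwx
group::rwx
group:Domain\040Users:rwx
mask::rwx
other::rwx
default:group::rwx
default:other::rwx'

# Constructed counterpart: owner-only, with matching default entries so new
# files and folders inherit the same restriction.
PRIVATE_ACL='# file: some.user
# owner: some.user
# group: Domain\040Users
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---'

# acl_findings ACL_TEXT -> one line per entry that exposes the directory:
# any rights for "other", or write rights for the owning or a named group.
acl_findings() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || /^$/ { next }
        {
            if ($1 == "default") { scope = "default"; tag = $2; qual = $3; perms = $4 }
            else                 { scope = "access";  tag = $1; qual = $2; perms = $3 }
            if (tag == "other" && perms != "---")
                printf "%s: other (everyone) has %s\n", scope, perms
            else if (tag == "group" && index(perms, "w"))
                printf "%s: group %s can write (%s)\n", scope,
                       (qual == "" ? "(owning group)" : qual), perms
        }'
}

# acl_is_private ACL_TEXT -> exit 0 when nothing is exposed, 1 otherwise
acl_is_private() {
    [ -z "$(acl_findings "$1")" ]
}
```

On a live directory, `setfacl -b` (drop the extended and default entries) followed by `chmod 0700` produces the owner-only layout the second sample shows; use 0750 instead if you want to keep the Windows-style read access for a group.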