[Samba] Fwd: Re: Restrict access to users home drives

["Th. Söldenwagner"]

Hello Marc,

Am 24.10.2013 21:00, schrieb Marc Muehlfeld:
> Hello Thoralf,
>
> Am 24.10.2013 20:32, schrieb "Th. Söldenwagner":
>> is it possible to hide/restrict access to the home drives of our samba
>> users when accessing them directly via netbios address?
>>
>> The server is running at school and there are several pupils who have
>> the ability to misuse this situation.
>
> Don't simply hide something! That's security by obscurity. And I'm 100%
> sure, that it will be abused. :-)
>
> Is it neccessary, that users have access to foreign homes? Or is it just
> a misconfiguration?

On the contrary! As I mentioned, I don't want all users have access to
foreign homes. So, maybe a misconfiguration. Following is what I did so far:

1.
  Created user demo1 in ADUC and set its home drive to H: with the path
\\elektra\data\%username%

2.
  the directory was automatically created on the samba (4.1.0) server
with these permissions: drwxrwxr-x+   2 3000000 users

The corresponding entry in smb.conf is:

  [data]
	path = /files_samba/userdirs
	read only = yes
3.
  created test.txt on H: as user demo1. The permissions are:
-rwxrwxr-x+   1 3000057 users     0 Oct 21 19:06 test.txt

4. logged in as user demo2 and opened the samba shares in address line:
  \\elektra

All shares show up and I can open the data folder and all other user
folders except that I can't write to them. Users shouldn't be able to
see other folders at all or the data share should be restricted but I
have no idea how to set this up...
Should this be done in ADUC or on the samba side?

> Here's a HowTo about setting up file shares:
> http://wiki.samba.org/index.php/Setup_and_configure_file_shares
> It also describes how to configure permissions. If you use a filesystem
> that supports user_xattr, you can use all ACL stuff windows provides.


My filesystem supports user_xattr.

Best regards
Thoralf