[Samba] security settings on [home] share for use in member server

Mirco MEGAS micromegas at mail333.com
Tue Oct 28 10:21:59 MDT 2014


Hi all,

I am referring to the official wiki here:
https://wiki.samba.org/index.php/Setting_up_a_home_share#Setting_up_the_share_and_filesystem_permissions

I was struggling for many hours before I found out what caused my issue. Well, I created the [home] share exactly as explained in the How-To, in detail: on the Linux prompt of the member server I create the directory with "mkdir -p /srv/samba/home" and then I apply the Windows ACL settings as shown on the wiki link:

"Authenticated Users" have read access on (this folder only)
"Domain Admins" have full access (this folder, subfolder and files)
"SYSTEM" have full access (this folder, subfolder and files)
"Creator-Owner" have full access (subfolders and files)

Afterwards, when I check the ACL settings on the linux prompt at my member server I get following output:

root at membersrv1:~# getfacl /srv/samba/home

# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

As you can see, there is one big mistake ==> only the group "Domain Admins" got full (rwx) rights! With that setting it is *not* possible for a normal domain user to access that [home] share at all. But it works when I make the following change:

I remove "Authenticated Users" from the security settings and instead I add "Domain Users" with the same security settings as shown above, that means: READ/LIST/EXECUTE rights (this folder only). When I use the "Domain Users" group instead of "Authenticated Users", the ACL settings on the Linux prompt are as shown here:

root at membersrv1:/~# getfacl /srv/samba/home
# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

With these settings a domain user can make use of the [home] share as expected. Now, why am I saying all this? If this can be proved by someone else and is correct, it would be nice if the corresponding persons could modify the wiki content. Because the wiki says:

[...] Note: If you have the requirement that your users need to access their 
home folder locally on the server, too, you have to add a group that 
contains these user accounts. Add this group in all steps below and set 
the permissions to exactly the same as for „Authenticated users“. Of 
course this group must be available locally through Winbindd, sssd, 
nslcd, or other. This is required, because if the user logs in locally on
 the server, there is no „Authenticated User“! 
[...]

[...] If you have the requirement that your users need to access their home 
folder locally on the server, too, additionally add a group that 
contains these user accounts. Because if the user logs in locally on the 
server, there is no „Authenticated User“! The permissions for this 
additional group have to be the same as for „Authenticated users“ [...]

What the wiki says is completely right, but unfortunately it doesn't make it clear (imho) that I *need* "Domain Users" *even when not intending* my users to access their home folder locally on the server. My domain users don't log in locally on the member server to access their home directory, they just need to access the [home]/username directory through their Windows clients.

Any comment welcome,

thanks in advance,
Mirco
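The two getfacl listings above differ only in whether a named group besides "domain admins" has an entry on the share root. The following is an added example, not code from the post or from the Samba wiki: a small POSIX sh checker that reads getfacl-style output (the group names with spaces appear octal-escaped, e.g. `domain\040users`, exactly as in the listings) and reports the effective permissions a group has on the directory's access ACL, i.e. the named-group entry ANDed with the `mask::` entry. The two ACL texts are constructed inline from the post so the script runs offline; the function names `and_perms`, `group_perms` and `group_can_list` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba wiki): a checker
# that reads getfacl(1)-style output and reports the effective permissions
# a POSIX group has on a directory's access ACL, so an admin can see whether
# a share root is reachable by anyone other than Domain Admins.
# Group names containing spaces appear octal-escaped in getfacl output
# (e.g. "domain\040users"); the helper escapes a plain name the same way.

# Constructed sample 1: the ACL from the post where only Domain Admins
# got an entry (default: entries are ignored by the checker).
ACL_ADMINS_ONLY='# file: home
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
mask::rwx
other::---
default:group:domain\040admins:rwx'

# Constructed sample 2: the working ACL with Domain Users added.
ACL_WITH_DOMAIN_USERS='# file: home
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:group:domain\040admins:rwx'

# and_perms A B: bitwise AND of two rwx strings, e.g. "rwx" "r-x" -> "r-x".
and_perms() {
    a="$1"; b="$2"; out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$a" | cut -c "$i")
        cb=$(printf '%s\n' "$b" | cut -c "$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# group_perms ACLTEXT GROUPNAME: prints the group's effective permissions
# (named-group entry ANDed with the mask entry), or "none" if no entry exists.
group_perms() {
    acl="$1"
    escaped=$(printf '%s\n' "$2" | sed 's/ /\\040/g')
    # Only the access ACL decides whether the share root can be opened;
    # default: entries only seed ACLs of newly created children.
    perms=$(printf '%s\n' "$acl" | grep -v '^default:' \
            | grep -F "group:$escaped:" | cut -d: -f3 | head -n 1)
    mask=$(printf '%s\n' "$acl" | grep '^mask::' | cut -d: -f3 | head -n 1)
    if [ -z "$perms" ]; then
        printf 'none\n'
    elif [ -z "$mask" ]; then
        printf '%s\n' "$perms"
    else
        and_perms "$perms" "$mask"
    fi
}

# group_can_list ACLTEXT GROUPNAME: succeeds if the group has effective
# read and execute, which is what "read/list/execute (this folder only)"
# in the Windows security tab maps to on the share root.
group_can_list() {
    case "$(group_perms "$1" "$2")" in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo: report who can open the share root in each sample.
for g in "domain users" "domain admins"; do
    for sample in ADMINS_ONLY WITH_DOMAIN_USERS; do
        eval "acl=\$ACL_$sample"
        printf '%-18s %-14s effective=%s\n' "$sample" "$g" "$(group_perms "$acl" "$g")"
    done
done
```

On a real member server the two sample strings would be replaced by `acl=$(getfacl /srv/samba/home)`; the checker then shows at a glance the situation from the post, where "domain users" has no entry at all and so only members of "domain admins" can open the share root.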

