[Samba] security settings on [home] share for use in member server

L.P.H. van Belle belle at bazuin.nl
Wed Oct 29 01:45:10 MDT 2014


Hi

I checked my settings and this is what I have,
but this is also about how you want to use the "home" share.

In my case, /home/users has Linux 2770 (root:root):
drwxrwx--T+  7 root   root   4096 Oct 14 11:48 users

[home]
   path = /home/users
   read only = no
   vfs objects = acl_xattr recycle
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:maxsize = 1073741824

In the share rights, I have:
Verified users   (full access)
SYSTEM           (full access)
Domain Admins    (full access)

On the security tab:
Creator Owner            (special)       Only subfolders and files
Verified users           (special)       Only this folder
SYSTEM                   (full access)   This folder, subfolders and files
DOMAIN\Domain Admins     (full access)   This folder, subfolders and files
DOMAIN\Administrator     (full access)   This folder, subfolders and files

Now when you create your users and set the home folder in the ADUC tool
with \\servername\home\%username%, the user folder will be created with the correct rights,
like the security tab but with an extra entry:
the created user with full access.

And this works OK.
I have Domain Admins on the users only because I use a share as
\\home\users$, so if needed the Domain Admins have access to the user folders.


So the above is correct. I have seen your error; look for it and try to fix it.
If you can't find it, email again ;-)


Greetz, 

Louis
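Added example (my own checker, not code from either post or from the Samba project): it parses getfacl output like the two listings quoted below and reports whether a named domain group can list and traverse the share root once the ACL mask is applied, and whether it also has a default (inherited) entry. The sample ACLs are constructed from the listings quoted in the thread, abbreviated.

```python
import re

# getfacl prints spaces in names as octal escapes (\040); undo them.
def _unescape(name: str) -> str:
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str) -> dict:
    """Parse getfacl output into {'access': {...}, 'default': {...}},
    keyed by (tag, qualifier) with the permission string as value."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        table = "access"
        if line.startswith("default:"):
            table, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[table][(tag, _unescape(qualifier))] = perms
    return acl

def group_perms(acl: dict, group: str, table: str = "access"):
    """Effective rights of a named group after the ACL mask is applied, or
    None when the group has no entry at all (the 'Authenticated Users' case
    in the thread: that Windows identity has no POSIX group to map to)."""
    perms = acl[table].get(("group", group))
    if perms is None:
        return None
    mask = acl[table].get(("mask", ""), "rwx")
    return "".join(p if p != "-" and p in mask else "-" for p in perms)

def can_reach_share_root(acl: dict, group: str) -> bool:
    """True when members of `group` can list and traverse the share root,
    which a user needs in order to get into their own home folder."""
    perms = group_perms(acl, group)
    return perms is not None and perms[0] == "r" and perms[2] == "x"

# Constructed samples: the two listings quoted in the thread, abbreviated.
ACL_WITH_AUTH_USERS = r"""
# file: home
user::rwx
group::---
group:domain\040admins:rwx
mask::rwx
other::---
default:group:domain\040admins:rwx
"""
# Second listing: same, plus the "Domain Users" r-x entry on this folder only.
ACL_WITH_DOMAIN_USERS = ACL_WITH_AUTH_USERS.replace(
    "mask::rwx", "group:domain\\040users:r-x\nmask::rwx", 1)
```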


>-----Original message-----
>From: micromegas at mail333.com
>[mailto:samba-bounces at lists.samba.org] On behalf of ?icro MEGAS
>Sent: Tuesday 28 October 2014 17:22
>To: samba at lists.samba.org
>Subject: [Samba] security settings on [home] share for use in member server
>
>Hi all,
>
>I am referring to the official wiki here:
>https://wiki.samba.org/index.php/Setting_up_a_home_share#Settin
>g_up_the_share_and_filesystem_permissions
>
>I was struggling for many hours before I found out
>what caused my issue. Well, I have created the [home] share
>exactly as explained in the How-To, in detail: I create
>on the Linux prompt at the member server the directory with
>"mkdir -p /srv/samba/home" and then I apply the Windows ACL
>settings as shown on the wiki link:
>
>"Authenticated Users" have read access on (this folder only)
>"Domain Admins" have full access (this folder, subfolder and files)
>"SYSTEM" have full access (this folder, subfolder and files)
>"Creator-Owner" have full access (subfolders and files)
>
>Afterwards, when I check the ACL settings on the linux prompt 
>at my member server I get following output:
>
>root at membersrv1:~# getfacl /srv/samba/home
>
># file: home
># owner: root
># group: root
>user::rwx
>user:root:rwx
>group::---
>group:root:---
>group:domain\040admins:rwx
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:group::---
>default:group:root:---
>default:group:domain\040admins:rwx
>default:mask::rwx
>default:other::---
>
>As you can see, there is one big mistake ==> Only the group
>"Domain Admins" got full (rwx) rights! With that setting it is
>*not* possible for a normal domain user to access that [home]
>share at all. But it will work when I make the following change:
>
>I remove "Authenticated Users" from the security settings and 
>instead I add "Domain Users" with the same security settings 
>as shown above, that means: READ/LIST/EXECUTE rights (this 
>folder only). When I use "Domain Users" group instead of 
>"Authenticated Users", the ACL settings on linux prompt are as 
>shown here:
>
>root at membersrv1:/~# getfacl /srv/samba/home
># file: home
># owner: root
># group: root
>user::rwx
>user:root:rwx
>group::---
>group:root:---
>group:domain\040users:r-x
>group:domain\040admins:rwx
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:group::---
>default:group:root:---
>default:group:domain\040admins:rwx
>default:mask::rwx
>default:other::---
>
>With these settings a domain user can make use of the [home]
>share as expected. Now why am I saying all this? If this can
>be confirmed by someone else and is correct, it would be nice if
>the corresponding persons could modify the wiki content.
>Because the wiki says:
>
>[...] Note: If you have the requirement that your users need
>to access their home folder locally on the server, too, you have to add a group that
>contains these user accounts. Add this group in all steps below and set
>the permissions to exactly the same as for „Authenticated users“. Of
>course this group must be available locally through Winbindd, sssd,
>nslcd, or other. This is required, because if the user logs in
>locally on the server, there is no „Authenticated User“!
>[...]
>
>[...] If you have the requirement that your users need to access their home
>folder locally on the server, too, additionally or add a group that
>contains these user accounts. Because if the user logs in locally on the
>server, there is no „Authenticated User“! The permissions for this
>additional group have to be the same as for „Authenticated users“ [...]
>
>What the wiki says is completely right, but unfortunately
>it doesn't make it clear (imho) that I *need* "Domain Users"
>*even when I do not intend* my users to access their home
>folder locally on the server. My domain users don't log in
>locally on the member server to access their home directory;
>they just need to access the [home]/username directory through
>their Windows clients.
>
>Any comment welcome,
>
>thanks in advance,
>Mirco
