[Samba] security settings on [home] share for use in member server
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 29 01:45:10 MDT 2014
Hi
I checked my settings and this is what I have,
but this is also about how you want to use the "home" share.
In my case, /home/users has Linux mode 2770 (root:root)
drwxrwx--T+ 7 root root 4096 Oct 14 11:48 users
[home]
path = /home/users
read only = no
vfs objects = acl_xattr recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1073741824
In the share rights, I have
Verified users (full access)
SYSTEM (full access)
Domain Admins (full access)
On the security tab:
Creator Owner ( special ) Only subfolders and files
Verified users ( special ) Only this folder
SYSTEM ( full access) This folder, subfolders and files
DOMAIN\Domain Admins ( full access) This folder, subfolders and files
DOMAIN\Administrator ( full access) This folder, subfolders and files
Now when you create your users and set the home folder in the ADUC tool
with \\servername\home\%username%, the user folder will be created with the correct rights,
like the security tab but with the extra
created user with full access.
And this works OK.
I have Domain Admins on the users only because I use a share as
\\home\users$, so if needed the Domain Admins have access to the user folders.
So the above is correct. I have seen your error; look for it and try to fix it.
If you can't find it, email again ;-)
Greetz,
Louis
>-----Original message-----
>From: micromegas at mail333.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Micro MEGAS
>Sent: Tuesday 28 October 2014 17:22
>To: samba at lists.samba.org
>Subject: [Samba] security settings on [home] share for use
>in member server
>
>Hi all,
>
>I am referring to the official wiki here:
>https://wiki.samba.org/index.php/Setting_up_a_home_share#Settin
>g_up_the_share_and_filesystem_permissions
>
>I was struggling around for many hours before I found out
>what caused my issue. Well, I created the [home] share
>exactly as explained in the How-To, in detail: I create
>the directory on the Linux prompt at the member server with
>"mkdir -p /srv/samba/home" and then I apply the Windows ACL
>settings as shown on the wiki link:
>
>"Authenticated Users" have read access on (this folder only)
>"Domain Admins" have full access (this folder, subfolder and files)
>"SYSTEM" have full access (this folder, subfolder and files)
>"Creator-Owner" have full access (subfolders and files)
>
>Afterwards, when I check the ACL settings on the linux prompt
>at my member server I get following output:
>
>root at membersrv1:~# getfacl /srv/samba/home
>
># file: home
># owner: root
># group: root
>user::rwx
>user:root:rwx
>group::---
>group:root:---
>group:domain\040admins:rwx
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:group::---
>default:group:root:---
>default:group:domain\040admins:rwx
>default:mask::rwx
>default:other::---
>
>As you can see, there is one big mistake ==> Only the group
>"Domain Admins" got full (rwx) rights! With that setting a
>normal domain user is *not* able to access that [home]
>share at all. But it will work when I make the following change:
>
>I remove "Authenticated Users" from the security settings and
>instead I add "Domain Users" with the same security settings
>as shown above, that means: READ/LIST/EXECUTE rights (this
>folder only). When I use "Domain Users" group instead of
>"Authenticated Users", the ACL settings on linux prompt are as
>shown here:
>
>root at membersrv1:/~# getfacl /srv/samba/home
># file: home
># owner: root
># group: root
>user::rwx
>user:root:rwx
>group::---
>group:root:---
>group:domain\040users:r-x
>group:domain\040admins:rwx
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:group::---
>default:group:root:---
>default:group:domain\040admins:rwx
>default:mask::rwx
>default:other::---
>
>With these settings a domain user can make use of the [home]
>share as expected. Now why am I saying all this? If this can
>be proved by someone else and is correct, it would be nice if
>the corresponding persons could modify the wiki content,
>because the wiki says:
>
>[...] Note: If you have the requirement that your users need to access their
>home folder locally on the server, too, you have to add a group that
>contains these user accounts. Add this group in all steps below and set
>the permissions to exactly the same as for "Authenticated users". Of
>course this group must be available locally through Winbindd, sssd,
>nslcd, or other. This is required because, if the user logs in locally on
>the server, there is no "Authenticated User"!
>[...]
>
>[...] If you have the requirement that your users need to access their home
>folder locally on the server, too, additionally add a group that
>contains these user accounts. Because if the user logs in locally on the
>server, there is no "Authenticated User"! The permissions for this
>additional group have to be the same as for "Authenticated users" [...]
>
>What the wiki says is completely right, but unfortunately
>it doesn't make it clear (imho) that I *need* "Domain Users"
>*even when not intending* to have my users access their home
>folder locally on the server. My domain users don't log in
>locally on the member server to access their home directory;
>they just need to access the [home]/username directory through
>their Windows clients.
>
>Any comment welcome,
>
>thanks in advance,
>Mirco
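The script below is an added example, not code from either poster or from the Samba project. It parses the two getfacl listings quoted in the thread (embedded as constructed input, with the \040 octal escape getfacl uses for the space in the group names) and reports, for a given group, what it gets on the share root after the mask is applied and what new subdirectories would inherit from the default ACL. That is the check behind the point of the post: in the first listing "domain users" has no entry at all, in the second it has r-x on the folder and nothing in the default entries, which is exactly "read/list/execute, this folder only". The group names "domain users" and "domain admins" are taken from the listings; the function names are this example's own.

```python
"""Check a getfacl(1) listing for the access a Samba [home] share needs.

Added example, not code from the thread or the Samba project.  The two
listings are the ones posted in the thread, embedded as constructed input
so the check runs offline; the group names come from those listings.
"""
import re

# getfacl output before the change: only "Domain Admins" is present
ACL_BEFORE = r"""
# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
"""

# getfacl output after adding "Domain Users" with read/list/execute on
# "this folder only": an access entry, but no default (inherited) entry
ACL_AFTER = r"""
# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Parse getfacl output into (is_default, tag, qualifier, perms) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        # getfacl prints the space in "domain admins" as the octal escape \040
        qualifier = re.sub(r"\\([0-7]{3})",
                           lambda m: chr(int(m.group(1), 8)), qualifier)
        # a trailing "#effective:..." comment may follow the permissions
        perms = perms.split("#", 1)[0].strip()
        entries.append((is_default, tag, qualifier, perms))
    return entries


def effective_perms(entries, tag, qualifier="", is_default=False):
    """Permissions the ACL grants `tag:qualifier`, or None if no entry exists.

    Named users, named groups and the owning group are capped by the mask
    entry; the owner and "other" entries are not."""
    mask, perms = "rwx", None
    for d, t, q, p in entries:
        if d != is_default:
            continue
        if t == "mask":
            mask = p
        elif t == tag and q == qualifier:
            perms = p
    if perms is None or tag == "other" or (tag == "user" and qualifier == ""):
        return perms
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def group_access(text, group):
    """What `group` gets on the share root, and what new subdirectories
    inherit from the default ACL (None means: no entry at all)."""
    entries = parse_getfacl(text)
    return {
        "folder": effective_perms(entries, "group", group),
        "inherited": effective_perms(entries, "group", group, is_default=True),
    }


def can_reach_home_dirs(text, group):
    """True if members of `group` can list and traverse the share root,
    which is all a user needs to reach their own subfolder."""
    folder = group_access(text, group)["folder"]
    return folder is not None and "r" in folder and "x" in folder


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for g in ("domain users", "domain admins"):
            print(label, g, group_access(acl, g), can_reach_home_dirs(acl, g))
```

Run it against `getfacl /srv/samba/home` output on a real member server to confirm that the group your users are members of has at least r-x on the share root; an entry that exists only in the default ACL, or none at all as in the first listing, leaves the root untraversable for ordinary users.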