[Samba] Can't get 'root preexec' to run

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 22 09:37:39 UTC 2015


On 22/10/15 10:12, Ole Traupe wrote:
> Louis, I agree with you, with some exceptions:
>
> Am 22.10.2015 um 10:44 schrieb L.P.H. van Belle:
>> Hai, I'll try to explain here..
>>
>> When you use ADUC console. This is what happens.
>>
>> ( for Profile tab in ADUC )
>>
>> The ADUC user creates the user network dir, but only what you set the
>> Drive letter:  (connected with) \\servername.domain.tld\users\%username%
>> If you set the local path, it's not created.
>> This folder is created at the moment you click OK, or Apply.
>>
>> For the profile folder, this is NOT created by the ADUC tool, but by 
>> the computer where the user is logging off. ( only created at logoff )
>> Normally you set something like :
>> \\servername.domain.tld\profiles\%username%
> You probably mean 'logon', right?

They have only been first created at logoff for me.

>
>>
>> Users can access these shares.. but only see their own folders IF the 
>> share and folder rights are set correctly.
>>
>> For example. All my users have 770 on 
>> \\servername.domain.tld\users\%username%
>> Which gives in my case, username:Domain Users  ( the unix primary 
>> group )
>>
>> The share rights tells that "everybody" has all rights.
>> ( you can change this to domain user for example, but I need everybody )
>>
>> The Access rights ( security tab ) there we set domain users with the 
>> advanced settings to : Only this folder.
>>
>> So resulted in ( for windows ) users see only their folders, for linux 
>> users access to all user folders. Which I need for distributing files 
>> etc. in user dirs.
> I actually see a problem here, as we have linux member servers, where 
> users shouldn't be allowed to browse each others files. This linux 
> behavior gives me a real headache sometimes. Therefore I use 
> username:Domain Admins.
>

Yes, you can do this.

>>
>> For the profile path
>> \\servername.domain.tld\profiles\%username%
>> Here key is, user "SYSTEM" is used for creating the profile folders.
>> Which is the account the computer uses and most important that 
>> "SYSTEM" has all rights. ( and which exists on all windows computers )
>> And the profile folder is created at Logoff, not like the users 
>> folder at click OK/Apply.
>> The "LOCAL PATH" is normally only used for terminal server.
>>
>> The Unix tab
>> In this case.
>> \\servername.domain.tld\users\%username%
>> Which is /home/users/%username%
>>
>> Users is shared
> What do you mean by that?

I think he means he has a share called 'Users' on the Samba machine.

>
>> And GID is set to "domain users"
> Louis, do you always put the user in the "Unix Attributes" of the 
> Domain Users group? Probably that is necessary for group membership to 
> work correctly on linux, right? I just recently discovered this tab 
> and was wondering about it.

This is not required when using winbind, all users are members of the 
windows group 'Domain Users' and it is their primary group. If you were 
to examine the 'Domain Users' group object in AD, you would find that it 
appears to have no members, but as I am sure you are aware all domain 
users are a member of this group.

>
>>
>> So hope this is more clear...
>>
>> And I really advise to NOT use \\servername\home (or \homes )
>> Why? You can set \\servername\%username% for the user home dir BUT no 
>> auto-created home dir.
> That is not entirely true and applies to Rowland's last posting as well: 
> if you use 'root preexec' in the [homes] section, you can use scripted 
> auto-creation of user home share. I just successfully tried this and 
> it confirms my reading of the man pages that only if a share is 
> requested that is not actually existing, the [homes] section applies 
> and 'root preexec' there is executed (in case username exists and 
> password is correct).
>

You are still confusing 'homeDirectory' for 'unixHomeDirectory', it is 
the latter that means anything on a Unix machine and it is the contents 
of this attribute that will be used for the user's Unix home path. This 
directory will *not* be created at login to a Unix machine unless you 
write your own script to do this, or use something like pam_mkhomedir on 
Debian.

> However, I wouldn't want to use \\server\%username% as home dir 
> location, as well.
>
>

I wouldn't either, mostly because it wouldn't work.

Rowland

>>
>> And you don't want \\servername\username , for XP this was ok, because 
>> of path traversal problems but as Win Vista/7 and up easily block that.
>> (see above)
>>
>> Greetz
>>
>> Louis
>>
>>
>>
>>
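
Added example, not part of the thread or of Samba itself: a sketch of a home-creation script of the kind the 'root preexec' discussion above refers to. The script path, `HOME_BASE` and the allowed-character policy are assumptions; `%U` is Samba's session-username substitution, and because the script runs as root on a client-supplied name it validates that name before touching the filesystem.

```shell
#!/bin/sh
# Assumed smb.conf wiring (hypothetical script path):
#   [homes]
#       root preexec = /usr/local/sbin/mkhome.sh %U
# HOME_BASE is an assumption taken from the /home/users path in the thread.
HOME_BASE="${HOME_BASE:-/home/users}"

# make_home USER: create HOME_BASE/USER with mode 0700.
# Returns 0 on success, 1 on a rejected name, 2 on an unsafe path or error.
make_home() {
    user="$1"
    # Accept only plain account names: not empty, no leading '-' or '.',
    # and nothing outside letters, digits, '.', '_' and '-' (so no '/').
    case "$user" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    dir="$HOME_BASE/$user"
    # Refuse to act on a symlink planted where the home should be.
    [ -L "$dir" ] && return 2
    if [ ! -d "$dir" ]; then
        # -m sets the mode explicitly, independent of the umask.
        mkdir -m 0700 -- "$dir" || return 2
        # Ownership can only be handed over when running as root.
        if [ "$(id -u)" -eq 0 ]; then
            chown -- "$user" "$dir" || return 2
        fi
    fi
    return 0
}

# When called by Samba with the username as the first argument.
if [ "$#" -gt 0 ]; then
    make_home "$1"
    exit $?
fi
```
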



