[Samba] Can't get 'root preexec' to run

Ole Traupe ole.traupe at tu-berlin.de
Thu Oct 22 10:09:15 UTC 2015



On 22.10.2015 at 11:36, L.P.H. van Belle wrote:
> Commented within...
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>> Sent: Thursday 22 October 2015 11:13
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Can't get 'root preexec' to run
>>
>> Louis, I agree with you, with some exceptions:
>>
>> On 22.10.2015 at 10:44, L.P.H. van Belle wrote:
>>> Hi, I'll try to explain it here..
>>>
>>> When you use the ADUC console, this is what happens.
>>>
>>> ( for Profile tab in ADUC )
>>>
>>> The ADUC user creates the user network dir, but only if you set the
>>> Drive letter:  (connected with) \\servername.domain.tld\users\%username%
>>> If you set the local path, it's not created.
>>> This folder is created at the moment you click OK, or Apply.
>>>
>>> For the profile folder, this is NOT created by the ADUC tool, but by the
>>> computer where the user is logging off. ( only created at logoff )
>>> Normally you set something like :
>>> \\servername.domain.tld\profiles\%username%
>> You probably mean 'logon', right?
> [L.P.H. van Belle]  No, profile folders are created at logoff.
> Test it yourself, create a new user, set the homedir and profile path.
> Login as the user, now go to the \\servername\profiles  share,
> And you see no folder of the newly created user.  ;-)
Thanks, wasn't aware of that!


>
>>> Users can access these shares.. but only see their own folders IF the
>>> share and folder rights are set correctly.
>>> For example. All my users have 770 on
>>> \\servername.domain.tld\users\%username%
>>> Which gives in my case, username:Domain Users  ( the unix primary group )
>>> The share rights say that "everybody" has all rights.
>>> ( you can change this to domain users for example, but I need everybody )
>>>
>>> The Access rights ( security tab ) there we set domain users with the
>>> advanced settings to : Only this folder.
>>> So this results in ( for windows ) users seeing only their folders, for linux
>>> users access to all user folders. Which I need for distributing files etc
>>> in user dirs.
>> I actually see a problem here, as we have Linux member servers, where
>> users shouldn't be allowed to browse each other's files. This Linux
>> behavior gives me a real headache sometimes. Therefore I use
>> username:Domain Admins.
> [L.P.H. van Belle] that's a possibility yes, but I suggest don't abuse "Domain Admins", just create another group, set the GID and use that one.
> You will be even more flexible.
>
>>> For the profile path
>>> \\servername.domain.tld\profiles\%username%
>>> Here the key is, user "SYSTEM" is used for creating the profile folders.
>>> Which is the account the computer uses, and most important that "SYSTEM"
>>> has all rights. ( and which exists on all windows computers )
>>> And the profile folder is created at Logoff, not like the users folder
>>> at click OK/Apply.
>>> The "LOCAL PATH" is normally only used for terminal server.
>>>
>>> The Unix tab
>>> In this case.
>>> \\servername.domain.tld\users\%username%
>>> Which is /home/users/%username%
>>>
>>> Users is shared
>> What do you mean by that?
> [L.P.H. van Belle]
>
> in ADUC tab Profile
> \\servername.domain.tld\users\%username% = "connect to drive" + path
>
> In ADUC tab Unix attributes.
> /home/users/%username%
> Which is the same as above, in the Profile tab.
I meant "Users is shared", but Rowland already cleared this up (thanks!)

Louis, with which method and options (permissions also) do you make 
"\\servername.domain.tld\users" accessible on domain member servers?


>
>
>>> And GID is set to "domain users"
>> Louis, do you always put the user in the "Unix Attributes" of the Domain
>> Users group? Probably that is necessary for group membership to work
>> correctly on linux, right? I just recently discovered this tab and was
>> wondering about it.
> [L.P.H. van Belle]
> Yes, in 90% of all cases I use "domain users", why ..
> All computers are members of "domain users"
> All users are members of "domain users"
> With share rights and security rights you protect the company folders.
> Example.
> \\servername\data
>     \Folder1
>     \Folder2
>
> Group right on folder1 is "group users folder1"
> anyone member of folder 1 can write, set "group creating special right"
> Now everyone in this folder can write but set to group rights = domain users. Result, no problems with files created by users, and users owning files.
>
> Same for folder 2.
> BUT, users in "folder 1 group" cannot access Folder2, because of "GROUP Folder access"
>
> I hope it explains a bit..

Sorry, Louis, I appreciate the effort, but you lost me completely. Of 
course, I use the Domain Users group. But is it necessary to fill it on 
the Unix Attributes tab as well? That was the question, Rowland said 'no'.

Apart from that: With 'group right' you mean Unix permissions and not 
Windows ACLs, right? Do you actually create AD user groups just for 
managing access rights to single particular folders?

>
> For the places where I need Linux access, these users have their GID set to a group other than domain users. And/or set creating special right and user special right.
>
> Test a bit with it, and don't forget the share rights and security rights.
>
>>> So hope this is more clear...
>>>
>>> And I really advise to NOT use \\servername\home (or \homes )
>>> Why? You can set \\servername\%username% for the user home dir BUT no
>>> auto-created home dir.
>> That is not entirely true and applies to Rowland's last posting as well:
>> if you use 'root preexec' in the [homes] section, you can use scripted
>> auto-creation of the user home share. I just successfully tried this and it
>> confirms my reading of the man pages that only if a share is requested
>> that does not actually exist, the [homes] section applies and 'root
>> preexec' there is executed (in case the username exists and the password is
>> correct).
>>
>> However, I wouldn't want to use \\server\%username% as home dir
>> location, as well.
>>
> [L.P.H. van Belle] yes, Rowland is correct, if you don't use ADUC or if you don't create folders from within Windows, but I'm doing everything from Windows ( most people are ) and
> no scripts etc run from Linux or are set in Samba.
> I think it should not be needed, but this depends totally on what you want and how you set up.
>
> I do almost everything with group policies.
> And 2 VB scripts for installing certificates.
>
>
>>> And you don't want \\servername\username , for XP this was ok, because of
>>> path traversal problems but as Win Vista/7 and up easily block that.
>>> (see above)
>>>
>>> Greetz
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>>> Sent: Wednesday 21 October 2015 18:52
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Can't get 'root preexec' to run
>>>>
>>>> On 21/10/15 17:40, Ole Traupe wrote:
>>>>> On a Windows domain member client in the ADUC console, you specify
>>>>> the home dir path that is to be used on Windows machines on the
>>>>> "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter),
>>>>> the folder is created (by the DC via your domain admin account) on the
>>>>> Samba server hosting the share the path you provided leads to. Try it,
>>>>> it's nice and simple. However, not useful in my case, as I want to
>>>>> create a zfs data set.
>>>>>
>>>>>
>>>>>
>>>> I usually set the user's profile attribute directly when creating the
>>>> user and as such, have never used ADUC to do this, but I am still
>>>> struggling to understand how a windows machine can create the full
>>>> directory path to a user's profile on a Unix machine.
>>>>
>>>> Rowland
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>
>



