[Samba] Can't get 'root preexec' to run

L.P.H. van Belle belle at bazuin.nl
Thu Oct 22 11:26:54 UTC 2015


Commented within...

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday 22 October 2015 12:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't get 'root preexec' to run
> 
> 
> 
> On 22.10.2015 at 11:36, L.P.H. van Belle wrote:
> > Commented within...
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> >> Sent: Thursday 22 October 2015 11:13
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Can't get 'root preexec' to run
> >>
> >> Louis, I agree with you, with some exceptions:
> >>
> >> On 22.10.2015 at 10:44, L.P.H. van Belle wrote:
> >>> Hi, I'll try to explain it here..
> >>>
> >>> When you use the ADUC console, this is what happens.
> >>>
> >>> ( for Profile tab in ADUC )
> >>>
> >>> The ADUC user creates the user network dir, but only when you set the
> >>> Drive letter: (connected with) \\servername.domain.tld\users\%username%
> >>> If you set the local path, it's not created.
> >>> This folder is created at the moment you click OK or Apply.
> >>>
> >>> For the profile folder, this is NOT created by the ADUC tool, but by the
> >>> computer where the user is logging off. ( only created at logoff )
> >>> Normally you set something like:
> >>> \\servername.domain.tld\profiles\%username%
> >> You probably mean 'logon', right?
> > [L.P.H. van Belle]  No, profile folders are created at logoff.
> > Test it yourself: create a new user, set the homedir and profile path.
> > Log in as the user, now go to the \\servername\profiles share,
> > and you see no folder of the newly created user.  ;-)
> Thanks, wasn't aware of that!
> 
> 
> >
> >>> Users can access these shares.. but only see their own folders IF the
> >>> share and folder rights are set correctly.
> >>> For example, all my users have 770 on
> >>> \\servername.domain.tld\users\%username%
> >>> which gives in my case username:Domain Users ( the unix primary group )
> >>> The share rights tell that "everybody" has all rights.
> >>> ( you can change this to domain users for example, but I need everybody )
> >>>
> >>> The access rights ( security tab ): there we set domain users with the
> >>> advanced settings to: Only this folder.
> >>> This results in ( for windows ) users seeing only their folders, for linux
> >>> users access to all user folders, which I need for distributing files etc.
> >>> in user dirs.
> >> I actually see a problem here, as we have linux member servers, where
> >> users shouldn't be allowed to browse each others files. This linux
> >> behavior gives me a real headache sometimes. Therefore I use
> >> username:Domain Admins.
> > [L.P.H. van Belle] that's a possibility yes, but I suggest don't abuse
> > "Domain Admins", just create another group, set GID and use that one.
> > You will be even more flexible.
> >
> >>> For the profile path
> >>> \\servername.domain.tld\profiles\%username%
> >>> The key here is, user "SYSTEM" is used for creating the profile folders.
> >>> Which is the account the computer uses, and most important, "SYSTEM"
> >>> has all rights. ( and exists on all windows computers )
> >>> And the profile folder is created at logoff, not like the users folder
> >>> at click OK/Apply.
> >>> The "LOCAL PATH" is normally only used for terminal server.
> >>>
> >>> The Unix tab
> >>> In this case.
> >>> \\servername.domain.tld\users\%username%
> >>> Which is /home/users/%username%
> >>>
> >>> Users is shared
> >> What do you mean by that?
> > [L.P.H. van Belle]
> >
> > in ADUC tab Profile
> > \\servername.domain.tld\users\%username% = "connect to drive" + path
> >
> > In ADUC tab Unix attributes.
> > /home/users/%username%
> > Which is the same as above, in the Profile tab.
> I meant "Users is shared", but Rowland already cleared this up (thanks!)
> 
> Louis, with which method and options (permissions also) do you make
> "\\servername.domain.tld\users" accessible on domain member servers?
[L.P.H. van Belle] this depends, I use nfs3 or nfs4 or cifs,
based on my needs, aka where users log in and not.
I have for example only 5 linux users, mostly on a different server than the users and company data.

> 
> >
> >
> >>> And GID is set to "domain users"
> >> Louis, do you always put the user in the "Unix Attributes" of the Domain
> >> Users group? Probably that is necessary for group membership to work
> >> correctly on linux, right? I just recently discovered this tab and was
> >> wondering about it.
> > [L.P.H. van Belle]
> > Yes, in 90% of all cases I use "domain users". Why?
> > All computers are members of "domain users"
> > All users are members of "domain users"
> > With share rights and security rights you protect the company folders.
> > Example.
> > \\servername\data
> > 	\Folder1
> > 	\Folder2
> >
> > Group right on folder1 is "group users folder1"
> > Anyone member of folder 1 can write, set "group creating special right"
> > Now everyone in this folder can write but set to group rights = domain
> > users. Result, no problems with files created by users, and users owning
> > files.
> >
> > Same for folder 2.
> > BUT, users in "folder 1 group" can not access Folder2, because of
> > "GROUP Folder access"
> >
> > I hope it explains a bit..
> 
> Sorry, Louis, I appreciate the effort, but you lost me completely. Of
> course, I use the Domain Users group. But is it necessary to fill it on
> the Unix Attributes tab as well? That was the question, Rowland said 'no'.
> 
> Apart from that: With 'group right' you mean Unix permissions and not
> Windows ACLs, right? Do you actually create AD user groups just for
> managing access rights to single particular folders?
> to a group other than domain users. And or set creating special right and
> user special right.
[L.P.H. van Belle] ok, I'll try in the most simple terms per example
( a windows minded setup )
For a windows pc, you map a share, like drive K: ( \\servername\sharename )
A user will see
K:\folder1   	(windows group : Group_folder1 )
K:\folder2 		(windows group : Group_folder2 )

Now if in ADUC you keep the GID on Domain Users,
files in folder1 are created and get rights: username:"Domain Users"
Because of the "Group_folder" membership (and same for folder2)
a user can access folder1 (or 2) only if they are a group member.
And vice versa.

Now I have 1 user which is also a unix user. ( I assigned him a uid/gid )
BUT for my unix acl rights I need to set the primary group to the group the unix users need.

To make things more easy, I always set:
acl_xattr:ignore system acl = yes
on my shares. Windows ignores the rights for unix. But if I work from ssh,
the unix rights do apply, and in this case you need to set the correct GID on the "K:\Folder1"

So folder1 in linux is, for example, /home/samba/folder1
and has unix rights root:LinuxGroup
( and the "LinuxGroup" can be a windows group with GID )
And Windows ignores the linux rights, so windows users can access these files also.

It's a bit of fiddling around, testing until you get/set what you want.
And, this works for me, but maybe your environment does not apply for a setup like this.

Best is to read:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

https://wiki.samba.org/index.php/User_home_drives
( only I change [home] to [users] so these things don't get mixed up. )
And on the User home drives link.. read the "On *nix" part.
The important part:
"This entry only appears, if you had assigned a UID in the „Unix Attributes“ tab before the home was created!"

Hope it's a bit more clear, I don't know how to explain it better..  :-/


> >
> > Test a bit with it, and don't forget the share rights and security
> > rights.
> >
> >>> So hope this is more clear...
> >>>
> >>> And I really advise NOT to use \\servername\home (or \homes )
> >>> Why? You can set \\servername\%username% for the user home dir BUT no
> >>> auto-created home dir.
> >> That is not entirely true and applies to Rowland's last posting as well:
> >> if you use 'root preexec' in the [homes] section, you can use scripted
> >> auto-creation of the user home share. I just successfully tried this and it
> >> confirms my reading of the man pages that only if a share is requested
> >> that is not actually existing, the [homes] section applies and 'root
> >> preexec' there is executed (in case username exists and password is
> >> correct).
> >>
> >> However, I wouldn't want to use \\server\%username% as home dir
> >> location, as well.
> >>
> > [L.P.H. van Belle] yes, Rowland is correct, if you don't use ADUC or if
> > you don't create folders from within windows, but I'm doing everything from
> > windows ( most people are ) and
> > no scripts etc. run from linux or are set in samba.
> > I think it should not be needed, but this depends totally on what you
> > want and how you set up.
> >
> > I do almost everything with group policies.
> > And 2 VB scripts for installing certificates.
> >
> >
> >>> And you don't want \\servername\username; for XP this was ok, because of
> >>> path traversal problems, but Win Vista/7 and up easily block that.
> >>> (see above)
> >>>
> >>> Greetz
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >>>> Sent: Wednesday 21 October 2015 18:52
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Can't get 'root preexec' to run
> >>>>
> >>>> On 21/10/15 17:40, Ole Traupe wrote:
> >>>>> On a Windows domain member client in the ADUC console, you specify
> >>>>> the home dir path that is to be used on Windows machines on the
> >>>>> "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter),
> >>>>> the folder is created (by the DC via your domain admin account) on the
> >>>>> Samba server hosting the share the path you provided leads to. Try it,
> >>>>> it's nice and simple. However, not useful in my case, as I want to
> >>>>> create a zfs data set.
> >>>>>
> >>>>>
> >>>>>
> >>>> I usually set the user's profile attribute directly when creating the
> >>>> user and as such have never used ADUC to do this, but I am still
> >>>> struggling to understand how a windows machine can create the full
> >>>> directory path to a user's profile on a Unix machine.
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
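The scripted home-directory auto-creation Ole describes for 'root preexec' in the [homes] section, written out as an added example that is not part of the thread or of Samba itself: a POSIX shell helper that smbd could run on first connection, using the /home/users/<username> layout and the 770 username:"Domain Users" rights Louis describes. The script path /usr/local/sbin/mkhome.sh and the `%U` argument mapping are assumptions; the name check is there because `%U` is substituted from the user name the client sent, and the thread itself notes path traversal problems with per-user share names.

```shell
#!/bin/sh
# Added example (not from the thread): a helper for Samba's 'root preexec' in a
# [homes]-style share, creating the user's directory on first connection.
# Assumed smb.conf line (hypothetical script path):
#     root preexec = /usr/local/sbin/mkhome.sh %U
# Layout taken from the thread: /home/users/<username>, mode 770, group "Domain Users".
set -eu

# create_home BASE USER GROUP
# Creates BASE/USER if it is missing (mode 0770, owner USER:GROUP) and prints its path.
# Returns 1 for an unsafe user name, 2 if BASE does not exist.
create_home() {
    base=$1
    user=$2
    group=$3
    # %U is substituted by smbd from the name the client sent, so refuse anything
    # that could escape BASE or be read as an option: empty, '/', '\', leading '.' or '-'.
    case "$user" in
        ''|*/*|*\\*|.*|-*) return 1 ;;
    esac
    [ -d "$base" ] || return 2
    dir="$base/$user"
    if [ ! -d "$dir" ]; then
        mkdir -m 0770 "$dir"
        chown "$user:$group" "$dir"
    fi
    printf '%s\n' "$dir"
}

# Entry point when smbd runs the script: mkhome.sh <username> [group]
if [ -n "${1:-}" ]; then
    create_home /home/users "$1" "${2:-Domain Users}"
fi
```

Because create_home only creates the directory when it is missing, repeated connections by the same user are harmless, and an unexpected user name makes smbd's preexec fail instead of touching the filesystem.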