[Samba] Samba-4.3.11 Roaming profiles on FreeBSD10.3

L.P.H. van Belle belle at bazuin.nl
Mon Aug 1 08:53:22 UTC 2016


Hi James,

 

> I deliberately switched the PROFILES share with the USERS share in order to test whether or not there was something obviously wrong with either the share definition or the permissions.  I understand that one must first press on the ok button to trigger the event.

 

For a USER home dir, yes; for profiles, no.

You can do that, but that won't help much.

Pressing OK only works as follows.

When you create a new user and press OK, SYSTEM impersonates the user and the user folder is created; it should have the user as owner.

 

For a USER profiles dir, it's when the user logs off that the "user" profile is created.

For the rights on profiles ( SHARE Rights ) 

You can use EVERYONE on the share, which makes it easier to manage.

You can also change that to "Authenticated Users", which makes it a bit more secure.

 

For the rights on profiles ( FOLDER Rights )

The three (3) entries in the Security Tab being:

 

CREATOR OWNER - Special Permissions

Administrator - Full Control

Domain Users  - Special Permissions

 

Yes, this is all you need and it is secure, but it's all about how you “want” to use things.

 

I'll explain what happens above.

 

I can enter the share because I'm in group EVERYONE. So yes, the world can enter this share.

And no, they can't: to access any share on the server you need to be authenticated.

 

And the folder rights make sure that:

1) The Domain Users can enter, read and create a folder in the share Profiles.

 

2) CREATOR OWNER rights are set on the content of the folder created above. So the owner always has full control.

 

3) The user "Administrator" ( has full control ) over all folders.

 

 

The order of setting the rights can give different results, AND

I really, really do advise to set this on the profile share:

acl_xattr:ignore system acl = yes

 

In my opinion the profiles share should ONLY be used for profiles.

 

Setting acl_xattr:ignore system acl = yes helps to make a much better match with Windows ACL rights.

 

 

In general, always do the following in this order.

 

1) create the share. 

2) setup the share rights ( NOT THE FOLDER RIGHTS )

3) IF you need to write somewhere in the share (subfolders included), you NEED WRITE rights.

      Or "Everyone"

      Or "Authenticated Users" (and sometimes with "Domain Computers")

      Or "Domain Users" (and sometimes with "Domain Computers")

      Or any group you created. “My advice: only for data access, SO no profiles, no user homedirs, no policy folder and NO software distribution folder.”

 

4) apply the FOLDER RIGHTS. 

      1) Set the "basic" rights. ( NOT the advanced tab ) 

      2) Now go to advanced. 

      3) Click Change

      4) And here set what you want/need. Things like "SYSTEM" can also be needed sometimes, which depends on your needs and use.

      5) Now only apply the needed rights and DON'T inherit, but DO apply on top objects.

            Applying on the top object sets the correct rights in underlying folders.

 

      

For a DATA share, I advise the following.

      PATH Example /home/samba/companydata

      You share “companydata” with share rights; set any group (I prefer Authenticated Users or Domain Users).

      That protects the share/data access. 

      

      Now set the security (folder rights):

      /home/samba/companydata

      Choose one of these.

1)    Do you allow users to create folders?

2)    Only “Domain Admins” and/or “Folder Admins” can create folders in “companydata”.

 

Based on one of these, set the rights.

If Administrators/Folder Admins need access on subfolders, then in the advanced tab use “Inherit”.

That makes sure that if a subfolder is created, the “Domain Admins/Folder Admins” are automatically added to the subfolder rights.

      And set PER subfolder the group access (don't forget to ALWAYS SET: “Creator GROUP”).

 

Pff. Hope I explained this clearly now..

 

And yes, what's on the wiki is all correct and works.

And this is not “Samba's way” but the general Windows way, so it applies to Windows and Samba.

 

 

Greetz, 

 

Louis

 

 

> -----Original message-----

> From: James B. Byrne [mailto:byrnejb at harte-lyne.ca]

> Sent: Friday 29 July 2016 18:12

> To: L.P.H. van Belle

> CC: samba at lists.samba.org

> Subject: Re: [Samba] Samba-4.3.11 Roaming profiles on FreeBSD10.3

> 

> 

> On Fri, July 29, 2016 02:58, L.P.H. van Belle wrote:

> > I sniped the best parts, and added comment.

> >

> >

> >

> >>

> >

> >> The situation is that assigning a new user the profile:

> >

> >> //DC/PROFILES/%USERNAME%  does not produce anything on the DC's

> >

> >> filesystem.

> >

> > Correct, that only happens when you first log in with the user and then

> > log off.

> >

> >

> >

> >>However, using the same string as a mapping for the

> >

> >> user's home drive works fine.  In other words the directory

> >

> >> //DC/PROFILES/%USERNAME% is created when used as the mapping

> >> argument.

> >

> > //DC/PROFILES/%USERNAME% is created when you click on the OK button in

> > the Windows tool.

> >

> >> However, the existence of this directory does not cure anything.

> >> If

> >

> >> following creation of the profile directory using the mapping

> >> gambit

> >

> >> one changes the profile to use that directory then when one logs on

> >> as

> >

> >> \\DC\%USERNAME% the profile cannot be found or created on the DC

> >> for that user.  If I rename the existing profile directory to

> >> PROFILES/%USERNAME%.V2 then I do not get the temporary profile

> >> error notice when logging in so the profile is found.  But when

> >> logging off I instead get the error notice that the roaming profile

> >> could not be synchronised and nothing is saved on the host

> >> filesystem.

> >

> >

> >

> >

> >

> > It looks like you swapped these 2 paths.

> >

> > The user folder rights are a bit different from the profiles folder.

> >

> > But you have too little info to be more precise.

> >

> >

> >

> > If you share the user folder. Example :

> >

> > /home/DOMAIN/users/Userfolders.

> >

> > In this path. /home/DOMAIN/users/Userfolders

> >

> >

> >

> > Share the users folder like

> >

> > \\DC\users\%username  and now this folder will be automatically created

> > through RSAT.

> >

> > IF you assigned uid/gid ( samba AD backend ) first assign the UID/GID

> > THEN set the user homedir.

> >

> > The wrong order can give the problem of not creating the user folders.

> >

> >

> >

> > And for the profiles setup like this.

> >

> > /home/DOMAIN/profiles/Userfolders.

> >

> >

> >

> > And share like

> >

> > \\dc\profiles\%username%

> >

> >

> >

> > Once this is correct set, now choose.

> >

> > Windows profile ACLs or (Unix) POSIX ACLs.

> >

> > Setup exact like this :

> >

> > https://wiki.samba.org/index.php/Implementing_roaming_profiles

> >

> > and it works.

> >

> >

> >

> > Check it; if it doesn't work, post the needed info.

> >

> >

> >

> > And recheck your homedir folders

> >

> > https://wiki.samba.org/index.php/User_home_drives

> >

> >

> >

> >

> >

> >

> >

> > Greetz,

> >

> >

> >

> > Louis

> 

> First of all thank for your reply.  Here are some additional data:

> 

> # cat /usr/local/etc/smb4.conf

> # Global parameters

> [global]

>         workgroup = BROCKLEY-2016

>         realm = BROCKLEY-2016.HARTE-LYNE.CA

>         netbios name = SAMBA-01

>         server role = active directory domain controller

>         dns forwarder = 216.185.71.33

>         idmap_ldb:use rfc2307 = yes

> 

> [netlogon]

>         path = /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca/scripts

>         read only = No

> 

> [sysvol]

>         path = /var/db/samba4/sysvol

>         read only = No

> 

> [PROFILES]

>         path = /var/samba4/BROCKLEY-2016/PROFILES/

>         read only = No

> 

> [USERS]

>         path = /var/samba4/BROCKLEY-2016/USERS/

>         read only = No

> 

> 

> Home directories work fine and always have. Users can put files into

> their home drives.

> 

> # getfacl /var/samba4/BROCKLEY-2016/USERS/

> # file: /var/samba4/BROCKLEY-2016/USERS/

> # owner: root

> # group: BROCKLEY-2016\domain admins

> user::rwx

> user:root:rwx

> user:3000002:rwx

> user:3000003:r-x

> user:BROCKLEY-2016\domain admins:rwx

> group::rwx

> group:3000002:rwx

> group:3000003:r-x

> group:BROCKLEY-2016\domain admins:rwx

> mask::rwx

> other::---

> 

> # ll /var/samba4/BROCKLEY-2016/USERS/testing12

> total 12

> drwxrwx---+ 2 BROCKLEY-2016\testing12  staff  512 Jul 29 10:14 Testing

> -rwxrwx---+ 1 BROCKLEY-2016\testing12  staff    0 Jul 29 10:15

> Testing.txt.txt

> 

> # wbinfo -u

> BROCKLEY-2016\administrator

> BROCKLEY-2016\testing11

> BROCKLEY-2016\testing12

> BROCKLEY-2016\krbtgt

> BROCKLEY-2016\guest

> 

> 

> I deliberately switched the PROFILES share with the USERS share in

> order to test whether or not there was something obviously wrong with

> either the share definition or the permissions.  I understand that one

> must first press on the ok button to trigger the event.

> 

> I did not set a POSIX uid for BROCKLEY-2016\testing12. I have not set

> any UNIX Attributes on any of the builtin users or groups.

> 

> I have followed the instructions for setting up roaming profiles to

> the best of my ability to follow them.  Evidently there is some

> assumed knowledge that I do not have.

> 

> To begin with.  What should the share permission be?  This window is

> not commented upon in the Roaming profile set-up but is in the Home

> directories set-up. By default the initial state for any share has

> Everyone with Full Control.  Is this what is meant to be left in the

> Share Permissions?

> 

> In the security tab only the advanced permissions entries are shown

> and the entire panel is not displayed. Are the three entities

> displayed the ONLY members that are to be present?

> 

> There is a check-box in the advanced Security settings called 'Include

> inheritable permissions from this object's parent' that is enabled by

> default.  There is no mention of this on the roaming page.

> 

> When I perform exactly the steps listed in the roaming profiles I get

> a warning that I am changing the root properties and asking if I want

> to proceed. Again no mention of this.

> 

> Assuming that the three entities shown in the advanced tab are all

> that are meant to be present I deleted the others.  Again, there are

> no instructions to do this but neither is there any mention of the

> other entities existence.

> 

> What this leaves me with is three (3) entries in the Security Tab being:

> 

> CREATOR OWNER - Special Permissions

> Administrator - Full Control

> Domain Users  - Special Permissions

> 

> Is this correct?  Should any other entries be present?

> 

> Back on the Share Permissions tab I still see this:

> 

> Everyone      - Full Control

> 

> So, what am I to make of this?  It does not strike me as being correct

> but there are no mention of it.  However, if it is left in place then

> profile directories are created and if it is removed profiles are not.

> So it appears necessary.  But what are its implications and why are

> they not discussed?  If Everyone has Full Control of the PROFILES

> share then of course everything is permitted by anyone on anything.

> The security permissions notwithstanding.  Or does Everyone - Full

> Control not mean what it appears to mean?

> 

> If I look at the example on

> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs there the

> Share Permissions have only Domain Admins and they do not have Full

> Control. The instructions on

> https://wiki.samba.org/index.php/Implementing_roaming_profiles say

> this:

> 

>      Setup a share named "Profiles" according to the documentation

> Shares with Windows ACLs

> 

>     Set the following ACLs on the root of the Profiles share according

> to Set ACLs on the root of a share

> 

> How much of the instruction on the references apply to roaming

> profiles?  Do I remove Everyone - Full Control from the Share

> Permissions and replace it with Domain Admins  - Change and Read as

> shown in the references?  Because that is what I did to begin with and

> evidently that is enough to break roaming profiles.

> 

> As I wrote earlier my experience with MS-Windows in general, and AD-DC

> in particular, is terribly out of date and quite limited in any case.

> So perhaps what this apparent contradiction means is very different

> than what I believe it should.

> 

> None of this is meant as any criticism of either the software or the

> documentation.  I am simply describing my experience with it based on

> my existing knowledge.

> 

> However, if Everyone - Full Control in the Share Permissions IS

> required for roaming shares to work then it would be nice to have this

> information explicitly set out on the wiki page.  At the moment, with

> Everyone -Full Control roaming profiles are correctly created and

> populated.  However, I cannot proceed until I know that this is

> required and that I have not opened some massive security hole by

> leaving it.

> 

> Sincerely,

> 

> --

> ***          e-Mail is NOT a SECURE channel          ***

>         Do NOT transmit sensitive data via e-Mail

>  Do NOT open attachments nor follow links sent by e-Mail

> 

> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca

> Harte & Lyne Limited          http://www.harte-lyne.ca

> 9 Brockley Drive              vox: +1 905 561 1241

> Hamilton, Ontario             fax: +1 905 561 0757

> Canada  L8E 3C3
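The share-rights-versus-folder-rights point above, and the advice to put "acl_xattr:ignore system acl = yes" on a profiles share, turned into an offline check. This is an added example for the thread, not Samba code and not anything Louis or James posted: it parses a constructed smb.conf fragment (the [PROFILES] share as James posted it, plus a "profiles-hardened" variant of this example's own naming that carries the recommended settings) and a constructed getfacl listing modelled on the one quoted above, then reports profile shares that are read only, lack "acl_xattr:ignore system acl = yes" or "csc policy = disable" (client-side caching of a profile share is unwanted; that second check is this example's choice, following the Samba wiki profile share), set "vfs objects" without acl_xattr (the acl_xattr:* options then do nothing), or allow guests; on the POSIX side it flags ACL entries that are still raw numeric IDs, like the 3000002/3000003 entries in the posted output, which means the ID could not be resolved to a name, and any non-empty "other" permission. All function and sample names are assumptions of this example.

```python
"""Offline audit of a Samba profiles share definition and its POSIX ACL.

Added example for this thread, not Samba code. All sample input below is
constructed (modelled on the smb4.conf and getfacl output quoted above).
"""
import re

# Constructed smb.conf fragment: [PROFILES] as posted (no acl_xattr tuning)
# and a variant carrying the settings recommended in the thread.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = BROCKLEY-2016
        server role = active directory domain controller

[PROFILES]
        path = /var/samba4/BROCKLEY-2016/PROFILES/
        read only = No

[profiles-hardened]
        path = /var/samba4/BROCKLEY-2016/PROFILES/
        read only = No
        csc policy = disable
        vfs objects = dfs_samba4 acl_xattr
        acl_xattr:ignore system acl = yes
"""

# Constructed getfacl listing; two entries are still raw xid numbers.
SAMPLE_GETFACL = """\
# file: /var/samba4/BROCKLEY-2016/USERS/
# owner: root
# group: BROCKLEY-2016\\domain admins
user::rwx
user:root:rwx
user:3000002:rwx
user:BROCKLEY-2016\\domain admins:rwx
group::rwx
group:3000002:rwx
mask::rwx
other::---
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {share_name_lowercase: {parameter_lowercase: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip().lower()  # share names are case-insensitive
            shares[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares


# Checklist of this example (after the thread's advice and the wiki profile share).
PROFILE_SETTINGS = {
    "acl_xattr:ignore system acl": "yes",
    "csc policy": "disable",
}


def audit_profile_share(share):
    """Return a list of findings for one share's parameter dict (empty = ok)."""
    findings = []
    if share.get("read only", "yes").lower() in TRUE_VALUES:  # Samba default is yes
        findings.append("share is read only: profiles can never be written back")
    for key, want in PROFILE_SETTINGS.items():
        got = share.get(key)
        if got is None:
            findings.append(f"missing '{key} = {want}'")
        elif got.lower() != want:
            findings.append(f"'{key}' is '{got}', expected '{want}'")
    vfs = share.get("vfs objects")
    if vfs is not None and "acl_xattr" not in vfs.split():
        # acl_xattr:* options only take effect when the module is loaded.
        findings.append("vfs objects set without acl_xattr; acl_xattr:* options are ignored")
    if share.get("guest ok", "no").lower() in TRUE_VALUES:
        findings.append("guest ok = yes: unauthenticated access to a profiles share")
    return findings


def audit_posix_acl(text):
    """Flag getfacl entries that are unresolved numeric IDs or open 'other' access."""
    findings = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drops header and '#effective:' notes
        if not entry:
            continue
        tag, _, rest = entry.partition(":")
        name, _, perms = rest.rpartition(":")
        if tag in ("user", "group") and name.isdigit():
            findings.append(f"{tag} {name}: numeric ID, not resolvable to a name")
        if tag == "other" and perms != "---":
            findings.append(f"other has {perms}: world access on the share root")
    return findings


if __name__ == "__main__":
    shares = parse_smb_conf(SAMPLE_SMB_CONF)
    for name in ("profiles", "profiles-hardened"):
        print(name, audit_profile_share(shares[name]) or ["ok"])
    print("acl", audit_posix_acl(SAMPLE_GETFACL))
```

Run it against "testparm -s" output and "getfacl <share root>" to audit a live server; the numeric-ID finding is only a hint to look at winbind and nsswitch, since the ID itself is not wrong, it just cannot be resolved where getfacl was run.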

 


