[Samba] Home Folder ( extra tip )

L.P.H. van Belle belle at bazuin.nl
Tue Jul 12 12:28:14 UTC 2016


Just a tip. 
If you create users with RSAT and you also use unix IDs (UID/GID) with the AD backend:
First assign the UID/GID, then apply the home dir folder in RSAT.
Only for user home dirs.
This can help if you also use ssh to log in and you can't enter your own home dir.

For example:

Your ACL (for the user)
> # file: rs-01/
> # owner: administrator
> # group: domain\040users
> user::rwx
> user:rs-01:rwx
> user:administrator:rwx
> group::r-x
> group:domain\040users:r-x
> group:BUILTIN\134administrators:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:rs-01:rwx
> default:user:administrator:rwx
> default:group::r-x
> default:group:domain\040users:r-x
> default:group:BUILTIN\134administrators:rwx
> default:mask::rwx
> default:other::---


My ACL 
# file: home/users/username/
# owner: username
# group: root
user::rwx
user:root:rwx
user:username:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:username:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---

The difference: my user is the owner of its own homedir, yours is administrator.

From within Linux no user can enter the "username" folder.
Only the user and members of "Domain Admins" (which is a member of BUILTIN\Administrators).
Or users which can kinit.

(P.S. I use homedirs over kerberized NFSv4.)


Greetz, 

Louis
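
An added example, not code from the thread: it audits the getfacl output of an RSAT-created home directory for the entries that let every domain member enter it (the "Domain Users" r-x entries mathias points at, plus the owning-group entry, which is also "Domain Users" when administrator created the folder) and prints the setfacl commands that close them. The sample ACL is constructed from the directory quoted below, trimmed to the relevant lines; the directory path is an assumption.

```shell
# Added example, not from the thread: audit a home dir's getfacl output for
# entries that let every domain member enter it, then print the setfacl
# commands that close them. Sample ACL constructed from the thread (trimmed).
SAMPLE_ACL='# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
group::r-x
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040users:r-x
default:mask::rwx
default:other::---'

# Read getfacl output on stdin; print each access or default entry that gives
# "Domain Users" (a named entry, or the owning-group entry when the directory
# is group-owned by it) or "other" the x bit, i.e. the right to enter the
# directory. getfacl writes the space in the group name as \040.
find_open_entries() {
    awk -F: '
        /^# group:/ { owning = tolower($2); sub(/^ +/, "", owning); next }
        /^#/ || /^$/ { next }
        {
            pre = ""; tag = $1; qual = $2; perm = $3
            if (tag == "default") { pre = "default:"; tag = $2; qual = $3; perm = $4 }
            if (perm !~ /x/) next
            du = "domain\\040users"
            hit = (tag == "group" && (tolower(qual) == du || (qual == "" && owning == du)))
            if (hit || tag == "other") print pre tag ":" qual ":" perm
        }'
}

# Map each flagged entry to the setfacl command that closes it on DIR: named
# Domain Users entries are removed, owning-group/other entries are set to ---.
suggest_fix() {
    dir=$1
    find_open_entries | awk -F: -v dir="$dir" '
        {
            d = ($1 == "default") ? "d:" : ""
            tag = ($1 == "default") ? $2 : $1
            qual = ($1 == "default") ? $3 : $2
            if (tag == "group" && qual != "") print "setfacl -x " d "g:\"domain users\" " dir
            else if (tag == "group")          print "setfacl -m " d "g::--- " dir
            else                              print "setfacl -m " d "o::--- " dir
        }'
}
printf '%s\n' "$SAMPLE_ACL" | suggest_fix /srv/samba/home/rs-01
```

On a live server, feed `getfacl /srv/samba/home/<user>` into `suggest_fix` instead of the sample; Louis's tip of creating the user with a UID/GID first avoids the problem altogether, because the user then owns the folder and the owning group is not "Domain Users".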


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos A. P.
> Cunha
> Verzonden: dinsdag 12 juli 2016 14:05
> Aan: mathias dufresne; samba at lists.samba.org
> Onderwerp: Re: [Samba] Home Folder
> 
> Sorry hehehehe
> I mean, when I access RSAT, add the "Home Folder" of the user and click
> Apply, the folder is automatically created with the permissions below,
> where "Domain Users" is already linked:
> 
> getfacl rs-01/
> # file: rs-01/
> # owner: administrator
> # group: domain\040users
> user::rwx
> user:rs-01:rwx
> user:administrator:rwx
> group::r-x
> group:domain\040users:r-x
> group:BUILTIN\134administrators:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:rs-01:rwx
> default:user:administrator:rwx
> default:group::r-x
> default:group:domain\040users:r-x
> default:group:BUILTIN\134administrators:rwx
> default:mask::rwx
> default:other::---
> 
> 
> and something else as well "ACL entry to" --- "." ??
> 
> 
> Thanks!!!
> 
> 
> 
> 
> Em 12-07-2016 05:31, mathias dufresne escreveu:
> > Sorry I don't understand what you said.
> >
> > 2016-07-12 10:30 GMT+02:00 mathias dufresne <infractory at gmail.com
> > <mailto:infractory at gmail.com>>:
> >
> >     Sorry I don't understand what you said.
> >
> >     2016-07-11 18:41 GMT+02:00 Carlos A. P. Cunha
> >     <carlos.hollow at gmail.com <mailto:carlos.hollow at gmail.com>>:
> >
> >         Hello!
> >         But when I add the User the way "Home folder" the folder is
> >         automatically created it already comes with these permissions:
> >
> >
> >         getfacl rs-01/
> >         # file: rs-01/
> >         # owner: administrator
> >         # group: domain\040users
> >         user::rwx
> >         user:rs-01:rwx
> >         user:administrator:rwx
> >         group::r-x
> >         group:domain\040users:r-x
> >         group:BUILTIN\134administrators:rwx
> >         mask::rwx
> >         other::---
> >         default:user::rwx
> >         default:user:rs-01:rwx
> >         default:user:administrator:rwx
> >         default:group::r-x
> >         default:group:domain\040users:r-x
> >         default:group:BUILTIN\134administrators:rwx
> >         default:mask::rwx
> >         default:other::---
> >
> >
> >         and something else as well "ACL entry to" --- "." ??
> >
> >
> >         Thanks!!!
> >
> >
> >         Em 11-07-2016 09:59, mathias dufresne escreveu:
> >>         Hi Carlos,
> >>
> >>         Your problem is userA can access home directory of userB?
> >>
> >>         If your issue is only that, then you are right, this issue
> >>         comes from the fact all AD users are, by default, in "Domain
> >>         users" and your Home directories grant "Domain Users" "r-x"
> >>         which means "read and enter" when applied to directory.
> >>
> >>         Simply remove "Domain Users" from these ACLs or change the "Domain
> >>         Users" ACL entry to "---".
> >>
> >>         Cheers,
> >>
> >>         mathias
> >>
> >>         2016-07-10 0:31 GMT+02:00 Carlos A. P. Cunha
> >>         <carlos.hollow at gmail.com <mailto:carlos.hollow at gmail.com>>:
> >>
> >>             Hello! I am following the how to
> >>
> >>             https://wiki.samba.org/index.php/User_home_drives
> >>
> >>             But even though a process is described there so that user X does
> >>             not access the home of user Y, this is happening:
> >>
> >>             root at fileserver:/srv/samba# getfacl home/
> >>             # file: home/
> >>             # owner: root
> >>             # group: root
> >>             user::rwx
> >>             user:root:rwx
> >>             user:administrator:rwx
> >>             group::r-x
> >>             group:root:r-x
> >>             group:5007:r-x
> >>             group:domain\040admins:rwx
> >>             group:5024:rwx
> >>             mask::rwx
> >>             other::---
> >>             default:user::rwx
> >>             default:user:root:rwx
> >>             default:user:administrator:rwx
> >>             default:group::r-x
> >>             default:group:root:r-x
> >>             default:group:domain\040admins:rwx
> >>             default:group:5024:rwx
> >>             default:mask::rwx
> >>             default:other::---
> >>
> >>             ------------------
> >>
> >>             root at fileserver:/srv/samba/home# getfacl rs-01/
> >>             # file: rs-01/
> >>             # owner: administrator
> >>             # group: domain\040users
> >>             user::rwx
> >>             user:rs-01:rwx
> >>             user:administrator:rwx
> >>             group::r-x
> >>             group:domain\040users:r-x
> >>             group:BUILTIN\134administrators:rwx
> >>             group:domain\040admins:rwx
> >>             group:5024:rwx
> >>             mask::rwx
> >>             other::---
> >>             default:user::rwx
> >>             default:user:rs-01:rwx
> >>             default:user:administrator:rwx
> >>             default:group::r-x
> >>             default:group:domain\040users:r-x
> >>             default:group:BUILTIN\134administrators:rwx
> >>             default:group:domain\040admins:rwx
> >>             default:group:5024:rwx
> >>             default:mask::rwx
> >>             default:other::---
> >>
> >>
> >>             ----------------------
> >>
> >>             From what I think, the problem is with the permissions
> >>             of the group "Domain Users", but that is automatically
> >>             set, because it is the default group of users.
> >>
> >>
> >>             Any idea ?
> >>
> >>             Thank you
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> 