[Samba] Unable to set up home share correctly
Udo Willke
udo.willke at freenet.de
Thu Oct 13 08:33:20 UTC 2016
Hi everyone,
after some struggling I have finally set up a Samba AD DC and a file
server more or less successfully. Unfortunately I am failing at one of
the last steps: the configuration of the home share, where I can't set
the permissions correctly which, as a consequence, seems to prevent the
creation of the users' folders on the home share.
I am using the standard Samba packages on ubuntu 16.04 LTS
("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD
backend for id mapping of the domain users. My smb.conf of the member
server looks like this:
[global]
netbios name = FILESERVER
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
log level = 5
log file = /var/log/samba/%m.log
password server = 192.168.6.8
interfaces = lo br0
bind interfaces only = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 60
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 100000-4294967295
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /var/share/samba/homes/%U
[home]
path = /var/share/samba/homes
guest ok = no
read only = no
browseable = yes
[profiles]
path = /var/share/samba/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
guest ok = no
profile acls = yes
csc policy = disable
"interfaces" and "bind interfaces only = yes" are needed because the
server is dual-homed. By setting the tdb id range to 100000-4294967295,
I hoped to get the Windows system accounts mapped.
winbind seems to work OK. "getent passwd" and "getent group" show the AD
users with the uidNumber and gidNumber attributes set on the AD in the
right range. Example:
root at fileserver:/var/share/samba# id MYDOMAIN\\Administrator
uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins) groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain users),100000(BUILTIN\administrators),100001(BUILTIN\users)
After adding the [home] section to smb.conf I create the directory as
described in the Samba wiki:
root at fileserver:/var/share/samba# mkdir homes
root at fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
root at fileserver:/var/share/samba# chmod g=rwx homes/
root at fileserver:/var/share/samba# ls -ld homes/
drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Okt 12 16:05 homes/
Then I continue with the RSAT Tools (German Language Version) on Windows
7 where I log in as "MYDOMAIN\Administrator" and use the "Computer
Management" Console to configure the home share.
Here I face two problems on the "Security" tab:
1) When I add the Administrator user, the account is shown as "locked"
(red dot with cross) but I can set "Full Control"
2) When I add the Creator Owner (in my case, I have to look for
ERSTELLER-BESITZER) I can check "Full Control", but when I click "Apply"
all the check marks disappear
Additionally, extra users like "Everyone", "root" or "Creator Group" are
already listed in the dialogue box without me doing anything.
On the Linux side, the extended permissions of the
/var/share/samba/homes directory look like this:
root at fileserver:/var/share/samba# getfacl homes/
# file: homes/
# owner: MYDOMAIN\134administrator
# group: MYDOMAIN\134domain\040admins
user::rwx
user:MYDOMAIN\134administrator:rwx
group::rwx
group:MYDOMAIN\134domain\040admins:rwx
group:100004:r-x
group:100005:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\134administrator:rwx
default:group::---
default:group:MYDOMAIN\134domain\040admins:rwx
default:group:100004:r-x
default:group:100005:rwx
default:mask::rwx
default:other::---
I noticed GIDs 100004 and 100005 are not resolved, so I tried to find out why:
root at fileserver:/var/share/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
GID 100007 S-1-5-4
GID 100003 S-1-5-2
GROUP HWM 100008
With wbinfo --sid-to-fullname I find:
GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
S-1-3-0 is the well-known SID of the Creator Owner (thus known to the
server)
Finally, when I log into a Windows 7 workstation (previously joined to
the domain) with my test user account
root at fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users) groups=10001(MYDOMAIN\domain users),10010(MYDOMAIN\workgroup-1),100001(BUILTIN\users)
my home folder "kbudwi" is neither created nor mounted.
When I navigate manually to the home base folder by entering
"\\fileserver\home" into Windows Explorer, I get an empty folder.
When I try to create my home folder manually I get a message box saying
something like "home: You need permissions to continue the operation"
(loosely translated from German). I suspect the missing "Creator Owner"
rights block the folder creation.
Generally speaking, I am very unsure how to handle the id mapping for
the ad backend. The documentation (I found) does not specify whether I
have to set the Unix UIDs and GIDs on system accounts or on user
accounts only. Maybe I have messed it up at this level?
Any help would be highly appreciated as I am seriously running out of ideas.
Thanks and best regards
Udo
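An added check, not from the post above nor from Samba itself, that parses the idmap ranges from an smb.conf excerpt, the "net idmap dump" output and a getfacl listing (all constructed here from the shapes shown in the post) to report, for each unresolved numeric id in the ACL, which idmap domain owns it and which SID the tdb allocated it for. The well-known SID names for S-1-1-0, S-1-3-0, S-1-5-11 and S-1-5-18 are standard Windows values, not taken from the post.

```python
import re
# Constructed inputs modelled on the post's own output (not a live system).
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 100000-4294967295
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 10000-99999
"""
IDMAP_DUMP = """dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
"""
FACL = r"""# file: homes/
user::rwx
group:MYDOMAIN\134domain\040admins:rwx
group:100004:r-x
group:100005:rwx
"""
# Standard well-known SIDs (Windows-defined, not specific to this setup).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER",
              "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM"}

def parse_idmap_ranges(conf):
    """Map each 'idmap config <dom> : range' line to (low, high)."""
    pat = r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {d: (int(lo), int(hi)) for d, lo, hi in re.findall(pat, conf)}

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (winbind rejects overlaps)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (_, ahi)), (b, (blo, _)) in zip(items, items[1:]) if blo <= ahi]

def parse_idmap_dump(dump):
    """(kind, number) -> SID for the UID/GID lines of 'net idmap dump'; HWM lines are skipped."""
    return {(k, int(n)): s for k, n, s in re.findall(r"^(UID|GID) (\d+) (S-[\d-]+)$", dump, re.M)}

def unresolved_acl_ids(facl):
    """Numeric principals in getfacl output: ids winbind could not map back to a name."""
    return [("UID" if k == "user" else "GID", int(n))
            for k, n in re.findall(r"^(?:default:)?(user|group):(\d+):", facl, re.M)]

def explain_id(kind, number, ranges, dump_map):
    """Which idmap domain owns this id, and which SID (if any) the tdb allocated it for."""
    domain = next((d for d, (lo, hi) in ranges.items() if lo <= number <= hi), None)
    sid = dump_map.get((kind, number))
    return domain, sid, WELL_KNOWN.get(sid)
```

Running unresolved_acl_ids(FACL) through explain_id shows both unresolved GIDs fall in the "*" tdb range and correspond to Authenticated Users and SYSTEM, i.e. they are allocated well-known SIDs rather than AD accounts missing an rfc2307 gidNumber.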