[Samba] Unable to set up home share correctly

Rowland Penny rpenny at samba.org
Thu Oct 13 09:04:19 UTC 2016


On Thu, 13 Oct 2016 10:33:20 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> Hi everyone,
> 
> after some struggling I have finally set up a Samba AD DC and a file 
> server more or less successfully. Unfortunately I am failing at one
> of the last steps: the configuration of the home share, where I can't
> set the permissions correctly which, as a consequence, seems to
> prevent the creation of the users' folders on the home share
> 
> I am using the standard Samba packages on ubuntu 16.04 LTS 
> ("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD 
> backend for id mapping of the domain users. My smb.conf of the member 
> server looks like this:
> 
> [global]
>       netbios name = FILESERVER
>       security = ADS
>       workgroup = MYDOMAIN
>       realm = MYDOMAIN.LAN
> 
>       log level = 5
>       log file = /var/log/samba/%m.log
> 
>       password server = 192.168.6.8
> 
>       interfaces = lo br0
>       bind interfaces only = yes
> 
>       dedicated keytab file = /etc/krb5.keytab
>       kerberos method = secrets and keytab
> 
>       winbind nss info = rfc2307
>       winbind trusted domains only = no
>       winbind use default domain = no
>       winbind enum users  = yes
>       winbind enum groups = yes
>       winbind refresh tickets = Yes
>       winbind cache time = 60
> 
>       ;; Default idmap config used for BUILTIN and local accounts/groups
>       idmap config * : backend = tdb
>       idmap config * : range = 100000-4294967295
> 
>       ;; idmap config for domain MYDOMAIN
>       idmap config MYDOMAIN : backend = ad
>       idmap config MYDOMAIN : schema_mode = rfc2307
>       idmap config MYDOMAIN : range = 10000-99999
> 
>       vfs objects = acl_xattr
>       map acl inherit = yes
>       store dos attributes = yes
> 
>       load printers = no
>       printing = bsd
>       printcap name = /dev/null
>       disable spoolss = yes
> 
>       template homedir = /var/share/samba/homes/%U
> 
> [home]
>       path = /var/share/samba/homes
>       guest ok = no
>       read only = no
>       browseable = yes
> 
> 
> [profiles]
>       path = /var/share/samba/profiles
>       read only = no
>       store dos attributes = yes
>       create mask = 0600
>       directory mask = 0700
>       guest ok = no
>       profile acls = yes
>       csc policy = disable
> 
> "interfaces" and "bind interfaces only = yes" is needed because the 
> server is dual-homed. By setting the tdb id range to
> 100000-4294967295, I hoped to get the Windows system accounts mapped.
> 
> winbind seems to work ok. "getent passwd" and "getent group" show the
> AD users with the uidNumber and gidNumber attributes set on the AD in
> the right range. Example
> 
> root at fileserver:/var/share/samba# id MYDOMAIN\\Administrator
> uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins) 
> groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise 
> admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain 
> users),100000(BUILTIN\administrators),100001(BUILTIN\users)
> 
> After adding the [home] section to smb.conf  I create the directory
> as described in the Samba wiki
> 
> root at fileserver:/var/share/samba# mkdir homes
> root at fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
> root at fileserver:/var/share/samba# chmod g=rwx homes/
> root at fileserver:/var/share/samba# ls -ld homes/
> drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Okt 12 16:05 homes/
> 
> Then I continue with the RSAT Tools (German Language Version) on
> Windows 7 where I log in as "MYDOMAIN\Administrator" and use the
> "Computer Management" Console to configure the home share.
> 
> 
> Here I face two problems on the "Security" tab:
> 
> 1) When I add the Administrator user, the account is shown as
> "locked" (red dot with cross) but I can set "Full Control"
> 
> 2) When I add the Creator Owner (in my case, I have to look for 
> ERSTELLER-BESITZER) I can check "Full Control", but when I click
> "Apply" all the check marks disappear
> 
> Additionally, extra users like "Everyone", "root" or "Creator Group"
> are already listed in the dialogue box without me doing anything.
> 
> 
> On the Linux side, the extended permissions of the 
> /var/share/samba/homes directory look like this
> 
> root at fileserver:/var/share/samba# getfacl homes/
> # file: homes/
> # owner: MYDOMAIN\134administrator
> # group: MYDOMAIN\134domain\040admins
> user::rwx
> user:MYDOMAIN\134administrator:rwx
> group::rwx
> group:MYDOMAIN\134domain\040admins:rwx
> group:100004:r-x
> group:100005:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:MYDOMAIN\134administrator:rwx
> default:group::---
> default:group:MYDOMAIN\134domain\040admins:rwx
> default:group:100004:r-x
> default:group:100005:rwx
> default:mask::rwx
> default:other::---
> 
> I noticed GIDs 100004 and 100005 are not resolved so I tried to find
> out why
> 
> root at fileserver:/var/share/samba# net idmap dump
> dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
> GID 100004 S-1-5-11
> GID 100005 S-1-5-18
> GID 100006 S-1-3-0
> USER HWM 100000
> GID 100002 S-1-1-0
> GID 100007 S-1-5-4
> GID 100003 S-1-5-2
> GROUP HWM 100008
> 
> With wbinfo --sid-to-fullname I find
> 
> GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
> 
> GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
> 
> S-1-3-0 is the well-known SID of the Creator Owner (thus known to the 
> server)
> 
> Finally, when I log into a Windows 7 workstation (previously joined
> to the domain) with my test user account
> 
> root at fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
> uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users) 
> groups=10001(MYDOMAIN\domain 
> users),10010(MYDOMAIN\workgroup-1),100001(BUILTIN\users)
> 
> my home folder "kbudwi" is neither created nor mounted.
> 
> When I navigate manually to the home base folder by entering 
> "\\fileserver\home" into Windows Explorer, I get an empty folder.
> 
> When I try to create my home folder manually I get a message box
> saying something like "home: You need permissions to continue the
> operation" (loosely translated from German). I suspect, the missing
> "Creator Owner" rights block the folder creation.
> 
> Generally speaking, I am very unsure how to handle the id mapping for 
> the ad backend. The documentation (I found) does not specify, whether
> I have to set the Unix UIDs and GIDs on system accounts or on user 
> accounts only. Maybe I have messed it up at this level?
> 
> Any help would be highly appreciated as I am seriously running out of
> ideas
> 
> Thanks and best regards
> 
> Udo
> 

Do you really need '4294867295' spaces for the '*' range, I only have
'7999' and feel that is an overkill, see here for more info:

https://support.microsoft.com/en-us/kb/243330

As for your users home dir not getting created, try running this on the
fileserver:

echo "session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account

Add this line to smb.conf:

username map = /etc/samba/user.map

And create the /etc/samba/user.map with this content:

!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator
administrator

That will map the windows administrator to the Unix root user

To make windows users visible to the domain member whilst using the
winbind 'ad' backend, you must give each user a unique uidNumber
attribute inside the range you set for the domain (MYDOMAIN) in
smb.conf, you MUST also give Domain Users a gidNumber attribute inside
the range.

Rowland
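As an added check (not part of the thread, and not a Samba tool), here is a POSIX shell script that applies Rowland's rules to a `getent` dump: every domain user needs a uidNumber and primary gidNumber inside the MYDOMAIN idmap range, Domain Users needs a gidNumber inside that range, and the `*` range must not overlap it. The smb.conf fragment, passwd and group lines are constructed samples modelled on the thread; the user "nouid" is a deliberate mistake.

```shell
#!/bin/sh
# Added check script (not from the thread): verifies the idmap rules from the reply
# against constructed sample data that mirrors the setup discussed above.

# Constructed smb.conf fragment with the two ranges from the thread.
SMB_CONF='idmap config * : range = 100000-4294967295
idmap config MYDOMAIN : range = 10000-99999'

# Constructed `getent passwd` / `getent group` samples; "nouid" has a
# uidNumber outside the MYDOMAIN range on purpose.
PASSWD='MYDOMAIN\administrator:*:10000:10000::/var/share/samba/homes/administrator:/bin/false
MYDOMAIN\kbudwi:*:10002:10001::/var/share/samba/homes/kbudwi:/bin/false
MYDOMAIN\nouid:*:150000:10001::/var/share/samba/homes/nouid:/bin/false'
GROUP='MYDOMAIN\domain users:x:10001:
MYDOMAIN\workgroup-1:x:10010:'

# range_of <smb.conf text> <domain or *>  -> prints "low high"
range_of() {
    printf '%s\n' "$1" | awk -v key="idmap config $2 : range" -F'=' '
        { sub(/^[ \t]+/, "") }
        index($0, key) == 1 { gsub(/[ \t]/, "", $2); sub(/-/, " ", $2); print $2 }'
}

# in_range <id> <low> <high> -> true when low <= id <= high
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# ranges_overlap <low1> <high1> <low2> <high2> -> true when the ranges intersect
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# check_domain_ids <passwd text> <group text> <low> <high>
# Prints one line per problem and returns the problem count (0 = all good).
check_domain_ids() {
    bad=0
    while IFS=: read -r name _ uid gid _; do
        in_range "$uid" "$3" "$4" || { printf 'uid %s of %s outside %s-%s\n' "$uid" "$name" "$3" "$4"; bad=$((bad + 1)); }
        in_range "$gid" "$3" "$4" || { printf 'primary gid %s of %s outside %s-%s\n' "$gid" "$name" "$3" "$4"; bad=$((bad + 1)); }
    done <<EOF
$1
EOF
    # Domain Users must carry a gidNumber inside the range, or winbind lists nobody.
    dugid=$(printf '%s\n' "$2" | awk -F: 'tolower($1) ~ /domain users$/ { print $3 }')
    if [ -z "$dugid" ]; then
        printf 'Domain Users has no gidNumber\n'; bad=$((bad + 1))
    elif ! in_range "$dugid" "$3" "$4"; then
        printf 'Domain Users gid %s outside %s-%s\n' "$dugid" "$3" "$4"; bad=$((bad + 1))
    fi
    return "$bad"
}

set -- $(range_of "$SMB_CONF" MYDOMAIN)
check_domain_ids "$PASSWD" "$GROUP" "$1" "$2" || printf '%s problem(s) found\n' "$?"
```

On a real member server, feed it the output of `getent passwd` and `getent group` filtered to the domain prefix instead of the constructed strings.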
