[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Thu Oct 13 15:56:50 UTC 2016


Hello Rowland,

On 13.10.2016 at 16:53, Rowland Penny via samba wrote:
> On Thu, 13 Oct 2016 16:22:47 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
> No, it should show your domain name.
Hmm, the "NIS Domain" setting is a drop-down menu. When I choose 
mydomain (in lower case this time) a UID Number is automatically 
assigned, when I choose <none> the fields are greyed out. So "no 
uidNumber" and "should show your domain name" don't work at the same 
time. Or should I choose mydomain and delete the remaining field entries?
>
>> Checking the getent commands:
>>
>> root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
>> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
>> MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
>> MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
>>
>> root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
>> MYDOMAIN\domain admins:x:10000:
>> MYDOMAIN\domain users:x:10001:
>> MYDOMAIN\workgroup-1:x:10010:
>>
>> Does this look good?
> Yes
>
>> Should I recreate the /var/share/samba/homes directory? The owner
>> with UID 10000 is not known to Linux now:
> Probably easiest, as long as the old dirs don't contain anything you
> need.
Yes, I already did this. Now the Administrator account is not shown as
locked (!) in ADUC, but I am still not able to assign rights to the
"Creator Owner". HOWEVER: In the Advanced View the check marks are there
(!) together with the restriction "Files and Subfolders only". But still
the unwanted accounts "Everyone", "root" and "Creator Group" are listed
on the Security tab?!? And still no home folders ....
>
>> root@fileserver:~# getfacl /var/share/samba/homes/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/share/samba/homes/
>> # owner: 10000
>> # group: MYDOMAIN\134domain\040admins
>>
>> ....
>>
>> Apart from that: Still no home folders, even not able to create them
>> manually. All the initial symptoms persist :-(
>>
> Altering the PAM config should create the home dirs as the users
> connect, but why are you putting them in /var ??
> What is wrong with /home/DOMAIN/%U
Nothing at all. I read somewhere that this was a "recommendation" for
user shares on Linux. So I mounted my xattr-enabled partition underneath
/var/share, but maybe that's wrong? However, I would prefer not to change
this right now.

This is /etc/pam.d/common-account - just for verification:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
#
# Modification for Samba
#
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022


Entries are TAB-separated. I also checked the syslog for PAM errors, with
no result. pam_mkhomedir.so is installed.

root@fileserver:/var/log# locate  pam_mkhomedir.so
/lib/x86_64-linux-gnu/security/pam_mkhomedir.so

I am looking forward to continuing the search for the problem tomorrow.

Thanks and best regards

Udo



>
> Rowland
>   
>
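
An added example, not part of the original message and not Samba project code: a shell function that takes `getent passwd` output like the lines quoted in this message and reports, per account, whether the home directory exists and whether its numeric owner matches the account's UID, which are the two conditions discussed in the thread. The function name `audit_homes` and the status labels are assumptions of this example; it expects one account per line, without the mail-wrapped line breaks.

```shell
#!/bin/sh
# Added example. Reads passwd-format lines (the output of `getent passwd`)
# on stdin and checks each account's home directory.
# The status words MISSING / OWNER / OK are this example's own labels.

audit_homes() {
    rc=0
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        [ -n "$name" ] || continue
        # Collapse doubled slashes such as /var/share/samba//homes/kbmamu.
        home=$(printf '%s' "$home" | tr -s '/')
        if [ ! -d "$home" ]; then
            printf 'MISSING %s uid=%s home=%s\n' "$name" "$uid" "$home"
            rc=1
            continue
        fi
        # Numeric owner from `ls -dn`; `ls -ld` prints a name when one exists,
        # so identical third fields mean the UID maps to no account
        # (the "# owner: 10000" situation in the getfacl output).
        owner=$(ls -dn -- "$home" | awk '{print $3}')
        shown=$(ls -ld -- "$home" | awk '{print $3}')
        note=''
        [ "$owner" = "$shown" ] && note=' (owner UID has no account name)'
        if [ "$owner" != "$uid" ]; then
            printf 'OWNER   %s uid=%s home=%s owned_by=%s%s\n' \
                "$name" "$uid" "$home" "$owner" "$note"
            rc=1
        else
            printf 'OK      %s uid=%s home=%s\n' "$name" "$uid" "$home"
        fi
    done
    # Non-zero when at least one home is missing or owned by another UID.
    return "$rc"
}

# Typical use on the file server (domain prefix as on this page):
#   getent passwd | grep '^MYDOMAIN' | audit_homes
```
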



