[Samba] Unable to set up home share correctly
rpenny at samba.org
Thu Oct 13 16:25:21 UTC 2016
On Thu, 13 Oct 2016 17:56:50 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:
> Hello Rowland,
> Am 13.10.2016 um 16:53 schrieb Rowland Penny via samba:
> > On Thu, 13 Oct 2016 16:22:47 +0200
> > Udo Willke via samba <samba at lists.samba.org> wrote:
> >> Hello Rowland,
> >> I have removed the rfc2307-IDs now. I guess going to the "Unix
> >> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
> >> sufficient?
> > No, it should show your domain name.
> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
> mydomain (in lower case this time) a UID Number is automatically
> assigned, when I choose <none> the fields are greyed out. So "no
> uidNumber" and "should show your domain name" don't work at the same
> time. Or should I choose mydomain and delete the remaining field
> >> Checking the getent commands:
> >> root at fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
> >> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
> >> MYDOMAIN\kbmamu:*:10004:10001:Max
> >> Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
> >> MYDOMAIN\kbudwi:*:10002:10001:Udo
> >> Willke:/var/share/samba/homes/kbudwi:/bin/sh
> >> root at fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
> >> MYDOMAIN\domain admins:x:10000:
> >> MYDOMAIN\domain users:x:10001:
> >> MYDOMAIN\workgroup-1:x:10010:
> >> Does this look good?
> > Yes
> >> Should I recreate the /var/share/samba/homes directory? The owner
> >> with UID 10000 is not known to Linux now:
> > Probably easiest, as long as the old dirs don't contain anything you
> > need.
> Yes, already made this. Now Administrator account is not shown as
> locked (!) in ADUC but still not able to assign rights to the
> "Creator Owner". HOWEVER: In the Advanced View the check marks are
> there (!) together with the restriction "Files and Subfolders only".
> But, still the unwanted accounts "Everyone", "root" and "Creator
> Group" are listed on the Security tab?!? And still no home
> folders ....
> >> root at fileserver:~# getfacl /var/share/samba/homes/
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: var/share/samba/homes/
> >> # owner: 10000
> >> # group: MYDOMAIN\134domain\040admins
> >> ....
> >> Apart from that: Still no home folders, even not able to create
> >> them manually. All the initial symptoms persist :-(
> > Altering the PAM config should create the home dirs as the users
> > connect, but why are you putting them in /var ??
> > What is wrong with /home/DOMAIN/%U
> Nothing at all. I somewhere read that this was a "recommendation" for
> user shares on Linux. So I mounted my xattr-enabled partition
> underneath /var/share, but maybe that's wrong? However, would prefer
> not changing this right now.
> This is /etc/pam.d/common-account - just for verification:
> # /etc/pam.d/common-account - authorization settings common to all
> services #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authorization modules that define
> # the central access policy for use on the system. The default is to
> # only deny service to users whose accounts are expired
> in /etc/shadow. #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by
> default. # To take advantage of this, it is recommended that you
> configure any # local modules either before or after the default
> block, and use # pam-auth-update to manage selection of other
> modules. See # pam-auth-update(8) for details.
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 new_authtok_reqd=done default=ignore]
> pam_winbind.so # here's the fallback if no module succeeds
> account requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one
> already; # this avoids us returning an error just because nothing
> sets a success code # since the modules above will each just jump
> around account required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> account required pam_krb5.so minimum_uid=1000
> # end of pam-auth-update config
> # Modification for Samba
> session required pam_mkhomedir.so skel=/etc/skel/
> Entries are TAB-separated. Also checked the syslog for PAM errors
> with no result. pam_mkhomedir.so is installed.
> root at fileserver:/var/log# locate pam_mkhomedir.so
> Would be looking forward to continue finding the problem tomorrow.
> Thanks and best regards
> > Rowland
It sounds like you don't have IDMU installed, not sure if you can
install it on 2012.
More information about the samba