[Samba] Creating home folders on file server automatically
Rowland Penny
rpenny at samba.org
Tue Jun 13 09:34:10 UTC 2017
On Tue, 13 Jun 2017 10:33:43 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:
> Hello Rowland,
>
> Am 12.06.2017 um 19:32 schrieb Rowland Penny via samba:
> > On Mon, 12 Jun 2017 10:04:56 -0700
> > Luke Barone via samba <samba at lists.samba.org> wrote:
> >
> >> Hi list,
> >>
> >> We have a script we are using to create new users, and drop them
> >> into the proper OUs on our Samba AD server, using samba-tool. We
> >> have a Samba member file server (fs1) joined to the domain for
> >> hosting our file shares. On there is also where we are putting the
> >> users' home folders.
> >>
> >> I saw in the Samba Docs, and in the mailing list, that I can use
> >> `--home-directory=\\server\directory\$username`. I have that added,
> >> pointing to the file server's location. The issue is, the folder
> >> does not get created, even when the user logs in.
> >>
> >> The only way it seems to create the folder is if I go into ADUC on
> >> my Admin computer, go into the user's properties, and change the
> >> text for the Home Folder to something, then change it back, and
> >> hit OK. The correct text shows up initially, but it is not getting
> >> created on the member server automatically.
> >>
> >> Is there a known way to get past this limitation? We add thousands
> >> of users each year (school setting).
> > You are only doing half the job ;-)
> >
> > Add:
> >
> > session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >
> > to /etc/pam.d/common-session on the Unix domain member
> >
> > NOTE: this is on Debian, I believe there is something similar on
> > Red Hat
> >
> > Rowland
> >
> you suggested this solution to me a while ago. It definitely works,
> and creates a home folder for the user (at least on Ubuntu). However
> I noticed that the permissions of a folder created by the PAM module
> are different from the permissions of a folder created by the RSAT
> Tool.
>
> I really can't say if this is a relevant issue when the home folder
> is only used to serve files and the user is not supposed to log into
> that server.
>
> In the meantime I use "root preexec" in smb.conf and the following
> script. It creates the folder and mimics the permissions as created
> by the RSAT Tool.
>
> #!/bin/bash
> #
> # Create Home Folder and mimic ACLs as created by RSAT Tools
> #
> # use in smb.conf:
> #
> # [home]
> #
> # root preexec = path_to/make_home_folder.sh '%D' '%U' '%G' '%H'
> #
> # ;; %D = Domain or Workgroup of user ($1) --> "SAMDOM"
> # ;; %U = Username ($2) --> "kbudwi"
> # ;; %G = Groupname ($3) --> "SAMDOM\domain users"
> # ;; %H = Home Directory of User ($4) --> "/home/kbudwi"
> #
> #
>
> if [[ $# -ne 4 ]]; then
>     echo "Usage: $0 <Domain or Workgroup> <Username> <Groupname> <Home Folder>"
>     logger "$0: SCRIPT FAILED ARGC=$# ARGV=|$1|$2|$3|$4|"
>     exit 1
> fi
>
> SN="$(basename "$0"): root preexec"
>
> logger "$SN: Create Samba Home Folder $4: Domain=$1 User=$2 Group=$3"
>
> if [[ -d "$4" ]]; then
>
>     logger "$SN: Folder $4 exists"
>     exit 0
>
> else
>
>     # BUILTIN\administrators == S-1-5-32-544
>     #
>     BUILTIN_ADMINS_GID=$(wbinfo --sid-to-gid S-1-5-32-544)
>     DOMAIN_ADMINS_GID=$(wbinfo --group-info="$1"\\"Domain Admins" | cut -d: -f3)
>
>     # Unix uid of the user and gid of the user's primary group (field 3 of
>     # the passwd/group style line that wbinfo prints)
>     BID=$(wbinfo --user-info="$1"\\"$2" | cut -d: -f3)
>     GID=$(wbinfo --group-info="$3" | cut -d: -f3)
>
>     # If winbind could not resolve an ID the variable is empty and the
>     # chown/setfacl calls below would set wrong entries, so bail out
>     if [[ -z "$BID" || -z "$GID" || -z "$DOMAIN_ADMINS_GID" || -z "$BUILTIN_ADMINS_GID" ]]; then
>         logger "$SN: could not resolve IDs via wbinfo (UID=$BID GID=$GID)"
>         exit 1
>     fi
>
>     logger "$SN: Creating folder $4 with UID=$BID and GID=$GID"
>
>     mkdir -p "$4"
>     chown "$BID" "$4"
>     chgrp "$GID" "$4"
>     chmod 0770 "$4"
>
>     logger "$SN: Base directory created: $(ls -ld "$4")"
>
>     # Extended User Attributes
>     setfacl -m u:"$BID":rwx "$4"
>
>     # Extended Group Attributes: primary group gets nothing, admins full control
>     setfacl -m g:"$GID":--- "$4"
>     setfacl -m g:"$DOMAIN_ADMINS_GID":rwx "$4"
>     setfacl -m g:"$BUILTIN_ADMINS_GID":rwx "$4"
>
>     # Extended Default Users Attributes (inherited by new files and folders)
>     setfacl -dm u:"$BID":rwx "$4"
>
>     # Extended Default Group Attributes
>     setfacl -dm g:"$GID":--- "$4"
>     setfacl -dm g:"$DOMAIN_ADMINS_GID":rwx "$4"
>     setfacl -dm g:"$BUILTIN_ADMINS_GID":rwx "$4"
>
>     logger "$SN: setfacl commands executed"
>
>     logger "$SN: Folder $4 created"
>     ## getfacl "$4"
> fi
>
>
> Please comment, if you disagree with my solution.
>
The only problem I can see with that is, you are giving *_ADMINS full
control of any user's home directory, I think this may be illegal in
some countries.

Thinking about privacy, perhaps the PAM line should be:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

This way only the user gets any permissions on the share.

Rowland
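The script below is an added example for this thread; it is not Udo's script, Rowland's PAM line, or anything shipped by Samba. It is a `root preexec` home-folder creator that follows the privacy point to its conclusion: the folder is created with mode 0700 under `umask 077`, so only the user ever has access and no `setfacl` lines are needed, and it adds two checks the posted script lacks. It refuses any `%H` that is not a direct child of a configured home root (so a mistyped `template homedir` or an unexpected value cannot make a root-run script create directories elsewhere), and it refuses to run `chown` when `wbinfo` returned an empty ID (a failing `wbinfo` piped into `cut` still exits 0). Assumptions: the same four `%D %U %G %H` arguments as the posted script, a `[homes]` share, a home root of `/home` (`HOME_ROOT`, overridable), a skeleton directory like `pam_mkhomedir` uses, and the hypothetical wrapper functions `resolve_uid`/`resolve_gid` around `wbinfo`, whose output has the Unix ID in field 3.

```shell
#!/bin/sh
# make_home_folder.sh: added example, not the script from the thread.
# Creates a Samba user's home folder with owner-only permissions (0700),
# refusing paths outside HOME_ROOT and unresolvable IDs.
#
# Assumed smb.conf usage (same substitutions as the posted script):
#   [homes]
#   root preexec = /usr/local/sbin/make_home_folder.sh '%D' '%U' '%G' '%H'
set -u

HOME_ROOT="${HOME_ROOT:-/home}"   # assumption: every home is a direct child of this
SKEL="${SKEL:-/etc/skel}"         # copied into the new folder, as pam_mkhomedir does
TAG="make_home_folder"

log() { logger -t "$TAG" "$*" 2>/dev/null || printf '%s: %s\n' "$TAG" "$*" >&2; }

# ID lookups via winbind. wbinfo prints passwd/group style lines; field 3 is
# the Unix id. Plain functions so a test (or another backend) can replace them.
resolve_uid() { wbinfo --user-info="$1\\$2" | cut -d: -f3; }
resolve_gid() { wbinfo --group-info="$1" | cut -d: -f3; }

# Accept only "$HOME_ROOT/<one path component>" with no "." or ".." pieces.
safe_home_path() {
  case "$1" in
    "$HOME_ROOT"/*/*|*/.|*/..|*/./*|*/../*|"$HOME_ROOT"/) return 1 ;;
    "$HOME_ROOT"/?*) return 0 ;;
  esac
  return 1
}

# make_home_folder DOMAIN USER GROUP HOME
# Returns 0 on success or if HOME already exists, 2 for an unsafe path,
# 3 for unresolvable IDs, 4/5 when mkdir/chown fail.
make_home_folder() {
  local domain="$1" user="$2" group="$3" home="$4" uid gid id
  if ! safe_home_path "$home"; then
    log "refusing $home: not a direct child of $HOME_ROOT"
    return 2
  fi
  if [ -d "$home" ]; then
    log "$home already exists, nothing to do"
    return 0
  fi
  uid=$(resolve_uid "$domain" "$user")
  gid=$(resolve_gid "$group")
  # A failed wbinfo leaves the field empty; never chown/mkdir with a blank id.
  for id in "$uid" "$gid"; do
    case "$id" in
      ""|*[!0-9]*) log "could not resolve ids for $domain\\$user / $group"; return 3 ;;
    esac
  done
  # Owner-only from the first instant: with umask 077 there is no window in
  # which the folder or the skel copies are group- or world-readable.
  umask 077
  mkdir "$home" || { log "mkdir $home failed"; return 4; }
  if [ -d "$SKEL" ]; then
    cp -R "$SKEL/." "$home/" || log "warning: skel copy from $SKEL incomplete"
  fi
  chown -R "$uid:$gid" "$home" || { log "chown $uid:$gid $home failed"; return 5; }
  chmod 0700 "$home"
  log "created $home for $domain\\$user uid=$uid gid=$gid mode=0700"
  return 0
}

# Run only when Samba hands over the four arguments; sourcing the file (as a
# test does) merely defines the functions.
if [ "$#" -eq 4 ]; then
  make_home_folder "$@"
  exit $?
fi
```

The arguments are passed to `wbinfo` as single argv entries, never through `eval` or an unquoted expansion, so a group name with spaces such as `SAMDOM\domain users` needs no escaping. If administrators must keep access for support reasons, that is a policy decision to document, not a default: add the explicit `setfacl` lines from the posted script back deliberately rather than inheriting full control silently.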