[Samba] Creating home folders on file server automatically

Rowland Penny rpenny at samba.org
Tue Jun 13 09:34:10 UTC 2017


On Tue, 13 Jun 2017 10:33:43 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
> 
> Am 12.06.2017 um 19:32 schrieb Rowland Penny via samba:
> > On Mon, 12 Jun 2017 10:04:56 -0700
> > Luke Barone via samba <samba at lists.samba.org> wrote:
> >
> >> Hi list,
> >>
> >> We have a script we are using to create new users, and drop them
> >> into the proper OUs on our Samba AD server, using samba-tool. We
> >> have a Samba member file server (fs1) joined to the domain for
> >> hosting our file shares. On there is also where we are putting the
> >> users' home folders.
> >>
> >> I saw in the Samba Docs, and in the mailing list, that I can use
> >> `--home-directory=\\server\directory\$username`. I have that added,
> >> pointing to the file server's location. The issue is, the folder
> >> does not get created, even when the user logs in.
> >>
> >> The only way it seems to create the folder is if I go into ADUC on
> >> my Admin computer, go into the user's properties, and change the
> >> text for the Home Folder to something, then change it back, and
> >> hit OK. The correct text shows up initially, but it is not getting
> >> created on the member server automatically.
> >>
> >> Is there a known way to get past this limitation? We add thousands
> >> of users each year (school setting).
> > You are only doing half the job ;-)
> >
> > Add:
> >
> > session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >
> > to /etc/pam.d/common-session on the Unix domain member
> >
> > NOTE: this on Debian, I believe there is something similar on
> > red-hat
> >
> > Rowland
> >
> you suggested this solution to me a while ago. It definitely works,
> and creates a home folder for the user (at least on Ubuntu). However
> I noticed that the permissions of a folder created by the PAM module
> are different from the permissions of a folder created by the RSAT
> Tool.
> 
> I really can't say if this is a relevant issue when the home folder
> is only used to serve files and the user is not supposed to log into
> that server.
> 
> In the meantime I use "root preexec" in smb.conf and the following 
> script. It creates the folder and mimics the permissions as created
> by the RSAT Tool.
> 
> #!/bin/bash
> #
> # Create Home Folder and mimic ACLs as created by RSAT Tools
> #
> # use in smb.conf:
> #
> # [home]
> #
> # root preexec = path_to/make_home_folder.sh '%D' '%U' '%G' '%H'
> #
> # ;; %D = Domain or Workgroup of user ($1) --> "SAMDOM"
> # ;; %U = Username                    ($2) --> "kbudwi"
> # ;; %G = Groupname                   ($3) --> "SAMDOM\domain users"
> # ;; %H = Home Directory of User      ($4) --> "/home/kbudwi"
> #
> #
> 
> if [[ $# -ne 4 ]]; then
>    echo "Usage: $0 <Domain or Workgroup> <Username> <Groupname> <Home Folder>"
>    logger "$0: SCRIPT FAILED ARGC=$# ARGV=|$1|$2|$3|$4|"
>    exit 1
> fi
> 
> SN="$(basename "$0"): root preexec"
> 
> logger "$SN: Create Samba Home Folder $4: Domain=$1 User=$2 Group=$3"
> 
> if [[ -d "$4" ]]; then
>    logger "$SN: Folder $4 exists"
>    exit 0
> fi
> 
> # Resolve the Unix IDs winbind has mapped for the user, the user's
> # primary group and the two admin groups that get an ACL entry.
> # BUILTIN\Administrators is the well-known SID S-1-5-32-544.
> BUILTIN_ADMINS_GID=$(wbinfo --sid-to-gid S-1-5-32-544)
> DOMAIN_ADMINS_GID=$(wbinfo --group-info="$1\\Domain Admins" | cut -d: -f3)
> 
> BID=$(wbinfo --user-info="$1\\$2" | cut -d: -f3)
> GID=$(wbinfo --group-info="$3" | cut -d: -f3)
> 
> logger "$SN: Creating folder $4 with UID=$BID and GID=$GID"
> 
> mkdir -p "$4"
> chown "$BID:$GID" "$4"
> chmod 0770 "$4"
> 
> logger "$SN: Base directory created: $(ls -ld "$4")"
> 
> # Access ACL: user rwx, the user's primary group nothing, both admin
> # groups full control
> setfacl -m "u:$BID:rwx" "$4"
> setfacl -m "g:$GID:---" "$4"
> setfacl -m "g:$DOMAIN_ADMINS_GID:rwx" "$4"
> setfacl -m "g:$BUILTIN_ADMINS_GID:rwx" "$4"
> 
> # Default ACL: the same entries, inherited by files and folders the
> # user creates below the home folder
> setfacl -dm "u:$BID:rwx" "$4"
> setfacl -dm "g:$GID:---" "$4"
> setfacl -dm "g:$DOMAIN_ADMINS_GID:rwx" "$4"
> setfacl -dm "g:$BUILTIN_ADMINS_GID:rwx" "$4"
> 
> logger "$SN: setfacl commands executed"
> 
> logger "$SN: Folder $4 created"
> ## getfacl "$4"
> 
> 
> Please comment, if you disagree with my solution.
> 

The only problem I can see with that is, you are giving *_ADMINS full
control of any user's home directory. I think this may be illegal in
some countries.

Thinking about privacy, perhaps the PAM line should be:

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0077

This way only the user gets any permissions on the share.

Rowland
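The following is an added example, not a script from this thread or from the Samba project. It takes the root preexec approach above and applies Rowland's privacy point: the folder is created with mode 0700, which is what pam_mkhomedir umask=0077 would produce, and no admin group gets an ACL entry. Because root preexec runs as root with whatever Samba substitutes for %U and %H, it also refuses to act unless the username matches a simple policy and the home path is exactly one component under a base directory. The smb.conf path, the HOME_BASE default of /home and the username character set are assumptions; adjust them to your naming policy (sAMAccountNames can contain characters this policy rejects).

```shell
#!/bin/sh
# make_home_folder_private.sh (added example, not the script from the
# thread): a root preexec helper that creates the home folder with
# owner-only permissions, the equivalent of pam_mkhomedir umask=0077,
# and validates its arguments before doing anything as root.
#
# Assumed smb.conf usage (hypothetical path):
#   [homes]
#   root preexec = /usr/local/sbin/make_home_folder_private.sh '%D' '%U' '%G' '%H'

# Assumption: home folders live directly under HOME_BASE
HOME_BASE="${HOME_BASE:-/home}"

log() {
    logger -t make_home_folder_private "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

# Username policy (assumption): letters, digits, dot, underscore, dash,
# no leading dot. Tighten or relax to match your sAMAccountName policy.
valid_username() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Accept only "$base/<one component>": no traversal, no nested paths,
# no "." or "..", so a bad %H can never point the chown at /etc.
home_path_ok() {
    home="$1"; base="$2"
    case "$home" in
        "$base"/*) ;;
        *) return 1 ;;
    esac
    rel="${home#"$base/"}"
    case "$rel" in
        ""|.|..|*/*) return 1 ;;
    esac
    return 0
}

# A winbind answer is only usable if it is a plain non-empty number
is_uint() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Create the folder with mode 0700 (owner only) and hand it to the user.
# An existing folder is left untouched: never re-chmod a user's data.
create_private_home() {
    home="$1"; uid="$2"; gid="$3"
    if [ -d "$home" ]; then
        return 0
    fi
    mkdir -m 0700 "$home" || return 1
    chown "$uid:$gid" "$home" || return 1
    return 0
}

main() {
    if [ $# -ne 4 ]; then
        log "usage: $0 <domain> <username> <groupname> <home folder>"
        return 1
    fi
    domain="$1"; user="$2"; group="$3"; home="$4"
    valid_username "$user" || { log "rejected username '$user'"; return 1; }
    home_path_ok "$home" "$HOME_BASE" || { log "rejected home path '$home'"; return 1; }
    # winbind resolves the IDs; refuse to continue on an empty or odd answer
    uid=$(wbinfo --user-info="$domain\\$user" | cut -d: -f3)
    gid=$(wbinfo --group-info="$group" | cut -d: -f3)
    if ! is_uint "$uid" || ! is_uint "$gid"; then
        log "winbind lookup failed for $domain\\$user / $group (uid='$uid' gid='$gid')"
        return 1
    fi
    create_private_home "$home" "$uid" "$gid" || { log "could not create $home"; return 1; }
    log "created $home owner=$uid group=$gid mode=0700"
    return 0
}

# Samba calls this with four arguments; with none (e.g. when sourced for
# testing) nothing is executed.
[ $# -eq 0 ] || main "$@"
```

If admins do need a way in, give it to them through a separate, audited mechanism (sudo on the file server, or a dedicated share) rather than baking Domain Admins rwx into every home folder's ACL; the validation functions above are independent of that choice and can be dropped into the RSAT-mimicking script as well.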