[Samba] Creating home folders on file server automatically
Rowland Penny
rpenny at samba.org
Tue Jun 13 10:24:11 UTC 2017
On Tue, 13 Jun 2017 10:34:10 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> The only problem I can see with that is, you are giving *_ADMINS full
> control of any users home directory, I think this may be illegal in
> some countries.
>
> Thinking about privacy, perhaps the PAM line should be:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>
> This way only the user gets any permissions on the share.
>
> Rowland
>
>
I have been thinking about this a bit more and the problem seems to be
that by using '0022' I was following Unix permissions, but I wasn't
following Unix ownership.
Unix users have a private group and when a Unix users home directory is
created, it gets '0755' permissions and username:usergroup ownership.
So, PAM setting '0022' (this is the umask for '0755') means it is just
following Unix practise. One problem is, because you cannot have a user
private group in AD, Domain Users is used instead, this means that any
user can read any other users home directory. This is (following Unix
practice) not a problem, because the permissions (0755) also allow this.
I therefore think that if you require an AD Unix home directory that is
only readable by the user that owns the directory, you will need to set
'0700' permissions on the directory, or '0077' with PAM
Rowland
More information about the samba
mailing list