[Samba] Roaming profiles

L.P.H. van Belle belle at bazuin.nl
Wed Jun 20 12:15:09 UTC 2018


Looks pretty ok to me, few pointers. 

> /etc/init.d/winbind stop  ( debian stretch: systemctl stop winbind ) 
> /etc/init.d/samba stop    ( debian stretch: systemctl stop samba ) 

Or ..   systemctl stop samba winbind 

Get use to systemctl is my advice. Handy things are. 
systemctl edit   ( add a custom part in the override.conf files ) 
systemctl edit --full  ( copy full setttings )

Samba: Smb.conf 
  winbind enum users = yes
  winbind enum groups = yes
Change these to no, use yes for testing in production no. 

Missing...  ( so add ) 
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping


[profiles]
        comment = Users profiles
        path = /home/EXAMPLE/profiles
        browseable = Yes
        read only = No
        force create mode = 0600
        force directory mode = 0700
        csc policy = disable
        store dos attributes = yes
        vfs objects = acl_xattr


But you missed : 
> chmod 1750 /home/EXAMPLE/profiles/ 
Who "owns"  /home/EXAMPLE/profiles 
Try again with 
chmod 1777 /home/EXAMPLE/profiles/ 

Imo, now nobody of you domain may access profiles.
Why, i'll bet the 1750 is (1) (7-root) (5-root) (0-everybody) on the file system. 


I use normaly: 
# Create these share folders
mkdir -p /home/samba/{profiles,users,data}
chmod 3771 /home/samba   ( note the last 1. that allow to traveral through ) 
chmod 1777 /home/samba/profiles


# ! Note, kerberos needs access in a users home to check ( or set: ignore_k5login = true  in krb5.conf ) 
chmod 1770 /home/samba/users
# on the data folder we want creator owner and group. The group maps to "domain users"
chmod 3770 /home/samba/data

https://github.com/thctlo/samba4/tree/master/howtos
Read the one with 3.2. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Michael Funke via samba
> Verzonden: woensdag 20 juni 2018 13:42
> Aan: Rowland Penny via samba
> Onderwerp: [Samba] Roaming profiles
> 
> Hey,
> 
> I want to use a debian stretch with samba 4 as a fileserver, 
> but I have
> problems with the access.
> 
> Here is what I did:
> 
> apt-get install samba winbind libpam-heimdal libnss-winbind
> /etc/init.d/winbind stop
> /etc/init.d/samba stop
> nano /etc/krb5.conf    https://pastebin.com/rkBPJ2Wz
> nano /etc/samba/smb.conf   https://pastebin.com/h1cJZ6sM
> nano /etc/nsswitch.conf   https://pastebin.com/gxK2rJLU
> 
> getent hosts fs
> 
> smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
> rm -v /var/run/samba/*.tdb /var/run/samba/*.ldb /var/lib/samba/*.tdb
> /var/lib/samba/*.ldb /var/cache/samba/*.tdb /var/cache/samba/*.ldb
> /var/lib/samba/private/*.tdb /var/lib/samba/private/*.ldb
> 
> reboot
> 
> net ads join -U administrator
> /etc/init.d/winbind start
> 
> wbinfo --ping-dc
> getent passwd
> getent group
> 
> net rpc rights grant "EXAMPLE\Domänen-Admins" 
> SeDiskOperatorPrivilege -U
> "EXAMPLE\administrator"
> net rpc rights list privileges SeDiskOperatorPrivilege -U
> "EXAMPLE\administrator"
> 
> mkdir -p /home/EXAMPLE/profiles
> chgrp -R domänen-benutzer /home/EXAMPLE/profiles/
> chmod 1750 /home/EXAMPLE/profiles/
> 
> smbcontrol all reload-config
> 
> What did I wrong?
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 




More information about the samba mailing list