[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
dougs at dawnsign.com
Mon Sep 17 20:50:13 UTC 2018
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can access
> other shares just fine.
> I am using the RID backend on this member server that connects to Windows-
> based domain controllers. I apologize for the lengthy smb4.conf but here
> it is:
[ ...snip... ]
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
> comment = Home directories for AD users
> path = /zdata/home
> # browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> read only = no
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want
> # create dirs. with group=rw permissions, set next parameter to 0775.
> directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> # inherit permissions = Yes
> # inherit owner = Yes
> delete veto files = Yes
> veto files = /lost+found/Network Trash
> hide files =
> # map archive = No
> # map readonly = no
> vfs objects = zfsacl, shadow_copy2, full_audit
> full_audit:prefix = %u|%I
> full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> full_audit:failure = none
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
> I have several other SMB servers that were upgraded to 4.8 and I am able
> to enumerate users and groups on all of these servers except this one. I
> cannot enumerate groups and I am mystified as to why I cannot.
> Also is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain
> Users" in place of EXAMPLE-%U. It doesn't work.
> Is the vfs object full_audit still supported by 4.8?
I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users are able to access their home folders. Since each user's home folders have had user security restrictions applied at the file level, I am comfortable with the level of security here.
But why the change??? I looked at both 4.7 and 4.8 release notes and did not see anything related to this. Has this been deprecated?
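
With `valid users` widened to all domain users, as in the message above, per-user isolation of the home share rests on the filesystem alone. The following added example (not part of the original post) audits the directories under a home root such as /zdata/home for that. It assumes each directory is named after its account, the function names are hypothetical, and it checks only ownership and POSIX mode bits, so NFSv4 ACL entries applied through zfsacl need a separate review.

```python
import os
import pwd
import stat
import tempfile

def default_owner_uid(name):
    """Map a directory name to a uid (assumption: directory name == account name)."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit_homes(base, owner_uid=default_owner_uid):
    """Return (path, problem) tuples for home directories other users could reach."""
    findings = []
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if entry.name.startswith("."):
            continue  # skip hidden entries such as a visible .zfs directory
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry.path, "symlink, not a directory"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue
        extra = stat.S_IMODE(st.st_mode) & 0o077
        if extra:
            findings.append((entry.path, "group/other bits set: %03o" % extra))
        expected = owner_uid(entry.name)
        if expected is None:
            findings.append((entry.path, "no account matches directory name"))
        elif expected != st.st_uid:
            findings.append((entry.path,
                             "owned by uid %d, expected %d" % (st.st_uid, expected)))
    return findings

def demo():
    """Audit a constructed tree: one 0700 home and one 0755 home."""
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("alice", 0o700), ("bob", 0o755)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask does not interfere
        me = os.getuid()  # constructed resolver: every name maps to the current user
        return [(os.path.basename(p), msg)
                for p, msg in audit_homes(base, lambda n: me)]

if __name__ == "__main__":
    for name, msg in demo():
        print(name, msg)
```
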