[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6

Doug Sampson dougs at dawnsign.com
Mon Sep 17 20:50:13 UTC 2018 

> Hello-
> 
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can access
> other shares just fine.
> 
> I am using the RID backend on this member server that connects to Windows-
> based domain controllers. I apologize for the lengthy smb4.conf but here
> it is:
> 

[ ...snip... ]

> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
> 
> [home]
>    comment = Home directories for AD users
>    path = /zdata/home
> #   browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
>    read only = no
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
>    create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want
> to
> # create dirs. with group=rw permissions, set next parameter to 0775.
>    directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ##   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
>    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> #   inherit permissions = Yes
> #   inherit owner = Yes
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    hide files =
> /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
> Items/$RECYCLE.BIN/
> #   map archive = No
> #   map readonly = no
>    vfs objects = zfsacl, shadow_copy2, full_audit
>    full_audit:prefix = %u|%I
>    full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir
> unlink write pwrite pwrite_send pwrite_recv
>    full_audit:failure = none
>    full_audit:facility = LOCAL7
>    full_audit:priority = ALERT
>    shadow: snapdir = .zfs/snapshot
>    shadow: format = %Y-%m-%dT%H:%M:%S
>    shadow: snapdirseverywhere = yes
>    shadow: sort = desc
>    shadow: localtime = no
> 
> 
> 
> I have several other SMB servers there were upgraded to 4.8 and I am able
> to enumerate users and groups on all of these servers except this one. I
> cannot enumerate groups and I am mystified as to why I cannot.
> 
> Also is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain
> Users" in place of EXAMPLE-%U. It doesn't work.
> 
> Is the vfs object full_audit still supported by 4.8?
> 

I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users are able to access their home folders. Since each user's home folders have had user security restrictions applied at the file level, I am comfortable with the level of security here.

But why the change??? I looked at both 4.7 and 4.8 release notes and did not see anything related to this. Has this been deprecated?

~Doug

More information about the samba mailing list