[Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
Rowland Penny
rpenny at samba.org
Mon Sep 17 21:08:36 UTC 2018
On Mon, 17 Sep 2018 20:50:13 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:
> > Hello-
> >
> > I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> > upgrade, users cannot access the HOME folder share but they can
> > access other shares just fine.
> >
> > I am using the RID backend on this member server that connects to
> > Windows-based domain controllers. I apologize for the lengthy
> > smb4.conf but here it is:
> >
>
> [ ...snip... ]
>
> > # uncomment the following (and tweak the other settings below to suit)
> > # to enable the default home directory shares. This will share each
> > # user's home directory as \\server\username
> >
> > [home]
> > comment = Home directories for AD users
> > path = /zdata/home
> > # browseable = no
> > # By default, the home directories are exported read-only. Change the
> > # next parameter to 'no' if you want to be able to write to them.
> > read only = no
> > # File creation mask is set to 0700 for security reasons. If you want to
> > # create files with group=rw permissions, set next parameter to 0775.
> > create mask = 0700
> > # Directory creation mask is set to 0700 for security reasons. If you want to
> > # create dirs. with group=rw permissions, set next parameter to 0775.
> > directory mask = 0700
> > # By default, \\server\username shares can be connected to by anyone
> > # with access to the samba server. Un-comment the following parameter
> > # to make sure that only "username" can connect to \\server\username
> > # This might need tweaking when using external authentication schemes
> > ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> > valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> > # inherit permissions = Yes
> > # inherit owner = Yes
> > delete veto files = Yes
> > veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> > hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> > # map archive = No
> > # map readonly = no
> > vfs objects = zfsacl, shadow_copy2, full_audit
> > full_audit:prefix = %u|%I
> > full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> > full_audit:failure = none
> > full_audit:facility = LOCAL7
> > full_audit:priority = ALERT
> > shadow: snapdir = .zfs/snapshot
> > shadow: format = %Y-%m-%dT%H:%M:%S
> > shadow: snapdirseverywhere = yes
> > shadow: sort = desc
> > shadow: localtime = no
> >
> >
> >
> > I have several other SMB servers that were upgraded to 4.8 and I
> > am able to enumerate users and groups on all of these servers
> > except this one. I cannot enumerate groups and I am mystified as to
> > why I cannot.
> >
> > Also is the variable DSP-%U still supported? I have tried
> > "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.
> >
> > Is the vfs object full_audit still supported by 4.8?
> >
>
> I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users
> are able to access their home folders. Since each user's home folders
> have had user security restrictions applied at the file level, I am
> comfortable with the level of security here.
>
> But why the change??? I looked at both 4.7 and 4.8 release notes and
> did not see anything related to this. Has this been deprecated?
>
> ~Doug
>

%U is still valid and if you read 'man smb.conf' you will find this:

       %U
           session username (the username that the client wanted, not
           necessarily the same as the one they got).

You could try '%u':

       %u
           username of the current service, if any.

Rowland
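
Added example, not part of the original thread: with `valid users` widened to the whole "EXAMPLE-domain users" group, access to each directory under the share path rests on filesystem permissions alone, so this sketch lists directories directly under a home root whose POSIX mode bits still admit group or other. It assumes one directory per user directly under the root; the function names and the sample tree are constructed for illustration. Mode bits do not show extra NFSv4 ACL entries such as those handled by `zfsacl`, which need a separate check.

```python
import os
import stat
import tempfile


def audit_home_root(root):
    """Return (name, problem) tuples for entries directly under root."""
    findings = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if entry.is_symlink():
            # A symlink is not a real per-user directory; report it, do not follow it.
            findings.append((entry.name, "is a symlink; target not checked"))
            continue
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if mode & stat.S_IRWXO:
            findings.append((entry.name, f"mode {mode:04o} grants access to other"))
        elif mode & stat.S_IRWXG:
            findings.append((entry.name, f"mode {mode:04o} grants access to the owning group"))
    return findings


def build_sample(root):
    """Constructed sample tree: one tight directory, two loose ones, one symlink."""
    for name, mode in (("alice", 0o700), ("bob", 0o750), ("carol", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask does not interfere
    os.symlink("/", os.path.join(root, "dave"))


if __name__ == "__main__":
    # On the server from the thread the root would be the share path, /zdata/home.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, problem in audit_home_root(tmp):
            print(f"{name}: {problem}")
```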