[Samba] Map user home dir using GPO failing
Mason Schmitt
mason at ftlcomputing.com
Sun Mar 3 07:23:55 UTC 2019
Hello,
I am trying to auto create and mount home directories using a GPO, as per
https://wiki.samba.org/index.php/User_Home_Folders.
I currently have home directories being created through the use of
pam_mkhomedir.so, with 'obey pam restrictions = yes' in my smb.conf file.
I have also set up the share permissions and Windows ACLs as per the above
link.
Unfortunately, even though the user's home directory is being created on
the samba file server, I cannot see the new folder from Windows and my GPO
is not mapping the network drive. However, the same GPO does successfully
map a drive for a different share.
On the Windows 7 PC, when I run 'gpresult /H gpo.html', I see that the GPO
has been applied to my PC, but it does show an error message for the home
dir mapping. The error is 'Result: Failure (Error Code: 0x80070035)'. A
Google search turns up potential issues with DNS or with the share name
being specified using a trailing slash in the GPO. Given the mapping of
the other share works just fine, I can rule out DNS. My share definition
in the GPO doesn't have a trailing slash, but it does use a variable
'%LogonUser%'. I also tried creating the GPO with the variable
'%username%', which didn't work either.
Here's my smb.conf
[global]
kerberos method = system keytab
workgroup = FTLC
security = ads
realm = AD.FTLCOMPUTING.COM
# Netbios is dead, let's make it explicit
disable netbios = yes
# Encrypting SMB traffic is a good basic defense
# As soon as Windows 7 goes away, we'll be able to
# change this to 'required'
smb encrypt = desired
# Logging
log file = /var/log/samba/%m.log
log level = 5
# We're using the RID method of mapping SIDs to UID/GID
idmap config FTLC : range = 2000000-2999999
idmap config FTLC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false
# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0
# Enable Windows ACL support and make ACLs maximally compatible with NTFS
# ACLs.
# The ignore system acls option will hopefully eliminate the issues we have
# encountered with having to set POSIX and NT ACLs. This does mean that
# all file access must be done through Samba
vfs objects = acl_xattr
acl_xattr:default acl style = windows
acl_xattr:ignore system acls = yes
map acl inherit = yes
store dos attributes = yes
# ---------------------------------------------------------------------
# Automatic creation of home directories
# In addition to the NT ACL settings above and the [users] share in the
# shares section below, the following settings are needed in order for
# automatic creation of home directories to work
# Home directory path
template homedir = /srv/samba/users/%U
# To help with automated creation of user home directories,
# we need the following in this smb.conf file and we need
# 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
# added to /etc/pam.d/common-session
obey pam restrictions = yes
# end home dir settings -----------------------------------------------
##################################
# Shares #
##################################
# All shares will be created within the /srv/samba/shares/ folder,
# except for home dirs which are in /srv/samba/users/
# For example:
#[test]
# path = /srv/samba/shares/test
# comment = Test Share
# guest ok = no
# read only = no
[users]
path = /srv/samba/users/%U
comment = Share for user home dirs
guest ok = no
read only = no
[Operations]
path = /srv/samba/shares/Operations
comment = FTL Operations
guest ok = no
read only = no
--
Mason