[Samba] Map user home dir using GPO failing

Mason Schmitt mason at ftlcomputing.com
Sun Mar 3 23:15:13 UTC 2019


Of course the procedure should have been in reverse order...

   - Create the smb.conf and PAM configs
   - Setup the Samba Share



On Sun, 3 Mar 2019 at 15:10, Mason Schmitt <mason at ftlcomputing.com> wrote:

> This mailing list seems to have magical powers...  Twice now I have sent
> emails to this list asking for help, both times I have not received the
> correct answer to my question, but each response has inadvertently helped
> me to see my problem from a new angle and thus I have been able to resolve
> my own issue!
>
> As neither the wiki nor any past mailing list messages (that I could find)
> correctly answer this question, I'm going to document the solution for the
> next person that runs into it.
>
> *Goals:*
>
>    - Auto create home dir when AD domain user logs in
>    - Map home drive using group policy
>    - Use NT ACLs in order to provide maximum compatibility with Windows
>    clients
>
> Note that this does work with selinux enabled, which makes my inner
> security nut happy :)
>
> *Procedure*
>
> *Setup the Samba Share*
> Follow the instructions at
> https://wiki.samba.org/index.php/User_Home_Folders, *but only* the
> following sections:
>
>    - Setting up the Share on the Samba File Server > Using Windows ACLs
>    - Creating the Home Folder for a New User > Using a Group Policy
>    Preference
>
>
> *Create the smb.conf and PAM configs*
> There are 6 smb.conf entries that are critical to making this work; they
> are:
>
>    - vfs objects = acl_xattr # I'm not certain that the two other
>    acl_xattr entries, in the smb.conf below, are absolutely necessary
>    - map acl inherit = yes
>    - store dos attributes = yes
>    - template homedir = /srv/samba/users/%U  # Note the %U here
>    - obey pam restrictions = yes  # with the corresponding entry in
>    /etc/pam.d/common-session as per the comments in the smb.conf below
>    -  [users]
>            path = /srv/samba/users   # Very important! Don't put the %U
>    here!
>            comment = Share for user home dirs
>            guest ok = no
>            read only = no
>
>
> *The full working smb.conf file*
> [global]
> kerberos method = system keytab
> workgroup = FTLC
> security = ads
> realm = FTLC.FTLCOMPUTING.COM
>
> # Netbios is dead, let's make it explicit
> # There's no need to run nmbd either, so disable it using
> # 'systemctl disable nmbd'
> disable netbios = yes
>
> # Encrypting SMB traffic is a good basic defense
> # As soon as Windows 7 goes away, we'll be able to
> # change this to 'required'
> smb encrypt = desired
>
> # Logging
> log file = /var/log/samba/%m.log
> log level = 5
>
> # We're using the RID method of mapping SIDs to UID/GID
> idmap config FTLC : range = 2000000-2999999
> idmap config FTLC : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
>
> # Samba AD users will not have access to a shell on linux hosts
> template shell = /bin/false
>
> # Winbind
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> # Map domain admin account to local root account
> # and resolve other "net rpc" issues
> username map = /etc/samba/user.map
> bind interfaces only = yes
> interfaces = lo eth0
>
> # Enable Windows ACL support and make ACLs maximally compatible with NTFS
> # ACLs.
> # The ignore system acls option will hopefully eliminate the issues we
> # have encountered with having to set POSIX and NT ACLs. This does mean
> # that all file access should be done through Samba
> vfs objects = acl_xattr
> acl_xattr:default acl style = windows
> acl_xattr:ignore system acls = yes
> map acl inherit = yes
> store dos attributes = yes
>
> # ---------------------------------------------------------------------
> # Automatic creation of home directories
>
> # In addition to the NT ACL settings above and the [users] share in the
> # the shares section below, the following settings are needed in order for
> # automatic creation of home directories to work
>
> # Home directory path
> template homedir = /srv/samba/users/%U
>
> # To help with automated creation of user home directories,
> # we need the following in this smb.conf file and we need
> # 'session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022'
> # added to /etc/pam.d/common-session
> obey pam restrictions = yes
>
> # end home dir settings -----------------------------------------------
>
> ##################################
> #           Shares               #
> ##################################
> # All shares will be created within the /srv/samba/shares/ folder,
> # except for home dirs which are in /srv/samba/users/
>
> [users]
>         path = /srv/samba/users
>         comment = Share for user home dirs
>         guest ok = no
>         read only = no
>
>
> Further work - help needed
> I was surprised to find that once the home drive has been mapped and users
> begin creating their own files and folders, the POSIX permissions on
> the file server are wide open - i.e. 777.  Even though AD users will not be
> logging in to the file server and the files won't be shared via NFS, I
> still really don't like seeing files being world rwx.
>
> Why does samba set these permissions?  What can be done to lock them down?
>
> Thanks,
> Mason
>
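As an added check (not from Mason's post or from Samba itself), the following Python snippet parses an smb.conf and flags deviations from the six critical settings listed in the post, including the %U-in-path mistake the post warns about. The sample configuration embedded below is constructed for the demonstration.

```python
"""Checker for the home-directory smb.conf settings described in the post."""
import re

TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample (not the post's file): %U belongs in 'template homedir',
# never in the [users] share path.
SAMPLE_SMB_CONF = """\
[global]
   # Windows ACL support
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   template homedir = /srv/samba/users/%U
   obey pam restrictions = yes

[users]
   path = /srv/samba/users
   guest ok = no
   read only = no
"""


def parse_smb_conf(text):
    """Return {section: {name: value}}. Samba ignores case and whitespace in
    parameter names, so names are lower-cased with spaces removed; only
    whole-line comments are skipped, as smb.conf(5) has no inline comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", "", name).lower()] = value.strip()
    return conf


def check_homedir_settings(text):
    """Return a list of problems; empty means the six settings match the post."""
    conf = parse_smb_conf(text)
    g, problems = conf.get("global", {}), []
    if "acl_xattr" not in g.get("vfsobjects", "").split():
        problems.append("vfs objects must include acl_xattr")
    for label in ("map acl inherit", "store dos attributes", "obey pam restrictions"):
        if g.get(label.replace(" ", ""), "").lower() not in TRUE_VALUES:
            problems.append(f"{label} must be yes")
    if "%U" not in g.get("templatehomedir", ""):
        problems.append("template homedir must contain %U")
    users = conf.get("users")
    if users is None or "path" not in users:
        problems.append("[users] share with a path is required")
    elif "%U" in users["path"]:
        problems.append("[users] path must not contain %U")
    return problems
```

Run it against your real file with `check_homedir_settings(open("/etc/samba/smb.conf").read())`; it does not replace `testparm`, which still validates the rest of the file.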

