[Samba] Map user home dir using GPO failing
Mason Schmitt
mason at ftlcomputing.com
Sun Mar 3 23:15:13 UTC 2019
Of course the procedure should have been in reverse order...
- Create the smb.conf and PAM configs
- Setup the Samba Share
On Sun, 3 Mar 2019 at 15:10, Mason Schmitt <mason at ftlcomputing.com> wrote:
> This mailing list seems to have magical powers... Twice now I have sent
> emails to this list asking for help, both times I have not received the
> correct answer to my question, but each response has inadvertently helped
> me to see my problem from a new angle and thus I have been able to resolve
> my own issue!
>
> As neither the wiki nor any past mailing list messages (that I could find)
> correctly answer this question, I'm going to document the solution for the
> next person that runs into it.
>
> *Goals:*
>
> - Auto create home dir when AD domain user logs in
> - Map home drive using group policy
> - Use NT ACLs in order to provide maximum compatibility with Windows clients
>
> Note that this does work with SELinux enabled, which makes my inner security nut happy :)
>
> *Procedure*
>
> *Setup the Samba Share*
> Follow the instructions at
> https://wiki.samba.org/index.php/User_Home_Folders, *but only* the
> following sections:
>
> - Setting up the Share on the Samba File Server > Using Windows ACLs
> - Creating the Home Folder for a New User > Using a Group Policy Preference
>
>
> *Create the smb.conf and PAM configs*
> There are 6 smb.conf entries that are critical to making this work; they are:
>
> - vfs objects = acl_xattr # I'm not certain that the two other acl_xattr entries, in the smb.conf below, are absolutely necessary
> - map acl inherit = yes
> - store dos attributes = yes
> - template homedir = /srv/samba/users/%U # Note the %U here
> - obey pam restrictions = yes # with the corresponding entry in /etc/pam.d/common-session as per the comments in the smb.conf below
> - [users]
> path = /srv/samba/users # Very important! Don't put the %U here!
> comment = Share for user home dirs
> guest ok = no
> read only = no
>
>
> *The full working smb.conf file*
> [global]
> kerberos method = system keytab
> workgroup = FTLC
> security = ads
> realm = FTLC.FTLCOMPUTING.COM
>
> # Netbios is dead, let's make it explicit
> # There's no need to run nmbd either, so disable it using systemctl disable nmbd
> disable netbios = yes
>
> # Encrypting SMB traffic is a good basic defense
> # As soon as Windows 7 goes away, we'll be able to
> # change this to 'required'
> smb encrypt = desired
>
> # Logging
> log file = /var/log/samba/%m.log
> log level = 5
>
> # We're using the RID method of mapping SIDs to UID/GID
> idmap config FTLC : range = 2000000-2999999
> idmap config FTLC : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
>
> # Samba AD users will not have access to a shell on linux hosts
> template shell = /bin/false
>
> # Winbind
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> # Map domain admin account to local root account
> # and resolve other "net rpc" issues
> username map = /etc/samba/user.map
> bind interfaces only = yes
> interfaces = lo eth0
>
> # Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
> # The ignore system acls option will hopefully eliminate the issues we have
> # encountered with having to set POSIX and NT ACLs. This does mean that all file
> # access should be done through Samba
> vfs objects = acl_xattr
> acl_xattr:default acl style = windows
> acl_xattr:ignore system acls = yes
> map acl inherit = yes
> store dos attributes = yes
>
> # ---------------------------------------------------------------------
> # Automatic creation of home directories
>
> # In addition to the NT ACL settings above and the [users] share in the
> # the shares section below, the following settings are needed in order for
> # automatic creation of home directories to work
>
> # Home directory path
> template homedir = /srv/samba/users/%U
>
> # To help with automated creation of user home directories,
> # we need the following in this smb.conf file and we need
> # 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
> # added to /etc/pam.d/common-session
> obey pam restrictions = yes
>
> # end home dir settings -----------------------------------------------
>
> ##################################
> # Shares #
> ##################################
> # All shares will be created within the /srv/samba/shares/ folder,
> # except for home dirs which are in /srv/samba/users/
>
> [users]
> path = /srv/samba/users
> comment = Share for user home dirs
> guest ok = no
> read only = no
>
>
> Further work - help needed
> I was surprised to find that once the home drive has been mapped and users
> begin creating their own files and folders, the POSIX permissions on
> the file server are wide open, i.e. 777. Even though AD users will not be
> logging in to the file server and the files won't be shared via NFS, I
> still really don't like seeing files being world rwx.
>
> Why does samba set these permissions? What can be done to lock them down?
>
> Thanks,
> Mason
>
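As an added example, not part of the message above and not Samba's own tooling: a small Python checker that parses an smb.conf the way Samba reads it (whole-line comments, case-insensitive parameter names) and verifies the six settings the post calls critical, plus the pam_mkhomedir.so line in common-session. The sample smb.conf and PAM lines embedded below are constructed from the values in the post; the function names and the wording of the findings are this example's own. It also flags acl_xattr:ignore system acls = yes as a warning, because, as the post's own comment notes, that setting means all file access should go through Samba.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the [global] and [users] settings from the post,
# reduced to the lines this checker cares about.
SAMPLE_SMB_CONF = """
[global]
   workgroup = FTLC
   security = ads
   realm = FTLC.FTLCOMPUTING.COM
   # Enable Windows ACL support
   vfs objects = acl_xattr
   acl_xattr:default acl style = windows
   acl_xattr:ignore system acls = yes
   map acl inherit = yes
   store dos attributes = yes
   template homedir = /srv/samba/users/%U
   obey pam restrictions = yes

[users]
   path = /srv/samba/users
   comment = Share for user home dirs
   guest ok = no
   read only = no
"""

# Constructed sample of /etc/pam.d/common-session with the line the post adds.
SAMPLE_PAM_SESSION = """
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""


def _norm(key: str) -> str:
    # Samba matches parameter names case-insensitively and ignores whitespace
    # differences, so "Vfs Objects" and "vfs objects" name the same parameter.
    return " ".join(key.lower().split())


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.
    Only whole-line comments ('#' or ';' as first non-blank character) are
    recognised, matching Samba; a '#' later in a line is part of the value."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(_norm(line[1:-1]), {})
            continue
        if "=" not in line or current is None:
            raise ValueError(f"unparseable smb.conf line: {raw!r}")
        key, value = line.split("=", 1)
        current[_norm(key)] = value.strip()
    return sections


def smb_bool(value: str) -> bool:
    # Samba accepts yes/true/1/on for boolean parameters.
    return value.strip().lower() in ("yes", "true", "1", "on")


def check_home_dir_config(smb_conf: str, pam_session: str) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for the recipe in the post.
    An empty 'errors' list means the config matches the six critical settings."""
    conf = parse_smb_conf(smb_conf)
    g = conf.get("global", {})
    errors: List[str] = []
    warnings: List[str] = []

    if "acl_xattr" not in g.get("vfs objects", "").split():
        errors.append("[global] vfs objects must include acl_xattr")
    for param in ("map acl inherit", "store dos attributes", "obey pam restrictions"):
        if not smb_bool(g.get(param, "no")):
            errors.append(f"[global] {param} must be yes")

    homedir = g.get("template homedir", "")
    if "%U" not in homedir:
        errors.append("[global] template homedir must contain %U (per-user path)")

    users = conf.get("users")
    if users is None:
        errors.append("[users] share section is missing")
    else:
        path = users.get("path", "")
        if not path:
            errors.append("[users] path is missing")
        elif "%U" in path:
            errors.append("[users] path must be the parent directory, not a %U path")
        elif not homedir.startswith(path.rstrip("/") + "/"):
            errors.append("template homedir must live under the [users] share path")
        if smb_bool(users.get("guest ok", "no")):
            errors.append("[users] guest ok must be no")

    # The post pairs 'obey pam restrictions' with a pam_mkhomedir session line.
    if not re.search(r"^\s*session\s+.*\bpam_mkhomedir\.so", pam_session, re.M):
        errors.append("pam_mkhomedir.so session line missing from common-session")

    if smb_bool(g.get("acl_xattr:ignore system acls", "no")):
        warnings.append("acl_xattr:ignore system acls = yes: POSIX mode bits are not "
                        "kept in sync with the NT ACLs, so only access through Samba "
                        "is governed by them")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in check_home_dir_config(SAMPLE_SMB_CONF, SAMPLE_PAM_SESSION).items():
        for item in items:
            print(f"{level}: {item}")
```

To run it against a real server, read /etc/samba/smb.conf and /etc/pam.d/common-session into the two arguments; the parser does not expand %U or include= directives, so feed it the flat file Samba itself loads.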