[Samba] how to use root preexec on user share with %U not as root user

Rowland penny rpenny at samba.org
Thu Apr 30 21:55:59 UTC 2020

On 30/04/2020 22:27, Jelle de Jong via samba wrote:
> On 2020-04-30 23:14, Rowland penny via samba wrote:
>> On 30/04/2020 21:40, Jelle de Jong via samba wrote:
>>> First logon is I use samba-tool to add the user then I go to a 
>>> Windows 10 Pro domain member system and logon to the machine. The 
>>> \\SAMBA01\users\lgaga folder will not be there.....
>> It will not be there, samba-tool doesn't have the code to create the 
>> users folder, but when created on Windows, Windows does.
>>> samba-tool user create lgaga passwd --login-shell /bin/bash 
>>> --given-name "Lady Gaga" --home-drive=H 
>>> --home-directory="\\\SAMBA01\users\lgaga"
>>> Could you or others share (send) the /path/to/a/script you use 
>>> because when I try to use my script above the user always is root, 
>>> and I need a smarter script that sets the setfacl correct with 
>>> Windows ACL instead of POSIX ACL.
>> The problem is, to get it to work correctly, you need to ensure that 
>> you do not change the user's homeDirectory attribute (this is what 
>> '--home-directory' sets). Also a 'root preexec' script is obviously 
>> run as 'root', so of course any directories will be created with root 
>> ownership. This means the script needs to change ownership etc.
>> I have a script that will give you pointers, it isn't really tested, 
>> but you are welcome to a copy.
>> Rowland
> I did some debugging and found I had a bug in my original script I 
> shared: "domain user" instead of "domain users" and therefore the owner 
> never got changed...
>
> [users]
>     path = /srv/storage/users/
>     read only = No
>     root preexec = /usr/local/bin/samba-mkdir-home %U %H
>
> # /usr/local/bin/samba-mkdir-home: $1 is %U (session user name), run as root
> id "$1"
> if [ $? -eq 0 ] && [ ! -e "/srv/storage/users/$1" ]; then
>     mkdir "/srv/storage/users/$1"
>     # hand the new directory over to the user, otherwise it stays root-owned
>     chown "$1":"domain users" "/srv/storage/users/$1"
> fi
> exit 0
>
> The %H is indeed not very useful as it is set to /home/SAMDOM/lgaga 
> if I do not use template homedir = /home/%U

That is a problem there, '%H' is the user's Unix home directory path (the 
unixHomeDirectory attribute in AD, which is only used by the 'ad' 
backend), which is not to be confused with the Windows home directory path 
(the homeDirectory attribute in AD, only used by Windows).

> The --home-drive=H and --home-directory="\\\SAMBA01\users\lgaga" are 
> not actually doing anything?? for me, it does set the options in the 
> profile and they are visible with ADUC but there is never a network 
> mount H: when logon with the user on Windows 10 Pro... I have to use a 
> GPO or --script-path=netlogon.bat with net use...
If you set the path in ADUC, the user's Windows home directory will be 
created for you, but it will not be created if set by Samba-tool etc.
> What is the homeDirectory and homeDrive doing in Windows 10 Pro?

The homeDirectory attribute contents are mapped to the homeDrive 
attribute contents, but only when created through ADUC, that is because 
only ADUC has the code to do this.

I suppose you could write a script around samba-tool to use ssh to 
create the user's Windows home directory, but that would be a complex script.
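
Added example, not part of the original message and not either poster's script: a root preexec helper for the [users] share quoted above that treats %U as untrusted input, since it arrives from the client session and the script runs as root. The names safe_name, make_home, HOME_BASE and HOME_GROUP, the character allowlist and the 0700 mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed smb.conf line:
#   root preexec = /usr/local/bin/samba-mkdir-home %U
# HOME_BASE and HOME_GROUP mirror the values quoted in the thread.
HOME_BASE="${HOME_BASE:-/srv/storage/users}"
HOME_GROUP="${HOME_GROUP:-domain users}"

# %U comes from the client session and this runs as root, so accept only
# one plain path component. The allowlist is this example's assumption;
# it also rejects machine accounts (trailing '$') and DOMAIN\user forms.
safe_name() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Return codes: 0 ok, 2 bad name, 3 unknown user, 4 unexpected file type,
# 5 mkdir failed, 6 chown failed.
make_home() {
    user=$1
    safe_name "$user" || return 2
    id -u "$user" >/dev/null 2>&1 || return 3   # must resolve via NSS/winbind
    dir="$HOME_BASE/$user"
    [ -L "$dir" ] && return 4                   # never follow a symlink
    [ -d "$dir" ] && return 0                   # already provisioned
    [ -e "$dir" ] && return 4                   # a file is squatting the name
    mkdir -m 0700 "$dir" || return 5            # no -p: fails if it appeared
    if ! chown "$user:$HOME_GROUP" "$dir"; then
        rmdir "$dir"                            # do not leave a root-owned dir
        return 6
    fi
    return 0
}

# Run only when called with a user name, as smbd does.
if [ "$#" -gt 0 ]; then
    make_home "$1"
    rc=$?
    [ "$rc" -eq 0 ] || echo "samba-mkdir-home: refused '$1' (rc=$rc)" >&2
    exit 0   # as in the thread; exit "$rc" only with 'root preexec close = yes'
fi
```

The helper takes only %U; %H is left out because, as explained above, it is the Unix home path and not the share path.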

