[Samba] Users, home directories and profiles

L.P.H. van Belle belle at bazuin.nl
Wed Jul 1 07:29:30 UTC 2020


If people remove Everyone on the shares, then most are missing at least "Walkthrough" rights (x) on the folder before the share, and then this happens. 
For example, the user SYSTEM will run into problems (when and if it's used, like at logon and when group policies are processed).

If I look at this test folder: 
drwxrwxrwx   3 root domain admins  4096 Jun 30 08:03 test05 
I don't see any "windows" rights...(+) 
So what is getfacl telling? 

I would like to see: 
drwxrwxrwx+   3 root domain admins  4096 Jun 30 08:03 test05 

Also, when people remove Everyone as the TP showed. 

Share Permissions set for Everyone Full Control
Security - Object Name: \\PROTO\test05

Groups or usernames:  (none have any Allowed permissions.)
root [Unix User\root]
Creator Owner	<- these are also missing compared to the windows setup. 
Which is chmod 17xx 

Creator Group	<- 						
Which is chmod 377x

Creator Owner + group 
Which is chmod 477x

> We have tested with several shares and sequences with the same result.
Yes, and the question also, are xattr and acl installed? 

dpkg -l | egrep "xattr|acl"

What I advise, to get a better understanding of the rights: run this: 

for x in 0 1 3 4 5 7; do
	# the leading digit x sets the special bits (4 = setuid, 2 = setgid, 1 = sticky)
	install -d /data/samba/test$x-0 -o root -g "domain users" -m "${x}"770
	install -d /data/samba/test$x-1 -o root -g "domain users" -m "${x}"771
	install -d /data/samba/test$x-5 -o root -g "domain users" -m "${x}"775
	install -d /data/samba/test$x-7 -o root -g "domain users" -m "${x}"777
done

Add 2 shares for /data/samba in smb.conf:
one with acl_xattr:ignore system acl = yes and one without that. 

Now after these are created, go lookup all the rights through the security tab. 
See the difference in windows. 
And do this with a test share, one with everyone full and your adjusted share setup. 
If you are adjusting rights, do this only from within Windows or use setfacl. 

After that all above, only one more thing. 
The "Primary Group", remember this is "ALWAYS" "domain users"

I hope this explains better where these things are going wrong. 
Should we see a crash with that security tab? No, but it's just due to an "incorrect" rights setup. 
Should it crash? No, but it's easy to avoid. 

The sample of my folder structure. 

/home/samba	\\server\samba$  root:domain admins 3751 Only Administrators are allowed here to create subfolders/adjust acls in the base BEFORE the share entry.
I use this share to manage/create new base folders (shares) with user Administrator (like the companydata share). 

/home/samba/companydata	\\server\companydata root:domain admins 3771 ! Only Administrators are allowed to create subfolders IN the base share.

In /home/samba/companydata/department1	  root:domain admins 3770 + the department group
	primary group will use "domain users" for group write control, and makes sure everyone is allowed to write/override the files. 
	The "department1" group is for the access security for the folder, not for file/folder right control. 

For shares where you need to install from, or that need GPO things, add SYSTEM.
A user/computer policy is applied by the SYSTEM impersonating the real users for example. 

I hope I explained this correctly and understandably. 

Just take some time to test this so you can see what fits best with your setup. 
Mine doesn't have to be the correct one for you, but testing it as shown will help you in finding yours.

Good luck testing the above, I'm 100% sure you will learn from it.  ;-) 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Jeremy Allison via samba
> Sent: Tuesday 30 June 2020 19:29
> To: Enrico Morelli
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Users, home directories and profiles
> On Tue, Jun 30, 2020 at 02:41:46PM +0200, Enrico Morelli via 
> samba wrote:
> > On Tue, 30 Jun 2020 11:01:27 +0100
> > Rowland penny via samba <samba at lists.samba.org> wrote:
> > 
> > > On 30/06/2020 10:40, Enrico Morelli via samba wrote:
> > > > At the end I'll to abandon samba :-((
> > > > I'm really sad  
> > > 
> > > One last thought, have you touched the 'share' tab ?
> > > 
> > > For instance, have you removed 'Everyone' from it ?
> > > 
> > > If so, put it back.
> > > 
> > > Rowland
> > > 
> > > 
> > > 
> > 
> > Everyone is present. Clicking on the security tab, the window crash.
> The window crashing is a Windows bug. Whatever we send it
> shouldn't do that. Do you have a wireshark trace of the
> SMB2 reply that crashes the tab ?
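
Added example, not part of the original message or of Samba: a small shell helper for the test described above. It decodes the leading (special) digit of four-digit modes such as 3751 or 3770, and lists every directory above a share folder that gives "other" no x (walk-through) bit. The function names are hypothetical, GNU stat (Debian coreutils) is assumed, and only plain mode bits are checked, so ACL entries still have to be read with getfacl.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils `stat -c`.

# special_bits MODE: name the special bits in an octal mode, e.g. 3770.
special_bits() {
    m=$(( 0$1 ))                       # leading 0 makes the shell read it as octal
    out=""
    if [ $(( $m & 04000 )) -ne 0 ]; then out="${out}setuid,"; fi
    if [ $(( $m & 02000 )) -ne 0 ]; then out="${out}setgid,"; fi
    if [ $(( $m & 01000 )) -ne 0 ]; then out="${out}sticky,"; fi
    out=${out%,}                       # drop the trailing comma
    echo "${out:-none}"
}

# missing_traverse DIR TOP: walk from the parent of DIR up to TOP (inclusive)
# and print "path mode" for each directory where "other" has no x bit.
# Mode bits only; POSIX ACL entries are not evaluated here.
missing_traverse() {
    d=$(dirname "$1")
    while :; do
        mode=$(stat -c '%a' "$d") || return 1
        if [ $(( 0$mode & 1 )) -eq 0 ]; then
            echo "$d $mode"
        fi
        # stop at TOP, or at / if TOP is never reached
        if [ "$d" = "$2" ] || [ "$d" = "/" ]; then break; fi
        d=$(dirname "$d")
    done
}

# Decode the modes used in the folder structure of the post.
for m in 3751 3771 3770; do
    echo "$m: $(special_bits "$m")"
done
```

To check a real tree, call for example: missing_traverse /home/samba/companydata/department1 /home/samba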