[Samba] Users, home directories and profiles

L.P.H. van Belle belle at bazuin.nl
Tue Jun 30 14:38:04 UTC 2020



> -----Original Message-----
> From: Enrico Morelli [mailto:morelli at cerm.unifi.it]
> Sent: Tuesday, 30 June 2020 15:48
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Users, home directories and profiles
> 
> On Tue, 30 Jun 2020 14:53:14 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Check the rights before the folder you're trying to change.
> > I'm guessing that now has 770, try 771 or 775 or 777.
> > 
> > 
> 
> I'm able to create the folder after changing the mode to 777. But this
> isn't good because every user is able to create a folder inside users, or not?
No, folder security prevents that; only Domain Users and admins can.


getfacl /home/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

ls -al   (and if you don't like that 777, try 1751)

drwxrwx--T+ 127 root root  4096 Jun 29 10:18 profiles

getfacl /home/samba/profiles/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/profiles/
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

getfacl /home/samba/profiles/myusernamehere.V6/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/profiles/myusernamehere.V6/
# owner: myusernamehere
# group: domain\040users
user::rwx
user:myusernamehere:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:myusernamehere:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx

Note, GID 2005 = SYSTEM 


[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes


My resulting rights in profiles for myusernamehere.V6 in Windows show:
SYSTEM full control
and
myusernamehere full control.

Share security: Everyone full control.

Folder security should have: 
Administrator Full control	This folder, Subfolders and files
Creator Owner   Full control	Subfolders and files
Domain users  SPECIAL 		This folder only
*(see wiki)
It's (from the wiki):
Domain Users  Traverse folder / execute file
	List folder / read data
	Create folder / append data


Doing the above in the right order is key.
First set the share, then the share/folder security.
Then don't touch it from within Linux, and use getfacl to back up the ACL created.

I hope above helps you. 

In addition:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
The only things I would change here; not that it isn't working, but it might prevent problems.
AND it's advised by Microsoft.

When you set the profile path for a user, you always set the path without any version suffix. For example:

\\server\profiles\user_name   I changed it to   \\server.FQDN\profiles


Security tab file system permissions on the root of the profiles share:
Domain Admins	Full control	This folder, subfolders and files
I used Administrator; I forgot why, that's a setup done almost 5 years ago.

And if you use "Using Windows ACLs" from the wiki:
stop reading if you see "POSIX ACLs".
Don't mix them.


Now the last difference I've seen:
you're doing this on an AD DC, I'm on a member.
But acl_xattr:ignore system acl = yes should help you out.
(see man smb.conf)

Greetz, 

Louis




> 
> 
> Moreover I'm tired, everything I try doesn't work. I created a new
> user with samba-tool. I created the home directory from a Windows
> computer, giving the new user full privileges on it.
> But if I try to login with the new user I receive:
> 
> We can't sign you in with this credential because your domain isn't
> available. Make sure your device is connected to your organization's
> network and try again. If you previously signed in on this device with
> another credential, you can sign in with that credential.
> 
> 
> 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Enrico Morelli [mailto:morelli at cerm.unifi.it]
> > > Sent: Tuesday, 30 June 2020 14:44
> > > To: samba at lists.samba.org
> > > CC: L.P.H. van Belle
> > > Subject: Re: [Samba] Users, home directories and profiles
> > > 
> > > On Tue, 30 Jun 2020 12:00:32 +0200
> > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > >   
> > > > Read:
> > > > https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.3-samba-member-fileserver-rights-example.txt
> > > > 
> > > > This still works for buster and other samba versions (I'm now running
> > > > 4.12.x) for my servers.
> > > > 
> > > > For your profiles, add acl_xattr:ignore system acl = yes in
> > > > smb.conf on the share where you need it.
> > > > 
> > > > Make/set the needed base rights FROM WITHIN Linux, then first
> > > > configure the share FROM WITHIN Windows while you're logged in
> > > > as DOM\Administrator. And then FROM WITHIN Windows set the
> > > > needed rights through the security tab.
> > > > 
> > > > Done; don't touch it again from Linux (use getfacl to back up the
> > > > rights).
> > > > 
> > > > Because only Windows will use profiles and you simply have a
> > > > better match in ACLs. I do the same for users, but that's a
> > > > choice.
> > > > 
> > > > I've started on my new server and I'm writing out the steps, takes
> > > > some time..
> > > > 
> > > 
> > > 
> > > I tried to follow your guide, but when I open the share from the
> > > Windows client I have two problems:
> > > 
> > > 1) I'm unable to create a folder under users because Windows says
> > > that I have no permission to do that (my user is in the Administrator
> > > group)
> > > 2) when I try to open the Security tab the window crashes
> > > 
> > > >   
> > > > > > > In the Windows event log I've the following error:
> > > > > > > the processing of Group Policy failed. Windows could not
> > > > > > > resolve the user name. This could be caused by one or more of the
> > > > > > > following: a) Name Resolution failure on the current domain
> > > > > > > controller b) Active Directory Replication Latency
> > > > > > > 
> > > > About this, enable Wait for Network in Windows.
> > > > It's a GPO.
> > > > 
> > > > This should get you where you need to be. 
> > > > 
> > > > 
> > > > Greetz, 
> > > > 
> > > > Louis
> > > > 
> > > > 
> > > > 
> > > >   
> > > > > -----Original Message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > > Enrico Morelli via samba
> > > > > Sent: Tuesday, 30 June 2020 11:41
> > > > > To: samba at lists.samba.org
> > > > > Subject: Re: [Samba] Users, home directories and profiles
> > > > > 
> > > > > On Thu, 25 Jun 2020 14:14:46 +0200
> > > > > Enrico Morelli via samba <samba at lists.samba.org> wrote:
> > > > >     
> > > > > > On Tue, 23 Jun 2020 14:56:57 +0200
> > > > > > Enrico Morelli via samba <samba at lists.samba.org> wrote:
> > > > > >     
> > > > > > > On Tue, 23 Jun 2020 12:37:16 +0200
> > > > > > > Enrico Morelli via samba <samba at lists.samba.org> wrote:
> > > > > > >       
> > > > > > > > On Mon, 22 Jun 2020 13:54:38 +0100
> > > > > > > > Rowland penny via samba <samba at lists.samba.org> wrote:
> > > > > > > >         
> > > > > > > > > On 22/06/2020 13:50, Enrico Morelli wrote:
> > > > > > > > > > On Mon, 22 Jun 2020 11:46:55 +0100
> > > > > > > > > > Rowland penny via samba <samba at lists.samba.org> wrote:
> > > > > > > > > >
> > > > > > > > > >> On 22/06/2020 11:33, Enrico Morelli wrote:
> > > > > > > > > >>> [global]
> > > > > > > > > >>> 	dns forwarder = 150.217.1.32
> > > > > > > > > >>> 	netbios name = FIORGEN7
> > > > > > > > > >>> 	realm = CERM.UNIFI.IT
> > > > > > > > > >>> 	server role = active directory domain controller
> > > > > > > > > >>> 	workgroup = CERM
> > > > > > > > > >>> 	idmap_ldb:use rfc2307 = yes
> > > > > > > > > >>> 	vfs objects = acl_xattr
> > > > > > > > > >>> 	map acl inherit = yes            
> > > > > > > > > >> Remove the last two lines, they have no place on a DC and in
> > > > > > > > > >> fact you have turned off one of the required vfs objects.
> > > > > > > > > > Done.
> > > > > > > > > >            
> > > > > > > > > >>> [homes]
> > > > > > > > > >>> 	path = /home/win_shares/homes
> > > > > > > > > >>> 	read only = no            
> > > > > > > > > >> I would rename [homes] to [users], [homes] is a special share
> > > > > > > > > >> that does not require the 'path' parameter and normally uses
> > > > > > > > > >> the user's Unix directory path and you are using a Windows
> > > > > > > > > >> user home directory path.
> > > > > > > > > > Done.
> > > > > > > > > >
> > > > > > > > > > All seems to be hard. Now I'm able to see the security
> > > > > > > > > > tab, but when I select it the application crashes.
> > > > > > > > > >
> > > > > > > > > > I tried to set the profile but when I open Active Directory Users
> > > > > > > > > > and Computers I receive: Naming information cannot be located
> > > > > > > > > > for the following reason: The server is not operational.
> > > > > > > > > >
> > > > > > > > > > :-((
> > > > > > > > > >
> > > > > > > > > >            
> > > > > > > > > Firewall or Apparmor or Selinux getting in the way ?
> > > > > > > > > 
> > > > > > > > > Rowland
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > >           
> > > > > > > > 
> > > > > > > > I updated Windows 10 to the latest update, removed the Windows PC
> > > > > > > > from the domain and put it back again.
> > > > > > > > 
> > > > > > > > Now Active Directory Users and Computers doesn't start.
> > > > > > > > 
> > > > > > > > I'm unable to use Computer Management to perform the steps to set
> > > > > > > > home directories because it crashes.
> > > > > > > > 
> > > > > > > > I tried to set the homes using File Explorer, going to the shared
> > > > > > > > resources and creating the home directory, but I receive that I
> > > > > > > > don't have permission to create a folder
> > > > > > > > under /home/win_shares/users.
> > > > > > > > 
> > > > > > > > Before I added my account to Unix Admins and Domain
> > > > > > > > Admins. 
> > > > > > > > 
> > > > > > > > I set log level to 10 but I'm unable to see if there are issues
> > > > > > > > scrolling through thousands of lines.
> > > > > > > > 
> > > > > > > > I don't know what fish to catch anymore :-((
> > > > > > > >         
> > > > > > > 
> > > > > > > In the Windows event log I've the following error:
> > > > > > > the processing of Group Policy failed. Windows could not
> > > > > > > resolve the user name. This could be caused by one or more of the
> > > > > > > following: a) Name Resolution failure on the current domain
> > > > > > > controller b) Active Directory Replication Latency
> > > > > > > 
> > > > > > >       
> > > > > > 
> > > > > > 
> > > > > > No ideas?
> > > > > > 
> > > > > > 
> > > > > >     
> > > > > 
> > > > > In the end I'll have to abandon samba :-((
> > > > > I'm really sad
> > > > > 
> > > > > -- 
> > > > > -----------------------------------------------------------
> > > > >   Enrico Morelli
> > > > >   System Administrator | Programmer | Web Developer
> > > > > 
> > > > >   CERM - Polo Scientifico
> > > > >   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> > > > > ------------------------------------------------------------
> > > > > 
> > > > > 
> > > > >     
> > > > 
> > > >   
> > > 
> > > 
> > > 
> > > -- 
> > > -----------------------------------------------------------
> > >   Enrico Morelli
> > >   System Administrator | Programmer | Web Developer
> > > 
> > >   CERM - Polo Scientifico
> > >   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> > > ------------------------------------------------------------
> > > 
> > >   
> > 
> > 
> 
> 
> 
> -- 
> -----------------------------------------------------------
>   Enrico Morelli
>   System Administrator | Programmer | Web Developer
> 
>   CERM - Polo Scientifico
>   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> ------------------------------------------------------------
> 
> 
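Louis's procedure above (set the base rights from Linux, finish the share and folder security from Windows, then leave it alone and keep a getfacl backup) and the getfacl dumps he posted lend themselves to a small check. The following POSIX shell script is an added example, not code from this thread or from the Samba project: acl_backup dumps a tree's ACLs so they can be restored with setfacl --restore, and acl_audit reads a getfacl dump and flags the two things that would defeat the "Domain Users: this folder only" design from the wiki: any "other::" entry that grants a right (world access to the profiles tree) and any default (inherited) entry that grants "domain users" a right, which would let every domain user into every newly created profile folder. It assumes a Linux host with the acl package installed and the group name "domain users" as on the page (getfacl writes the space as \040); the two sample dumps are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): back up the ACLs of a Samba
# share tree and audit a getfacl dump for the two mistakes that would break the
# "Domain Users: this folder only" layout. Assumes Linux with the acl package
# (getfacl/setfacl) and the group name "domain users" used on the page.

# Dump the ACLs of a whole tree. -p keeps the leading "/" so the dump can be
# restored from any directory with:  setfacl --restore=<file>
acl_backup() {
    dir=$1
    out=$2
    getfacl -R -p "$dir" > "$out"
}

# Audit a getfacl dump on stdin. Prints one line per finding and exits with the
# number of findings, so "acl_audit < dump && echo clean" works as a check.
acl_audit() {
    awk '
        /^# file: / { file = substr($0, 9); next }   # start of a new entry
        /^#/        { next }                         # owner/group/flags comments
        {
            # access entries look like  tag:qualifier:perms
            # default (inherited) ones  default:tag:qualifier:perms
            n = split($0, f, ":")
            if (n == 3)      { scope = "access";  tag = f[1]; who = f[2]; perm = f[3] }
            else if (n == 4) { scope = f[1];      tag = f[2]; who = f[3]; perm = f[4] }
            else next
            grants = (perm != "---")
            if (tag == "other" && grants) {
                printf "%s: world access (%s other::%s)\n", file, scope, perm
                bad++
            }
            if (scope == "default" && tag == "group" && who == "domain\\040users" && grants) {
                printf "%s: Domain Users would inherit %s into new subfolders\n", file, perm
                bad++
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample dumps (not from a real server). The first follows the
# layout posted on the page: Domain Users get rwx on the profiles root only,
# nothing for "other", and no default entry for Domain Users.
sample_good_dump() {
cat <<'EOF'
# file: home/samba/profiles/
# owner: root
# group: root
# flags: --t
user::rwx
group::---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:mask::rwx
default:other::---
EOF
}

# The second has the two mistakes the audit is meant to catch.
sample_bad_dump() {
cat <<'EOF'
# file: home/samba/profiles/
# owner: root
# group: root
user::rwx
group::---
group:domain\040users:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::---
default:group:domain\040users:rwx
default:mask::rwx
default:other::---
EOF
}

# Demo: audit both constructed dumps. Against a real server you would run
#   acl_backup /home/samba/profiles profiles.acl && acl_audit < profiles.acl
echo "== constructed good dump"
sample_good_dump | acl_audit && echo "clean"
echo "== constructed bad dump"
sample_bad_dump | acl_audit || echo "findings: $?"
```

Run the backup and any restore (setfacl --restore=profiles.acl) as root. One caveat: with vfs_acl_xattr the Windows ACL itself is stored in the security.NTACL extended attribute, so a getfacl dump covers only the POSIX side; getfattr -d -m security.NTACL -R <dir> (restorable with setfattr --restore) captures the rest.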



