[Samba] Users, home directories and profiles
L.P.H. van Belle
belle at bazuin.nl
Tue Jun 30 14:38:04 UTC 2020
> -----Original Message-----
> From: Enrico Morelli [mailto:morelli at cerm.unifi.it]
> Sent: Tuesday 30 June 2020 15:48
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Users, home directories and profiles
>
> On Tue, 30 Jun 2020 14:53:14 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Check the rights before the folder you're trying to change.
> > I'm guessing that now has 770; try 771 or 775 or 777.
> >
> >
>
> I'm able to create the folder after changing the mode to 777. But this
> isn't good because every user is able to create folders inside users, or not?
No, folder security prevents that; only Domain Users and admins can.
getfacl /home/samba/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
ls -al (and if you don't like that 777, try 1751)
drwxrwx--T+ 127 root root 4096 Jun 29 10:18 profiles
getfacl /home/samba/profiles/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/profiles/
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---
getfacl /home/samba/profiles/myusernamehere.V6/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/profiles/myusernamehere.V6/
# owner: myusernamehere
# group: domain\040users
user::rwx
user:myusernamehere:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:myusernamehere:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
Note, GID 2005 = SYSTEM
[profiles]
browseable = yes
path = /home/samba/profiles
read only = no
acl_xattr:ignore system acl = yes
My resulting rights in profiles for myusernamehere.V6 in Windows show:
SYSTEM full control,
and
myusernamehere full control.
Share security: Everyone full control.
Folder security should have:
Administrator  Full control  This folder, subfolders and files
Creator Owner  Full control  Subfolders and files
Domain Users   SPECIAL       This folder only
* (see wiki)
It's (from wiki):
Domain Users: Traverse folder / execute file
              List folder / read data
              Create folder / append data
Doing the above in the right order is key.
First set the share, then the share/folder security.
Then don't touch it from within Linux, and use getfacl to back up the ACL created.
I hope the above helps you.
In addition:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
The only things I would change here (not that it's not working, but it might prevent problems),
AND it's advised by Microsoft:
When you set the profile path for a user, you always set the path without any version suffix. For example:
\\server\profiles\user_name. I changed it to \\server.FQDN\profiles.
Security tab file system permissions on the root of the profiles share:
Domain Admins  Full control  This folder, subfolders and files
I used Administrator; I forgot why, that's a setup done almost 5 years ago.
And if you use "Using Windows ACLs" from the wiki, stop reading if you see "POSIX ACLs".
Don't mix them.
Now the last difference I've seen: you're doing this on an AD DC, I'm on a member.
But acl_xattr:ignore system acl = yes should help you out
(see man smb.conf).
Greetz,
Louis
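Added example (not from Louis's message, the Samba wiki, or the howto he links): a POSIX shell script that checks a getfacl dump of the profiles root for the things this thread turns on (no rights for "other", so the chmod 777 workaround is caught; a named Domain Users entry; a default ACL so new profile folders inherit the closed layout) and wraps the getfacl backup / setfacl --restore cycle he recommends. The two ACL dumps are constructed from the output quoted above; /home/samba/profiles and the backup path are assumptions, and the backup/restore functions need the acl package (getfacl/setfacl) installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Samba project.
# Checks a getfacl dump of a profiles share root against the layout Louis
# shows, and wraps the getfacl backup / setfacl --restore cycle he advises.

# Constructed dump: a profiles root after "chmod 777" (the workaround the
# thread warns about).
BAD_ACL='# file: home/samba/profiles/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx'

# Constructed dump modelled on the working profiles root quoted above:
# nothing for "other", Domain Users rwx via a named entry, default ACL present.
GOOD_ACL='# file: home/samba/profiles/
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---'

# check_profiles_acl: read one getfacl dump on stdin, print each finding,
# return 0 when the root matches the thread's working layout, 1 otherwise.
check_profiles_acl() {
    acl=$(cat)
    rc=0
    # 1. "other" must have no rights: 777/775/771 on the root opens it to
    #    every local account, which is exactly what the poster feared.
    if ! printf '%s\n' "$acl" | grep -q '^other::---$'; then
        echo "FAIL: 'other' has access on the profiles root (chmod 777/775/771?)"
        rc=1
    fi
    # 2. Access for domain accounts comes from a named group entry, not
    #    from opening the mode bits. getfacl escapes the space as \040.
    if ! printf '%s\n' "$acl" | grep -q '^group:domain\\040users:rwx$'; then
        echo "FAIL: no named ACL entry granting 'domain users' rwx"
        rc=1
    fi
    # 3. A default ACL with other::--- makes new profile folders inherit
    #    the same closed layout instead of falling back to the umask.
    if ! printf '%s\n' "$acl" | grep -q '^default:other::---$'; then
        echo "FAIL: default ACL missing or leaves 'other' open for new folders"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: profiles root matches the working layout"
    return "$rc"
}

# backup_acls SHARE_ROOT BACKUP_FILE: record the ACL tree so a later
# mistaken chmod/chown from Linux can be undone. -p keeps absolute paths so
# the restore does not depend on the current directory. Paths are assumed;
# keep the backup file outside the share itself.
backup_acls() {
    getfacl -R -p "$1" > "$2"
}

# restore_acls BACKUP_FILE: put the recorded ACLs back (acl package needed).
restore_acls() {
    setfacl --restore="$1"
}

# Demo on the constructed dumps. On a real server replace the printf with:
#   getfacl /home/samba/profiles | check_profiles_acl
printf '%s\n' "$BAD_ACL"  | check_profiles_acl
printf '%s\n' "$GOOD_ACL" | check_profiles_acl
```

Run the check after every change made from the Windows security tab, and take a fresh backup_acls once it reports OK; if someone later runs chmod from Linux, restore_acls puts the Windows-set ACLs back without touching the share again from the Linux side.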
>
>
> Moreover I'm tired, everything I try doesn't work. I created a new
> user with samba-tool. I created the home directory from Windows
> computer giving to the new user the full privileges on it.
> But if I try to login with the new user I receive:
>
> We can't sign you with this credential because your domain isn't
> available. Make sure your device is connected to your organization's
> network and try again. If you previously signed in on this device with
> another credential, you can sign in with that credential.
>
>
>
> > Greetz,
> >
> > Louis
> >
> >
> >
> > > -----Original Message-----
> > > From: Enrico Morelli [mailto:morelli at cerm.unifi.it]
> > > Sent: Tuesday 30 June 2020 14:44
> > > To: samba at lists.samba.org
> > > CC: L.P.H. van Belle
> > > Subject: Re: [Samba] Users, home directories and profiles
> > >
> > > On Tue, 30 Jun 2020 12:00:32 +0200
> > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > >
> > > > Read:
> > > >
> > > > https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.3-samba-member-fileserver-rights-example.txt
> > > >
> > > > This still works for buster and other Samba versions (I'm now running
> > > > 4.12.x) for my servers.
> > > >
> > > > For your profiles: add acl_xattr:ignore system acl = yes in
> > > > smb.conf on the share where you need it.
> > > >
> > > > Make/set the needed base rights FROM WITHIN Linux, then first
> > > > configure the share FROM WITHIN Windows while you're logged in
> > > > as DOM\Administrator. And then FROM WITHIN Windows set the
> > > > needed rights through the security tab.
> > > >
> > > > Done, don't touch it again from Linux (use getfacl to back up the
> > > > rights).
> > > >
> > > > Because only Windows will use profiles, you simply have a
> > > > better match in ACLs. I do the same for users, but that's a
> > > > choice.
> > > >
> > > > I've started on my new server and I'm writing out the
> > > > steps, takes some time..
> > > >
> > >
> > >
> > > I tried to follow your guide, but when I open the share from the
> > > Windows client I have two problems:
> > >
> > > 1) I'm unable to create a folder under users because Windows says
> > > that I have no permission to do that (my user is in the Administrator
> > > group)
> > > 2) when I try to open the Security tab the window crashes
> > >
> > > >
> > > > > > > In the windows log events I've the following error:
> > > > > > > the processing of Group Policy failed. Windows could not
> > > > > > > resolve the user name. This could be caused by one of more of the
> > > > > > > following : a) Name Resolution failure on the current domain
> > > > > > > controller b) Active Directory Replication Latency
> > > > > > >
> > > > About this, enable Wait for Network in windows.
> > > > Its a GPO.
> > > >
> > > > This should get you where you need to be.
> > > >
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > > Enrico Morelli via samba
> > > > > Sent: Tuesday 30 June 2020 11:41
> > > > > To: samba at lists.samba.org
> > > > > Subject: Re: [Samba] Users, home directories and profiles
> > > > >
> > > > > On Thu, 25 Jun 2020 14:14:46 +0200
> > > > > Enrico Morelli via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > > On Tue, 23 Jun 2020 14:56:57 +0200
> > > > > > Enrico Morelli via samba <samba at lists.samba.org> wrote:
> > > > > >
> > > > > > > On Tue, 23 Jun 2020 12:37:16 +0200
> > > > > > > Enrico Morelli via samba <samba at lists.samba.org> wrote:
> > > > > > >
> > > > > > > > On Mon, 22 Jun 2020 13:54:38 +0100
> > > > > > > > Rowland penny via samba <samba at lists.samba.org> wrote:
> > > > > > > >
> > > > > > > > > On 22/06/2020 13:50, Enrico Morelli wrote:
> > > > > > > > > > On Mon, 22 Jun 2020 11:46:55 +0100
> > > > > > > > > > Rowland penny via samba <samba at lists.samba.org> wrote:
> > > > > > > > > >
> > > > > > > > > > >> On 22/06/2020 11:33, Enrico Morelli wrote:
> > > > > > > > > >>> [global]
> > > > > > > > > >>> dns forwarder = 150.217.1.32
> > > > > > > > > >>> netbios name = FIORGEN7
> > > > > > > > > >>> realm = CERM.UNIFI.IT
> > > > > > > > > > >>> server role = active directory domain controller
> > > > > > > > > > >>> workgroup = CERM
> > > > > > > > > >>> idmap_ldb:use rfc2307 = yes
> > > > > > > > > >>> vfs objects = acl_xattr
> > > > > > > > > >>> map acl inherit = yes
> > > > > > > > > > >> Remove the last two lines, they have no place on
> > > > > > > > > > >> a DC and in fact you have turned off one of the
> > > > > > > > > > >> required vfs objects.
> > > > > > > > > > Done.
> > > > > > > > > >
> > > > > > > > > >>> [homes]
> > > > > > > > > >>> path = /home/win_shares/homes
> > > > > > > > > >>> read only = no
> > > > > > > > > > >> I would rename [homes] to [users], [homes] is a
> > > > > > > > > > >> special share that does not require the 'path'
> > > > > > > > > > >> parameter and normally uses the users Unix
> > > > > > > > > > >> directory path and you are using a Windows
> > > > > > > > > > >> user home directory path.
> > > > > > > > > > Done.
> > > > > > > > > >
> > > > > > > > > > All seems to be hard. Now I'm able to see the Security
> > > > > > > > > > tab, but when I select it the application crashes.
> > > > > > > > > >
> > > > > > > > > > I tried to set the profile but when I open Active
> > > > > > > > > > Directory Users and Computers I receive: Naming
> > > > > > > > > > information cannot be located for the following
> > > > > > > > > > reason: The server is not operational.
> > > > > > > > > >
> > > > > > > > > > :-((
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > Firewall or Apparmor or Selinux getting in the way ?
> > > > > > > > >
> > > > > > > > > Rowland
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > I updated Windows 10 to the latest update, removed
> > > > > > > > the Windows PC from the domain and put it in again.
> > > > > > > >
> > > > > > > > Now Active Directory Users and Computers doesn't start.
> > > > > > > >
> > > > > > > > I'm unable to use Computer Management to perform the
> > > > > > > > steps to set home directories because it crashes.
> > > > > > > >
> > > > > > > > I tried to set the homes using File Explorer, going
> > > > > > > > to the shared resources and creating the home directory,
> > > > > > > > but I receive that I don't have permission to create a folder
> > > > > > > > under /home/win_shares/users.
> > > > > > > >
> > > > > > > > Before I added my account to Unix Admins and Domain
> > > > > > > > Admins.
> > > > > > > >
> > > > > > > > I set log level to 10 but I'm unable to see if
> > > > > > > > there are issues scrolling through thousands of lines.
> > > > > > > >
> > > > > > > > I don't know what fish to catch anymore :-((
> > > > > > > >
> > > > > > >
> > > > > > > In the windows log events I've the following error:
> > > > > > > the processing of Group Policy failed. Windows could not
> > > > > > > resolve the user name. This could be caused by one of more of the
> > > > > > > following : a) Name Resolution failure on the current domain
> > > > > > > controller b) Active Directory Replication Latency
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > No ideas?
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > In the end I'll have to abandon samba :-((
> > > > > I'm really sad
> > > > >
> > > > > --
> > > > > -----------------------------------------------------------
> > > > > Enrico Morelli
> > > > > System Administrator | Programmer | Web Developer
> > > > >
> > > > > CERM - Polo Scientifico
> > > > > via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> > > > > ------------------------------------------------------------