[Samba] smb.conf [homes] vs. GPO Drive Map
Patrick Goetz
pgoetz at math.utexas.edu
Tue Nov 2 09:32:15 UTC 2021

This question refers to a Samba domain member file server.

At least in the PDC days, the existence of the [Homes] in
/etc/samba/smb.conf would trigger an automatic mount of an H: drive when
a user logged in to a Windows client machine. (I think a script ran for
this, but nothing I configured myself.)

I understand that placing Share definitions in smb.conf is the
equivalent of right clicking on a folder in Windows and turning Sharing
on, but I'm a bit confused because of my previous experience with the
[homes] share on a PDC, which was handled differently from other shares.

AD GPOs afford you multiple ways of setting a user's home directory:

  - Use RSAT to edit the user object properties to configure a home
    directory location under the Profile tab

  - Create a group policy for the relevant OU that creates an H: drive
    map for the users in the OU:

      Say map H: to \\my_samba_fileserver\home\%username%
      (see, e.g. https://www.youtube.com/watch?v=qkJ80RsRIM8)

    BTW, the relevant Samba Wiki page
    (https://wiki.samba.org/index.php/Windows_User_Home_Folders#Using_a_Group_Policy_Preference)
    uses %LogonUser% as the home directory global identifying variable,
    and I'm not sure if it makes a difference which you use. Horribly
    confusing when there are N ways to do the same thing.

My question is do I continue to set up the [homes] share the same way; e.g.

   [homes]
      comment = Home Directories
      guest ok = no
      browseable = no
      writeable = yes
      create mask = 0700
      directory mask = 0700
      follow symlinks = yes
      wide links = yes
      valid users = @my_staff

even when I'm using a GPO drive map to set the home directory, or are
these going to interfere with each other? What if the home directory is
configured using RSAT by editing the user's Profile tab and adding the
home directory location there?

Final question, the previous [homes] is on a system using sssd.
Presumably, as long as

   winbind use default domain = yes

is set in the [global] section, winbind will respect the my_staff AD
security group as configured in the preceding [homes] example?