[Samba] Expanding on post "Domain member login"

Rowland Penny rpenny at samba.org
Wed Jun 4 14:52:42 UTC 2025


On Wed, 4 Jun 2025 16:39:18 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi folks,
> 
> I have got a few client Linux PCs that are used to mount user
> profiles on a CIFS server (Samba or Windows) with pam_mount. The user
> profiles are mounted on /home/<DOMAINUSER>, and the directory
> /home/<DOMAINUSER> is created by pam_mount, before the mounting
> itself (I assume). The problem is that the user's mounted directory
> and all subdirectories get the permission 755, when one would expect
> 700.
> 
> Through this, it would be possible for another domain user to log on
> to the same PC and access the data of the previously logged in user.
> I have tried, and I can access data from another user. On the CIFS
> server only the owner (domain user), SYSTEM, Domain Admins, and
> Administrator have got permissions on the user's profile directory,
> how this then translates to 755 in the mounted directory is to me a
> mystery. When the user logs out, the /home/<DOMAINUSER> is unmounted,
> and is ideally deleted (not always, but nothing remains there after
> logoff).
> 
> I have tried to set pam_mkhomedir.so umask=0077 in
> /etc/pam.d/common-session, but that did not help (which probably was
> expected). I have also tried to set mount options, but that did not
> help either.
> 
> The client OS info, smb.conf, pam_mount.conf.xml, and common-session 
> from pam below.
> 
> If somebody could point me in the right direction, I would be
> grateful.
> 
> Best regards,
> 
> Peter
> 
> *OS*
> Debian Bookworm 12.11 (important parts of the OS from backports)
> Samba 4.22.1 from backports
> 
> 
> */etc/samba/smb.conf*
> [global]
>          dedicated keytab file = /etc/krb5.keytab
>          disable netbios = Yes
>          disable spoolss = Yes
>          kerberos method = secrets and keytab
>          log level = 1
>          printcap name = /dev/null
>          realm = PRIVATE.TALPS
>          security = ADS
>          server role = member server
>          smb ports = 445
>          template homedir = /home/%U
>          template shell = /bin/bash
>          timestamp logs = Yes
>          username map = /etc/samba/user.map
>          winbind expand groups = 4
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = PRIVATE
>          acl_xattr:ignore system acls = yes
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-9999
>          idmap config private : backend = rid
>          idmap config private : range = 10000-99999
>          map acl inherit = Yes
>          vfs objects = acl_xattr
> 
> 
> */etc/security/pam_mount.conf.xml*
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <!--
>          See pam_mount.conf(5) for a description.
> -->
> 
> <pam_mount>
> 
>                  <!-- debug should come before everything else,
>                  since this file is still processed in a single pass
>                  from top-to-bottom -->
> 
> <debug enable="0" />
> 
>                  <!-- Volume definitions -->
> <volume user="*"
>          fstype="cifs"
>          server="datasrv.private.talps"
>          path="linuxhomes$/%(DOMAIN_USER)"
>          mountpoint="/home/%(DOMAIN_USER)"
>          uid="10000-999999"
> options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0" 

Have you tried adding 'dir_mode=0700' to the 'options' line?

Rowland
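An added audit script, not from either poster, that reads /proc/mounts-style lines and flags cifs mounts under /home whose dir_mode or file_mode leave group/other bits set, which is what happens when the pam_mount options omit them. The mount lines below are constructed samples modelled on the thread's configuration; the mount point and share names are assumptions.

```shell
#!/bin/sh
# Constructed sample /proc/mounts lines (not from the poster's system).
# The first mirrors the thread's options with no dir_mode/file_mode, so the
# cifs default 0755 applies; the second adds the restrictive modes.
SAMPLE_MOUNTS='//datasrv.private.talps/linuxhomes$/alice /home/alice cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,cruid=10001,nobrl,mfsymlinks 0 0
//datasrv.private.talps/linuxhomes$/bob /home/bob cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,cruid=10002,nobrl,mfsymlinks,file_mode=0600,dir_mode=0700 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print the value of option $2 inside the comma-separated option string $1,
# or nothing when the option is absent.
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Audit one /proc/mounts line. For cifs/smb3 mounts under /home it prints
# "OK <mountpoint>" or "WEAK <mountpoint> dir_mode=<v> file_mode=<v>";
# for anything else it prints nothing. The kernel normally reports both
# modes; if a line lacks them, the cifs default 0755 is assumed.
check_mount_line() {
    set -- $1
    mp=$2; fstype=$3; opts=$4
    case "$fstype" in cifs|smb3) ;; *) return 0 ;; esac
    case "$mp" in /home/*) ;; *) return 0 ;; esac
    d=$(mount_opt "$opts" dir_mode);  d=${d:-0755}
    f=$(mount_opt "$opts" file_mode); f=${f:-0755}
    # Any group/other bit set means another local user can read the profile.
    if [ $((0$d & 077)) -ne 0 ] || [ $((0$f & 077)) -ne 0 ]; then
        echo "WEAK $mp dir_mode=$d file_mode=$f"
    else
        echo "OK $mp"
    fi
}

# Audit every line of $1 (pass "$(cat /proc/mounts)" on a real client).
audit_mounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && check_mount_line "$line"
    done
    return 0
}

audit_mounts "$SAMPLE_MOUNTS"
```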


