[Samba] Expanding on post "Domain member login"

Peter Milesson miles at atmos.eu
Wed Jun 4 15:28:28 UTC 2025



On 04.06.2025 16:52, Rowland Penny via samba wrote:
> On Wed, 4 Jun 2025 16:39:18 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> I have got a few client Linux PCs that are used to mount user
>> profiles on a CIFS server (Samba or Windows) with pam_mount. The user
>> profiles are mounted on /home/<DOMAINUSER>, and the directory
>> /home/<DOMAINUSER> is created by pam_mount, before the mounting
>> itself (I assume). The problem is that the user's mounted directory
>> and all subdirectories get permission 755, when one would expect
>> 700.
>>
>> Through this, it would be possible for another domain user to log on
>> to the same PC and access the data of the previously logged in user.
>> I have tried, and I can access data from another user. On the CIFS
>> server only the owner (domain user), SYSTEM, Domain Admins, and
>> Administrator have got permissions on the user's profile directory,
>> how this then translates to 755 in the mounted directory is to me a
>> mystery. When the user logs out, the /home/<DOMAINUSER> is unmounted,
>> and is ideally deleted (not always, but nothing remains there after
>> logoff).
>>
>> I have tried to set pam_mkhomedir.so umask=0077 in
>> /etc/pam.d/common-session, but that did not help (which probably was
>> expected). I have also tried to set mount options, but that did not
>> help either.
>>
>> The client OS info, smb.conf, pam_mount.conf.xml, and common-session
>> from pam below.
>>
>> If somebody could point me in the right direction, I would be
>> grateful.
>>
>> Best regards,
>>
>> Peter
>>
>> *OS*
>> Debian Bookworm 12.11 (important parts of the OS from backports)
>> Samba 4.22.1 from backports
>>
>>
>> */etc/samba/smb.conf*
>> [global]
>>           dedicated keytab file = /etc/krb5.keytab
>>           disable netbios = Yes
>>           disable spoolss = Yes
>>           kerberos method = secrets and keytab
>>           log level = 1
>>           printcap name = /dev/null
>>           realm = PRIVATE.TALPS
>>           security = ADS
>>           server role = member server
>>           smb ports = 445
>>           template homedir = /home/%U
>>           template shell = /bin/bash
>>           timestamp logs = Yes
>>           username map = /etc/samba/user.map
>>           winbind expand groups = 4
>>           winbind refresh tickets = Yes
>>           winbind use default domain = Yes
>>           workgroup = PRIVATE
>>           acl_xattr:ignore system acls = yes
>>           idmap config * : backend = tdb
>>           idmap config * : range = 3000-9999
>>           idmap config private : backend = rid
>>           idmap config private : range = 10000-99999
>>           map acl inherit = Yes
>>           vfs objects = acl_xattr
>>
>>
>> */etc/security/pam_mount.conf.xml*
>> <?xml version="1.0" encoding="utf-8" ?>
>> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
>> <!--
>>           See pam_mount.conf(5) for a description.
>> -->
>>
>> <pam_mount>
>>
>>                   <!-- debug should come before everything else,
>>                   since this file is still processed in a single pass
>>                   from top-to-bottom -->
>>
>> <debug enable="0" />
>>
>>                   <!-- Volume definitions -->
>> <volume user="*"
>>           fstype="cifs"
>>           server="datasrv.private.talps"
>>           path="linuxhomes$/%(DOMAIN_USER)"
>>           mountpoint="/home/%(DOMAIN_USER)"
>>           uid="10000-999999"
>> options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0"
> Have you tried adding 'dir_mode=0700' to the 'options' line?
>
> Rowland
>
Hi Rowland,

Thanks a ton. That did the trick! Problem solved.

The risk for unauthorized access was minimal, as the PCs are used by
single users. But better safe than sorry.

Best regards,

Peter
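The thread above identifies the root cause (a CIFS mount under /home whose directory mode defaults to 0755, so any other local domain user can read the mounted profile) and the fix (dir_mode=0700 in the pam_mount options). The following script is an added example, not something posted in the thread, that audits /proc/mounts-style lines and reports every CIFS mount under /home whose dir_mode is not 0700, treating an absent dir_mode as the kernel default of 0755. The mount lines in SAMPLE_MOUNTS are constructed for the demonstration; the hostnames, share and user names are invented and the helper name audit_cifs_homes is this example's own.

```shell
#!/bin/sh
# Added example (not from the samba list thread): audit CIFS home mounts for
# a directory mode other than 0700, which would let other local users read
# a mounted profile. Only POSIX sh and awk are used.

# Constructed /proc/mounts sample (hypothetical hosts/users, not a real system).
# alice: mounted without dir_mode -> kernel default 0755 (world-readable dirs)
# bob:   mounted with dir_mode=0700 as recommended in the thread
SAMPLE_MOUNTS='//datasrv.private.talps/linuxhomes$/alice /home/alice cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,cruid=10001,uid=10001,gid=10001,file_mode=0755,nobrl,mfsymlinks 0 0
//datasrv.private.talps/linuxhomes$/bob /home/bob cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,cruid=10002,uid=10002,gid=10002,file_mode=0600,dir_mode=0700,nobrl,mfsymlinks 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# audit_cifs_homes: reads mount-table lines on stdin (same layout as
# /proc/mounts: device mountpoint fstype options dump pass). For every cifs
# mount whose mountpoint is under /home it extracts dir_mode from the option
# list; a missing dir_mode is reported as the cifs default 0755. Prints one
# line per offending mount and returns 1 if any were found, 0 otherwise.
audit_cifs_homes() {
    awk '
        $3 == "cifs" && $2 ~ /^\/home\// {
            n = split($4, opts, ",")
            dir_mode = "0755"          # mount.cifs default when dir_mode is absent
            explicit = "default"
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^dir_mode=/) {
                    sub(/^dir_mode=/, "", opts[i])
                    dir_mode = opts[i]
                    explicit = "explicit"
                }
            }
            if (dir_mode != "0700") {
                print $2 " dir_mode=" dir_mode " (" explicit ")"
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Live usage on a client PC:   audit_cifs_homes < /proc/mounts
# Demonstration on the constructed sample (exit status 1, reports alice only):
printf '%s\n' "$SAMPLE_MOUNTS" | audit_cifs_homes \
    || echo "one or more CIFS home mounts are readable by other local users"
```

Run it from a cron job or a login hook on each client after pam_mount has done its work; a non-zero exit status means a profile was mounted without the 0700 directory mode, which is the condition the thread describes. Note that file_mode is checked separately by the kernel, so a complete fix sets both dir_mode=0700 and file_mode=0600 in the pam_mount options.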