Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Home Folder
58 views
Skip to first unread message
Carlos A. P. Cunha
Jul 9, 2016, 6:40:03 PM7/9/16
to
Hello! I am following the how to
https://wiki.samba.org/index.php/User_home_drives
But even though there reported a process for User X does not access the
home of Y User, this is happening
root@fileserver:/srv/samba# getfacl home/
# file: home/
# owner: root
# group: root
user::rwx
user:root:rwx
user:administrator:rwx
group::r-x
group:root:r-x
group:5007:r-x
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:administrator:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---
------------------
root@fileserver:/srv/samba/home# getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---
----------------------
From what I think is, the problem is with the permissions of the group
"Domain user" but that and automatically set, because it is the default
group of users.
Any idea ?
Thank you
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
https://wiki.samba.org/index.php/User_home_drives
But even though there reported a process for User X does not access the
home of Y User, this is happening
root@fileserver:/srv/samba# getfacl home/
# file: home/
# owner: root
# group: root
user::rwx
user:root:rwx
user:administrator:rwx
group::r-x
group:root:r-x
group:5007:r-x
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:administrator:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---
------------------
root@fileserver:/srv/samba/home# getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---
----------------------
From what I think is, the problem is with the permissions of the group
"Domain user" but that and automatically set, because it is the default
group of users.
Any idea ?
Thank you
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
Jul 11, 2016, 9:10:02 AM7/11/16
to
Hi Carlos,
Your problem is userA can access home directory of userB?
If your issue is only that, then you are right, this issue comes from the
fact all AD users are, by default, in "Domain users" and your Home
directories grant "Domain Users" "r-x" which means "read and enter" when
applied to directory.
Simply remove "Domain Users" from these ACL or change "Domain Users" ACl
entry to "---".
Cheers,
mathias
Your problem is userA can access home directory of userB?
If your issue is only that, then you are right, this issue comes from the
fact all AD users are, by default, in "Domain users" and your Home
directories grant "Domain Users" "r-x" which means "read and enter" when
applied to directory.
Simply remove "Domain Users" from these ACL or change "Domain Users" ACl
entry to "---".
Cheers,
mathias
Carlos A. P. Cunha
Jul 11, 2016, 12:50:04 PM7/11/16
to
Hello!
But when I add the User the way "Home folder" the folder is
automatically created it already comes with these permissions:
getfacl rs-01 /
# File: rs-01 /
# Owner: administrator
# Group: domain \ 040users
default: other :: ---
and something else as well "ACL entry to" --- "." ??
Thanks!!!
Em 11-07-2016 09:59, mathias dufresne escreveu:
> Hi Carlos,
>
> Your problem is userA can access home directory of userB?
>
> If your issue is only that, then you are right, this issue comes from
> the fact all AD users are, by default, in "Domain users" and your Home
> directories grant "Domain Users" "r-x" which means "read and enter"
> when applied to directory.
>
> Simply remove "Domain Users" from these ACL or change "Domain Users"
> ACl entry to "---".
>
> Cheers,
>
> mathias
>
> 2016-07-10 0:31 GMT+02:00 Carlos A. P. Cunha <carlos...@gmail.com
> <mailto:carlos...@gmail.com>>:
But when I add the User the way "Home folder" the folder is
automatically created it already comes with these permissions:
getfacl rs-01 /
# File: rs-01 /
# Owner: administrator
# Group: domain \ 040users
user :: rwx
user: rs-01: rwx
user: administrator: rwx
group :: r-x
group: domain \ 040users: r-x
group: BUILTIN \ 134administrators: rwx
user: rs-01: rwx
user: administrator: rwx
group :: r-x
group: domain \ 040users: r-x
group: BUILTIN \ 134administrators: rwx
mask :: rwx
other :: ---
default: user :: rwx
default: user: rs-01: rwx
default: user: administrator: rwx
default: x r-group ::
other :: ---
default: user :: rwx
default: user: rs-01: rwx
default: user: administrator: rwx
default: group: domain \ 040users: r-x
default: group: BUILTIN \ 134administrators: rwx
default: mask :: rwx
default: group: BUILTIN \ 134administrators: rwx
default: other :: ---
and something else as well "ACL entry to" --- "." ??
Thanks!!!
Em 11-07-2016 09:59, mathias dufresne escreveu:
> Hi Carlos,
>
> Your problem is userA can access home directory of userB?
>
> If your issue is only that, then you are right, this issue comes from
> the fact all AD users are, by default, in "Domain users" and your Home
> directories grant "Domain Users" "r-x" which means "read and enter"
> when applied to directory.
>
> Simply remove "Domain Users" from these ACL or change "Domain Users"
> ACl entry to "---".
>
> Cheers,
>
> mathias
>
> 2016-07-10 0:31 GMT+02:00 Carlos A. P. Cunha <carlos...@gmail.com
Carlos A. P. Cunha
Jul 12, 2016, 8:10:04 AM7/12/16
to
Sorry hehehehe
I mean, when access RSAT and add the "Home Folder" of the User, and give
a Apply, the folder is automatically created with the permissions below,
where the "Domain Users" is already linked:
getfacl rs-01 /
# File: rs-01 /
# Owner: administrator
# Group: domain \ 040users
user :: rwx
user: rs-01: rwx
user: administrator: rwx
group :: r-x
group: domain \ 040users: r-x
group: BUILTIN \ 134administrators: rwx
mask :: rwx
other :: ---
default: user :: rwx
default: user: rs-01: rwx
default: user: administrator: rwx
default: x r-group ::
default: group: domain \ 040users: r-x
default: group: BUILTIN \ 134administrators: rwx
default: mask :: rwx
default: other :: ---
and something else as well "ACL entry to" --- "." ??
Thanks!!!
Em 12-07-2016 05:31, mathias dufresne escreveu:
> Sorry I don't understand what you said.
>
> 2016-07-12 10:30 GMT+02:00 mathias dufresne <infra...@gmail.com
> <mailto:infra...@gmail.com>>:
>
> orry I don't understand what you said.
I mean, when access RSAT and add the "Home Folder" of the User, and give
a Apply, the folder is automatically created with the permissions below,
where the "Domain Users" is already linked:
getfacl rs-01 /
# File: rs-01 /
# Owner: administrator
# Group: domain \ 040users
user :: rwx
user: rs-01: rwx
user: administrator: rwx
group :: r-x
group: domain \ 040users: r-x
group: BUILTIN \ 134administrators: rwx
mask :: rwx
other :: ---
default: user :: rwx
default: user: rs-01: rwx
default: user: administrator: rwx
default: x r-group ::
default: group: domain \ 040users: r-x
default: group: BUILTIN \ 134administrators: rwx
default: mask :: rwx
default: other :: ---
and something else as well "ACL entry to" --- "." ??
Thanks!!!
> Sorry I don't understand what you said.
>
> 2016-07-12 10:30 GMT+02:00 mathias dufresne <infra...@gmail.com
> <mailto:infra...@gmail.com>>:
>
> orry I don't understand what you said.
mathias dufresne
Jul 12, 2016, 8:30:08 AM7/12/16
to
share, this tool come with default use case, the default use case is to
create a share owned by that user (for user permission in ACL) and by
user's default group (which is Windows RID 513 -> "Domain Users", its UNIX
UID can be anything else) for group ownership in ACL.
Use another tool to create your folders (homemade UNIX shell script should
do what you want) or change directory permissions after directory creation.
You could also change user's default windows group, set something else than
"domain users" but I don't think this is advisable (I mean I do believe it
is a BAD idea).
>
> and something else as well "ACL entry to" --- "." ??
>
>
> Thanks!!!
>
>
>
> Em 12-07-2016 05:31, mathias dufresne escreveu:
>
> Sorry I don't understand what you said.
>
> 2016-07-12 10:30 GMT+02:00 mathias dufresne <infra...@gmail.com>:
>
>> orry I don't understand what you said.
>>
>
>> orry I don't understand what you said.
>>
L.P.H. van Belle
Jul 12, 2016, 8:40:03 AM7/12/16
to
Just a tip.
If you create users with RSAT and you also uses unix id's ( UID/GID )
Used with AD backend.
The first assign the UID/GID and then apply the home dir folders in RSAT.
Only for user home dirs.
This can help if you also use ssh to login and you cant enter your own home dir.
Per example:
Your ACL ( for the user )
# file: home/users/username/
# owner: username
group::---
group:root:---
default:user: username:rwx
default:group::---
default:group:root:---
From within linux no user can enter the "username" folder.
Only the user and members of "Domain admins" (which is member of) BUILDIN\Administrator.
Or users which can kinit.
( p.s. i use homedirs over NFSv4 kerberized )
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-...@lists.samba.org] Namens Carlos A. P.
> Cunha
> Verzonden: dinsdag 12 juli 2016 14:05
> Aan: mathias dufresne; sa...@lists.samba.org
> Onderwerp: Re: [Samba] Home Folder
If you create users with RSAT and you also uses unix id's ( UID/GID )
Used with AD backend.
The first assign the UID/GID and then apply the home dir folders in RSAT.
Only for user home dirs.
This can help if you also use ssh to login and you cant enter your own home dir.
Per example:
Your ACL ( for the user )
> # File: rs-01 /
> # Owner: administrator
> # Group: domain \ 040users
> user :: rwx
> user: rs-01: rwx
> user: administrator: rwx
> group :: r-x
> group: domain \ 040users: r-x
> group: BUILTIN \ 134administrators: rwx
> mask :: rwx
> other :: ---
> default: user :: rwx
> default: user: rs-01: rwx
> default: user: administrator: rwx
> default: x r-group ::
> default: group: domain \ 040users: r-x
> default: group: BUILTIN \ 134administrators: rwx
> default: mask :: rwx
> default: other :: ---
My ACL
> # Owner: administrator
> # Group: domain \ 040users
> user :: rwx
> user: rs-01: rwx
> user: administrator: rwx
> group :: r-x
> group: domain \ 040users: r-x
> group: BUILTIN \ 134administrators: rwx
> mask :: rwx
> other :: ---
> default: user :: rwx
> default: user: rs-01: rwx
> default: user: administrator: rwx
> default: x r-group ::
> default: group: domain \ 040users: r-x
> default: group: BUILTIN \ 134administrators: rwx
> default: mask :: rwx
> default: other :: ---
# file: home/users/username/
# owner: username
# group: root
user::rwx
user:root:rwx
user: username:rwx
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
mask::rwx
other::---
default:user::rwx
default:user: username:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---
The difference.. my user is owner of its own homedir, yours its administrator.
default:mask::rwx
default:other::---
From within linux no user can enter the "username" folder.
Only the user and members of "Domain admins" (which is member of) BUILDIN\Administrator.
Or users which can kinit.
( p.s. i use homedirs over NFSv4 kerberized )
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-...@lists.samba.org] Namens Carlos A. P.
> Cunha
> Verzonden: dinsdag 12 juli 2016 14:05
> Aan: mathias dufresne; sa...@lists.samba.org
> Onderwerp: Re: [Samba] Home Folder
0 new messages