Samba4 [homes] share
Solution 1
Try something like:
[homes]
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
That should set it so that users can't see each other's home folders, files/folders are created securely, and should auto-create the folders.
Solution 2
Check your /etc/pam.d/common-session file:
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
You also need to add the following under [homes]
path = /home/%U
KJS
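An added example, not code from the thread or from Samba: a shell version of the provisioning script the asker mentions falling back to in the comments. It creates each missing directory with mode 0700 (matching Solution 1's masks, where Solution 2's umask=0022 would give 0755) and reports anything under the base path left open to group or other. The function names and the base path argument are assumptions, as is feeding it account names from wbinfo -u.

```bash
#!/usr/bin/env bash
# Added example, not from the thread; names and BASE are assumptions. Run as root.

# ensure_home BASE USER: create BASE/USER (mode 0700, owned by USER) if missing.
ensure_home() {
    local base="$1" user="$2" dir
    case "$user" in
        ''|.|..|-*|*/*) echo "unsafe name: '$user'" >&2; return 2 ;;
    esac
    # Only provision accounts that resolve through NSS (winbind included).
    id -u "$user" >/dev/null 2>&1 || { echo "unknown account: $user" >&2; return 3; }
    dir="$base/$user"
    if [ -L "$dir" ]; then echo "refusing symlink: $dir" >&2; return 4; fi
    if [ -d "$dir" ]; then return 0; fi
    mkdir -m 0700 -- "$dir" || return 1
    # Only root can give the directory away; otherwise the caller stays owner.
    if [ "$(id -u)" -eq 0 ]; then
        chown -- "$user" "$dir" || { rmdir -- "$dir"; return 1; }
    fi
    echo "created $dir"
}

# provision_all BASE: read account names on stdin, one per line. A DOMAIN\ prefix
# (the form wbinfo prints) is stripped so the directory matches the share name.
provision_all() {
    local base="$1" name short rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        short=${name##*\\}
        ensure_home "$base" "$short" || rc=1
    done
    return $rc
}

# audit_homes BASE: report a world-writable BASE and every entry that is not a
# directory closed to group and other. Returns 1 if anything was reported.
audit_homes() {
    local base="$1" entry bad=0
    case "$(ls -ld -- "$base" | cut -c1-10)" in
        d???????w?) echo "world-writable base: $base"; bad=1 ;;
    esac
    for entry in "$base"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        case "$(ls -ld -- "$entry" | cut -c1-10)" in
            d???------) ;;
            *) echo "not private: $entry"; bad=1 ;;
        esac
    done
    return $bad
}
```

Run as root, for example: wbinfo -u | provision_all /storage-server/users, followed by audit_homes /storage-server/users.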
SambaDrivesMeCrazy
Updated on September 18, 2022
Comments
-
SambaDrivesMeCrazy almost 2 years
I am having issues with the [homes] share. OS is Ubuntu 12.04. I've installed samba 4.0.3, bind9 dlz, ntp, winbind, everything but pam modules, and did all the tests from https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO.
Running getent passwd and getent user work just fine. Creating a simple share works just fine too. I can manage the users, GPOs, and DNS from the windows mmc snap-ins. I can join winxp,7,8 to the domain and log on perfectly. I can change my passwords from windows, etc..etc..
I could say that everything is fine and be happy :) buuuut, no, home directories do not work.
Searching in here, and on our good friend google I gathered that a simple
[homes]
read only = no
path = /storage-server/users/
and mapping the user's home folder in dsa.msc to \\server-001\username or \\server-001\homes should get me a home share I could map for my user homedir. But the snap-in gives me an error saying that it cannot create the home folder because the network name has not been found (rough translation from Portuguese).
Also, running
root@server-001:/storage-server/users# smbclient //server-001/test -Utest%'12345678' -c 'ls'
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.3]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Server name is alright, if I go for a simple share on the same server it opens just fine. If I map the user homedir to this simple share it works.
What I want is that I don't have to go and manually make a new folder on linux every time I create a new user on windows.
It looks like permissions but I can't find any documentation on this (yes I've tried the manpages, but it's hard to tell with so many options on man smb.conf alone).
My smb.conf right now looks like this (pretty simple I know)
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
netbios name = SERVER-001
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
path = /usr/local/samba/var/locks/sysvol/mydomain.lan/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[homes]
read only = no
path = /storage-server/users

Folder permissions
/storage-server
drwxr-xr-x 6 root root 4096 Fev 15 15:17 storage-server
/storage-server/users
drwxrwxrwx 6 root root 4096 Fev 18 17:05 users/
Yes, I was desperate enough to set 777 on the users folder... not proud of it.
Any pointers in the right direction would be very welcome.
Edited to include:
root@server-001:/# wbinfo --user-info=test
MYDOMAIN\test:*:3000045:100:test:/home/MYDOMAIN/test:/bin/false
root@server-001:/# wbinfo -n test
S-1-5-21-1957592451-3401938807-633234758-1128 SID_USER (1)
root@server-001:/# id test
uid=3000045(MYDOMAIN\test) gid=100(users) grupos=100(users)
root@server-001:/# wbinfo -U 3000045
S-1-5-21-1957592451-3401938807-633234758-1128
root@server-001:/#
Edit 2:
getent passwd | grep test
MYDOMAIN\test:*:3000045:100:test:/home/MYDOMAIN/test:/bin/false
I have no idea how to change that home folder to /storage-server/users/test so I just went and ran ln -s /storage-server/users /home/MYDOMAIN just in case. Still, no changes, same errors.
Edit 3
On log.smbd I get the following error when trying to set the test user home folder to \\server-001\test
[2013/02/20 14:22:08.446658, 2] ../source3/smbd/service.c:418(create_connection_session_info)
  user 'MYDOMAIN\Administrator' (from session setup) not permitted to access this share (test)
-
mdpc over 11 years
Does the UID obtained from the AD server match that of the Samba server for a given user?
-
SambaDrivesMeCrazy over 11 years
you mean the UID on the dsa.msc user properties/unix attributes compared to running id username? on the unix attributes tab I get no UID/GID for the user.
-
SambaDrivesMeCrazy over 11 years
or..
root@server-001:/# wbinfo --user-info=test
MYDOMAIN\test:*:3000045:100:test:/home/MYDOMAIN/test:/bin/false
root@server-001:/# wbinfo -n test
S-1-5-21-1957592451-3401938807-633234758-1128 SID_USER (1)
root@server-001:/# id test
uid=3000045(MYDOMAIN\test) gid=100(users) grupos=100(users)
root@server-001:/# wbinfo -U 3000045
S-1-5-21-1957592451-3401938807-633234758-1128
root@server-001:/#
-
SambaDrivesMeCrazy over 11 years
sorry. it seems I can't properly format code in comments... (tried searching meta to no avail).
-
jscott over 11 years
@SambaDrivesMeCrazy You may also edit your question to include the updated information - formatting should work better there.
-
SambaDrivesMeCrazy over 11 years
@jscott tks for the tip on formatting.
-
SambaDrivesMeCrazy over 11 years
Edit2 to add getent results.
-
SambaDrivesMeCrazy over 11 years
raised log level = 9 but found no really useful information :/
-
SambaDrivesMeCrazy over 11 years
I just saw on the log.smbd file that whenever I try to apply \\server-001\test to the test user homefolder I get the following error.
[2013/02/20 14:22:08.446658, 2] ../source3/smbd/service.c:418(create_connection_session_info)
  user 'MYDOMAIN\Administrator' (from session setup) not permitted to access this share (test)
-
SambaDrivesMeCrazy over 11 years
Well.. this question keeps eluding me, I'll just give up and make the home folders by hand till I manage to get samba4 to make them, hopefully in a future release. even joining a samba3 server to the samba4 AD didn't do the work. same stuff, no auto home folder.
-
SambaDrivesMeCrazy over 11 years
Gave up, just made a shell script to list users and check if there are homefolders for them, if there's no folder then it makes it and gives proper permissions and ownership.
-
CIA over 11 years
Did you configure selinux to allow SMB or disabled selinux altogether?
-
SambaDrivesMeCrazy over 11 years
there's no selinux installed, only apparmor. I tried removing apparmor, tried giving rights to samba to write everywhere, no luck.
-
SambaDrivesMeCrazy over 11 years
right now trying to get a samba3 server to join the samba4 ad to serve files, but of course I'd be unlucky with that too :)