Discussion:
[Samba] Home Folder
Carlos A. P. Cunha
2016-07-09 22:31:02 UTC
Hello! I am following the how-to

https://wiki.samba.org/index.php/User_home_drives

But even though it describes a procedure so that user X cannot access user Y's home, this is what is happening:

***@fileserver:/srv/samba# getfacl home/
# file: home/
# owner: root
# group: root
user::rwx
user:root:rwx
user:administrator:rwx
group::r-x
group:root:r-x
group:5007:r-x
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:administrator:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---

------------------

***@fileserver:/srv/samba/home# getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---


----------------------

What I think is that the problem is with the permissions of the group "Domain Users", but that is set automatically, because it is the default group of users.


Any idea?

Thank you
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-07-11 12:59:11 UTC
Hi Carlos,

Your problem is that userA can access the home directory of userB?

If your issue is only that, then you are right: this issue comes from the fact that all AD users are, by default, in "Domain Users", and your home directories grant "Domain Users" "r-x", which means "read and enter" when applied to a directory.

Simply remove "Domain Users" from these ACLs or change the "Domain Users" ACL entry to "---".

Cheers,

mathias
Carlos A. P. Cunha
2016-07-11 16:41:24 UTC
Hello!
But when I add the user via "Home folder", the folder is created automatically and already comes with these permissions:


getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---


And something else as well: "ACL entry to '---'"??


Thanks!!!
Carlos A. P. Cunha
2016-07-12 12:05:21 UTC
Sorry hehehehe.
I mean, when I go into RSAT, add the user's "Home Folder" and click Apply, the folder is created automatically with the permissions below, where "Domain Users" is already linked:

getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---


And something else as well: "ACL entry to '---'"??


Thanks!!!
Post by mathias dufresne
Sorry I don't understand what you said.
mathias dufresne
2016-07-12 12:19:13 UTC
That sounds normal to me. You are using Microsoft tools to create your share; this tool comes with a default use case, and the default use case is to create a share owned by that user (for the user permission in the ACL) and by the user's default group (which is Windows RID 513 -> "Domain Users"; its UNIX UID can be anything else) for the group ownership in the ACL.

Use another tool to create your folders (a homemade UNIX shell script should do what you want) or change the directory permissions after directory creation. You could also change the user's default Windows group and set it to something other than "Domain Users", but I don't think this is advisable (I mean, I do believe it is a BAD idea).
Post by Carlos A. P. Cunha
And something else as well: "ACL entry to '---'"??
Thanks!!!
Sorry I don't understand what you said.
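As an added example (not code from the thread or from Samba), the check mathias's diagnosis and remedy imply, and the "change directory permissions after creation" step he suggests, as a small Python audit: it parses getfacl output (including the \040 / \134 octal escapes), applies the mask to get effective permissions, flags every non-admin group that can list or enter a home directory, and emits the setfacl commands that drop those entries. The sample listing is Carlos's rs-01 output, abridged; the path and the ADMIN_GROUPS set are assumptions.

```python
import re
import shlex

# getfacl escapes spaces and backslashes in names as octal (\040 = space, \134 = backslash).
_OCT = re.compile(r"\\([0-7]{3})")
ADMIN_GROUPS = {"domain admins", "builtin\\administrators"}  # assumed: rwx for these is intended

def unescape(name):
    return _OCT.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header dict, [(is_default, tag, qualifier, perms)]); qualifier is '' for the owner/owning group."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            header[key.strip()] = unescape(val.strip())
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        tag, qual, perms = parts[1:] if is_default else parts
        entries.append((is_default, tag, unescape(qual), perms))
    return header, entries

def open_groups(header, entries, is_default=False):
    """Non-admin groups whose effective perms (entry ANDed with mask::) include r (list) or x (enter)."""
    sel = [e[1:] for e in entries if e[0] == is_default]
    mask = next((p for t, _, p in sel if t == "mask"), "rwx")
    found = []  # (name, effective perms, is_owning_group)
    for tag, qual, perms in sel:
        name = qual or header.get("group", "")
        if tag == "group" and name.lower() not in ADMIN_GROUPS:
            eff = "".join(a if a == b else "-" for a, b in zip(perms, mask))
            if "r" in eff or "x" in eff:
                found.append((name, eff, qual == ""))
    return found

def fix_commands(path, header, entries):
    """mathias's remedy as setfacl calls: drop each open group's entries; the owning group gets '---' (it cannot be dropped)."""
    cmds = []
    for is_default in (False, True):
        d = "-d " if is_default else ""
        for name, _, owning in open_groups(header, entries, is_default):
            target = "-m g::---" if owning else "-x g:" + shlex.quote(name)
            cmds.append(f"setfacl {d}{target} {shlex.quote(path)}")
    return cmds

# Constructed sample: Carlos's rs-01 listing from the thread, abridged.
CARLOS_RS01 = r"""# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
mask::rwx
default:group::r-x
default:group:domain\040users:r-x
"""
```

Both the owning-group entry (group::r-x, whose group is "domain users") and the named "domain users" entry are reported, which is why a single `setfacl -x` is not enough for Carlos's directory.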
L.P.H. van Belle
2016-07-12 12:28:14 UTC
Just a tip.
If you create users with RSAT and you also use UNIX IDs (UID/GID) with the AD backend:

First assign the UID/GID and then apply the home dir folders in RSAT.
Only for user home dirs.
This can help if you also use SSH to log in and you can't enter your own home dir.

For example:

Your ACL (for the user):
Post by Carlos A. P. Cunha
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---
My ACL:
# file: home/users/username/
# owner: username
# group: root
user::rwx
user:root:rwx
user:username:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:username:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---

The difference: my user is the owner of its own homedir; yours is administrator.

From within Linux no user can enter the "username" folder.
Only the user and members of "Domain Admins" (which is a member of BUILTIN\Administrators), or users who can kinit.

(P.S. I use homedirs over kerberized NFSv4.)


Greetz,

Louis