Shaun J. O'Callaghan
2006-Sep-07 08:01 UTC
[Samba] Mounting home directory from Windows in Linux
Hi All,

I'm using samba 3.0.10-1 on RedHat Enterprise Linux 4.

I'm authenticating to our PDC using Winbind and also mounting our home directory share (from Windows) onto our main Linux server such that when a user logs on to the Linux server, their Windows home directory is mounted also.

I'm using the domain admin account to mount the home directory share, which I feel is probably not the best way to go about doing this because when a user logs in to their account they can "cd .." and traverse other user accounts.

How should this share be correctly mounted using Samba?

I've pasted smb.conf below, I've tried multiple arrangements of 'create mask', 'directory mask' and 'directory security mask' even though (if I'm right) they shouldn't be needed when using winbind.

Can anybody please shed any light on this?

Kind Regards,

Shaun O'Callaghan

smb.conf

    [global]
    workgroup = OUR_DOMAIN
    server string = Linux
    printcap name = /etc/printcap
    load printers = yes
    cups options = raw
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ads
    realm = OUR_FULLY_QUALIFIED_DOMAIN
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no

    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = yes
    password server = IP_OF_PDC

    [homes]
    comment = Home Directories
    path = /home/DOMAIN/
    browseable = no
    create mask = 0700
    directory mask = 0700
    directory security mask = 0700
    admin users = OUR_DOMAIN\ADMINISTRATOR
    writable = yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
Dale Schroeder
2006-Sep-07 15:25 UTC
[Samba] Mounting home directory from Windows in Linux
Try "valid users = DOMAIN\%S"

Keep in mind that this parameter is broken in 3.0.23, but has been resolved in 3.0.23c. I'm still waiting on the updated debs so that I can upgrade.

Dale

Shaun J. O'Callaghan wrote:
> Hi All,
>
> I'm using samba 3.0.10-1 on RedHat Enterprise Linux 4.
>
> I'm authenticating to our PDC using Winbind and also mounting our home
> directory share (from Windows) onto our main Linux server such that when
> a user logs on to the Linux server, their Windows home directory is
> mounted also.
>
> I'm using the domain admin account to mount the home directory share,
> which I feel is probably not the best way to go about doing this because
> when a user logs in to their account they can "cd .." and traverse other
> user accounts.
>
> How should this share be correctly mounted using Samba?
>
> I've pasted smb.conf below, I've tried multiple arrangements of 'create
> mask', 'directory mask' and 'directory security mask' even though (if
> I'm right) they shouldn't be needed when using winbind.
>
> Can anybody please shed any light on this?
>
> Kind Regards,
>
> Shaun O'Callaghan
>
> smb.conf
>
> [global]
> workgroup = OUR_DOMAIN
> server string = Linux
> printcap name = /etc/printcap
> load printers = yes
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ads
> realm = OUR_FULLY_QUALIFIED_DOMAIN
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
>
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> winbind use default domain = yes
> password server = IP_OF_PDC
>
> [homes]
> comment = Home Directories
> path = /home/DOMAIN/
> browseable = no
> create mask = 0700
> directory mask = 0700
> directory security mask = 0700
> admin users = OUR_DOMAIN\ADMINISTRATOR
> writable = yes
> ***valid users = DOMAIN\%S***
Shaun J. O'Callaghan
2006-Sep-07 15:40 UTC
[Samba] Mounting home directory from Windows in Linux
Dale,

Thanks for your reply.

I've just added valid users = OUR_DOMAIN\%S but no luck. Any user can still traverse any directory.

Should the filesystem be mounted as root? Could there be a problem with ACLs?

We're running 3.0.10-1

Any further advice would be great.

Kind Regards,

Shaun James O'Callaghan
Shaun J. O'Callaghan
2006-Sep-07 18:12 UTC
[Samba] Mounting home directory from Windows in Linux
Dale,

Thanks for your reply, let me clarify.

We have a Windows 2003 domain which contains a share for our user home directories. We've recently integrated a Linux server running Samba into our domain which users are going to be using and we want to provide access to their Windows based files.

As I mentioned, I've mounted the share in Linux and I'm authenticating through Winbind but every user has access to every other user's files.

Could this be something to do with the fact I've mounted the share with Domain Administrator privileges or not?

Kind Regards,

Shaun

________________________________

From: Dale Schroeder [mailto:dale@BriannasSaladDressing.com]
Sent: 07 September 2006 17:56
To: Shaun J. O'Callaghan
Subject: Re: [Samba] Mounting home directory from Windows in Linux

Shaun,

Maybe I misread your post. Are these home directories on the Samba server or the Windows PDC?

Assuming Samba server homes as viewed from Windows, this answer is based on your smb.conf [homes] entry of "path = /home/DOMAIN".

In our network, in addition to the "valid users" directive, I have set the POSIX permissions of the home directories to drwxr----- . The directories are owned by "the_user:Domain Users". From Windows Explorer, only the owner can view the files within. No special (root) mounting should be required, and I don't feel qualified to comment on POSIX ACLs.

Hope this helps.

Dale
Shaun J. O'Callaghan
2006-Sep-07 19:13 UTC
[Samba] Mounting home directory from Windows in Linux
Dale,

Because Windows users need to be able to access files from Linux that reside in Windows shares.

I'm pretty confident that this is a problem that's come up many times on this list, I just can't find the answer.

Shaun

________________________________

From: Dale Schroeder [mailto:dale@BriannasSaladDressing.com]
Sent: 07 September 2006 20:05
To: Shaun J. O'Callaghan
Subject: Re: [Samba] Mounting home directory from Windows in Linux

Shaun,

I have never tried what you are describing, but mounting with domain administrator privileges would give full access to everything in the mount. I am deducing from that fact that anyone with share privileges would therefore be able to do anything with everything in that mount. However, deduction is hardly infallible, and quite often wrong. I wish I had a better answer.

To satisfy my own curiosity, why do you wish to share a Windows directory through Samba instead of natively through Windows?

Dale
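
As an added example (not part of the original posts and not Samba's own code), the check below flags mounts like the one discussed in this thread: a single CIFS mount authenticated as one account and traversable by other local users, so every local user reaches the server with that account's rights. It assumes the share is mounted with the Linux CIFS client and that its options appear in the /proc/mounts format; the sample lines, the PRIVILEGED set and the function names are constructed for illustration.

```python
# Added example: audit a mount table (same layout as /proc/mounts) for CIFS
# mounts that all local users share under one server-side identity.
SAMPLE_MOUNTS = """\
//pdc/home /home/DOMAIN cifs rw,username=administrator,domain=OUR_DOMAIN,uid=0,gid=0,file_mode=0755,dir_mode=0755 0 0
//pdc/home/alice /home/DOMAIN/alice cifs rw,username=alice,domain=OUR_DOMAIN,uid=16777217,file_mode=0700,dir_mode=0700 0 0
//pdc/projects /srv/projects cifs rw,multiuser,sec=krb5,username=svc_mount,file_mode=0755,dir_mode=0755 0 0
/dev/sda1 / ext3 rw 0 0
"""  # constructed sample input, not taken from the thread
PRIVILEGED = {"administrator", "root"}  # assumption: adjust to local account naming


def parse_options(field):
    """Turn 'rw,username=bob,dir_mode=0755' into {'rw': True, 'username': 'bob', ...}."""
    opts = {}
    for item in field.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else True
    return opts


def audit_cifs_mounts(mount_table):
    """Return (mountpoint, [reasons]) for each CIFS mount on which local users
    other than the owner act with the mounting account's rights on the server."""
    findings = []
    for line in mount_table.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "cifs":
            continue
        mountpoint, opts = parts[1], parse_options(parts[3])
        if opts.get("multiuser"):
            continue  # each local user gets a server session of their own
        dir_mode = int(str(opts.get("dir_mode", "0755")), 8)  # 0755 assumed if absent
        if dir_mode & 0o011:  # group or other may traverse directories locally
            user = str(opts.get("username", "?"))
            reasons = [f"dir_mode {dir_mode:04o}: all access is performed as '{user}'"]
            if user.lower() in PRIVILEGED:
                reasons.append("mount account is privileged on the server")
            findings.append((mountpoint, reasons))
    return findings


if __name__ == "__main__":
    for mountpoint, reasons in audit_cifs_mounts(SAMPLE_MOUNTS):
        print(mountpoint, "->", "; ".join(reasons))
```

On a live system the same function can be fed the contents of /proc/mounts instead of the sample text.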