Hello,

I am trying to auto create and mount home directories using a GPO, as per https://wiki.samba.org/index.php/User_Home_Folders.

I currently have home directories being created, through the use of pam_mkhomedir.so with 'obey pam restrictions = yes' in my smb.conf file. I have also set up the share permissions and Windows ACLs as per the above link.

Unfortunately, even though the user's home directory is being created on the samba file server, I cannot see the new folder from Windows and my GPO is not mapping the network drive. However, the same GPO does successfully map a drive for a different share.

On the Windows 7 PC, when I run 'gpresult /H gpo.html', I see that the GPO has been applied to my PC, but it does show an error message for the home dir mapping. The error is 'Result: Failure (Error Code: 0x80070035)'.

A Google search turns up potential issues with DNS or with the share name being specified using a trailing slash in the GPO. Given the mapping of the other share works just fine, I can rule out DNS. My share definition in the GPO doesn't have a trailing slash, but it does use a variable '%LogonUser%'. I also tried creating the GPO with the variable '%username%', which didn't work either.

Here's my smb.conf:

    [global]
        kerberos method = system keytab
        workgroup = FTLC
        security = ads
        realm = AD.FTLCOMPUTING.COM

        # Netbios is dead, let's make it explicit
        disable netbios = yes

        # Encrypting SMB traffic is a good basic defense
        # As soon as Windows 7 goes away, we'll be able to
        # change this to 'required'
        smb encrypt = desired

        # Logging
        log file = /var/log/samba/%m.log
        log level = 5

        # We're using the RID method of mapping SIDs to UID/GID
        idmap config FTLC : range = 2000000-2999999
        idmap config FTLC : backend = rid
        idmap config * : range = 10000-999999
        idmap config * : backend = tdb

        # Samba AD users will not have access to a shell on linux hosts
        template shell = /bin/false

        # Winbind
        winbind use default domain = no
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind enum groups = no
        winbind enum users = no

        # Map domain admin account to local root account
        # and resolve other "net rpc" issues
        username map = /etc/samba/user.map

        bind interfaces only = yes
        interfaces = lo eth0

        # Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
        # The ignore system acls option, will hopefully eliminate the issues we have
        # encountered with having to set POSIX and NT ACLs. This does mean that all file
        # access must be done through Samba
        vfs objects = acl_xattr
        acl_xattr:default acl style = windows
        acl_xattr:ignore system acls = yes
        map acl inherit = yes
        store dos attributes = yes

        # ---------------------------------------------------------------------
        # Automatic creation of home directories
        # In addition to the NT ACL settings above and the [users] share in
        # the shares section below, the following settings are needed in order for
        # automatic creation of home directories to work

        # Home directory path
        template homedir = /srv/samba/users/%U

        # To help with automated creation of user home directories,
        # we need the following in this smb.conf file and we need
        # 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
        # added to /etc/pam.d/common-session
        obey pam restrictions = yes
        # end home dir settings -----------------------------------------------

    ##################################
    #             Shares             #
    ##################################
    # All shares will be created within the /srv/samba/shares/ folder,
    # except for home dirs which are in /srv/samba/users/
    # For example:
    #[test]
    #    path = /srv/samba/shares/test
    #    comment = Test Share
    #    guest ok = no
    #    read only = no

    [users]
        path = /srv/samba/users/%U
        comment = Share for user home dirs
        guest ok = no
        read only = no

    [Operations]
        path = /srv/samba/shares/Operations
        comment = FTL Operations
        guest ok = no
        read only = no

--
Mason
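
How a per-user UNC path combines with a share whose path already contains %U, as an added example that is not part of the original thread. The server name fileserver, the user mason, the GPO location \\fileserver\users\%LogonUser% and the users_parent share are assumptions (the post gives none of them), and %U is assumed to expand to the bare session user name.

```python
import configparser
import posixpath
import re

# Constructed sample: the [users] share as posted, plus a hypothetical
# variant ("users_parent") whose path stops at the parent directory.
SMB_CONF = """
[users]
path = /srv/samba/users/%U
read only = no

[users_parent]
path = /srv/samba/users
read only = no
"""

def load_shares(text):
    """Return {lower-cased share name: path template} from smb.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s.lower(): cp[s]["path"] for s in cp.sections() if "path" in cp[s]}

def expand_client_vars(unc, logon_user):
    """Expand %LogonUser% / %username% the way the Windows client would."""
    return re.sub(r"%(logonuser|username)%", lambda m: logon_user, unc, flags=re.I)

def resolve_unc(unc, session_user, shares):
    """Return the server-side directory a UNC path lands in.

    Assumption: %U expands to the bare session user name; no other
    smb.conf variable is modelled.
    """
    parts = [p for p in unc.split("\\") if p]
    if len(parts) < 2:
        raise ValueError("expected a UNC path with a server and a share")
    share, rest = parts[1].lower(), parts[2:]
    if share not in shares:
        raise KeyError(share)
    if any(p in (".", "..") for p in rest):
        raise ValueError("relative path components are not allowed")
    root = shares[share].replace("%U", session_user)
    return posixpath.join(root, *rest)

if __name__ == "__main__":
    shares = load_shares(SMB_CONF)
    # Hypothetical server name and user; the post does not give the GPO path.
    for unc in (r"\\fileserver\users\%LogonUser%", r"\\fileserver\users",
                r"\\fileserver\users_parent\%LogonUser%"):
        mapped = expand_client_vars(unc, "mason")
        print(mapped, "->", resolve_unc(mapped, "mason", shares))
```

Under these assumptions, the per-user path against the [users] definition as posted resolves to /srv/samba/users/mason/mason, one level below the directory that template homedir names.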

> Hello,
>
> I am trying to auto create and mount home directories using a GPO, as per
> https://wiki.samba.org/index.php/User_Home_Folders.
>
> I currently have home directories being created, through the use of
> pam_mkhomedir.so with 'obey pam restrictions = yes' in my smb.conf file.
> I have also set up the share permissions and Windows ACLs as per the above
> link.
>
> Unfortunately, even though the user's home directory is being created on
> the samba file server, I cannot see the new folder from Windows and my GPO
> is not mapping the network drive. However, the same GPO does successfully
> map a drive for a different share.
>

Whilst you can use a GPO, you don't *need* a GPO to automatically create users' home folders on the samba fileserver and map a drive in Windows.

In ADUC on the Profile tab, connect the desired drive letter to the path to the user's home folder, e.g. \\FILESERVER\USERS\%username%

It is important to use the %username% instead of the actual username - that way the folder will get created automatically if it doesn't exist.

Also the correct Windows ACLs must be set on the USERS directory for this to work correctly. See the wiki at: https://wiki.samba.org/index.php/User_Home_Folders for details.

When the user logs on to any Windows machine in the domain, the appropriate drive letter will be automatically connected to the user's home folder on the samba fileserver.

HTH,
Roy

> > I am trying to auto create and mount home directories using a GPO, as per
> > https://wiki.samba.org/index.php/User_Home_Folders.
> >
> > I currently have home directories being created, through the use of
> > pam_mkhomedir.so with 'obey pam restrictions = yes' in my smb.conf file.
> > I have also set up the share permissions and Windows ACLs as per the above
> > link.
> >
> > Unfortunately, even though the user's home directory is being created on
> > the samba file server, I cannot see the new folder from Windows and my GPO
> > is not mapping the network drive. However, the same GPO does successfully
> > map a drive for a different share.
> >
>
> Whilst you can use a GPO, you don't *need* a GPO to automatically create
> users' home folders on the samba fileserver and map a drive in Windows.
>
> In ADUC on the Profile tab, connect the desired drive letter to the path
> to the user's home folder, e.g. \\FILESERVER\USERS\%username%
>

This is what I'm trying to get away from. I don't want to have to specify a home dir drive letter and path for every user, I'd rather create a new user and have group policy work out the mapping.

> It is important to use the %username% instead of the actual username -
> that way the folder will get created automatically if it doesn't exist.
>

When in ADUC, on the profile tab of a user, if I specify the path as '\\fileserver\users\%username%', Windows immediately replaces '%username%' with the actual username, so I don't think this is helping anything.

From what I have experienced, folder creation in Samba has nothing to do with how a user's profile is set up in Windows. Folder creation in Samba seems to require *either* of the following in smb.conf:

- Specifying a preexec script that will create the home dir and then creating the necessary script for samba to call.
- Specifying 'obey pam restrictions = yes' and then adding 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' to /etc/pam.d/common-session

I chose the latter option.

> Also the correct Windows ACLs must be set on the USERS directory for this
> to work correctly. See the wiki at:
> https://wiki.samba.org/index.php/User_Home_Folders for details.
>

Yes, as indicated in my initial email, I did set up the Windows ACLs as per that wiki page.

Should I perhaps be using a logon script, rather than the GPO map drive feature?

I'm hoping someone is able to shed some light on this issue. What is working for others?

Thanks,
Mason

> In ADUC on the Profile tab, connect the desired drive letter to the path to
> the user's home folder, e.g. \\FILESERVER\USERS\%username%
>
> This is what I'm trying to get away from. I don't want to have to specify a
> home dir drive letter and path for every user, I'd rather create a new user and
> have group policy work out the mapping.
>

OK, fair enough.

> It is important to use the %username% instead of the actual username - that
> way the folder will get created automatically if it doesn't exist.
>
> When in ADUC, on the profile tab of a user, if I specify the path as
> '\\fileserver\users\%username%', Windows immediately replaces
> '%username%' with the actual username, so I don't think this is helping
> anything.

Yes, it replaces with the username, but if you specify %username% the user's folder will be auto-created - see https://blogs.technet.microsoft.com/askds/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders/

[snip]

> Should I perhaps be using a logon script, rather than the GPO map drive
> feature?

You could do, but the GPO should work too. Sometimes you have to log on twice before the GPO is applied when using Folder redirection for example; maybe that also applies with the mapped drive?

> I'm hoping someone is able to shed some light on this issue. What is working
> for others?
>
> Thanks,
> Mason