On a Windows domain member client in the ADUC console, you specify the home dir path that is to be used on Windows machines on the "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter), the folder is created (by the DC via your domain admin account) on the Samba server hosting the share the path you provided leads to. Try it, it's nice and simple. However, not useful in my case, as I want to create a zfs data set.

On 21.10.2015 at 18:13, Rowland Penny wrote:
> On 21/10/15 16:49, Ole Traupe wrote:
>> Oh, and of course the auto-creation works if you put the path
>> \\server\home\user into the "Profiles" tab of the user properties in
>> the ADUC console. This is explicitly what the Samba wiki suggests,
>> as it is directed to using Windows clients. As soon as you press
>> "Ok", the folder is created
>>
>
> A user's profile is different from a user's Unix homedir and normally
> you need to create the subdirectory manually and then when the user
> logs in/out the user's profile is created. I don't understand when you
> say 'As soon as you press "Ok", the folder is created', what 'OK'
> button and where is the folder created?
>
> Rowland
>

On 21/10/15 17:40, Ole Traupe wrote:
> On a Windows domain member client in the ADUC console, you specify
> the home dir path that is to be used on Windows machines on the
> "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter),
> the folder is created (by the DC via your domain admin account) on the
> Samba server hosting the share the path you provided leads to. Try it,
> it's nice and simple. However, not useful in my case, as I want to
> create a zfs data set.
>

I usually set the user's profile attribute directly when creating the user and as such, have never used ADUC to do this, but I am still struggling to understand how a Windows machine can create the full directory path to a user's profile on a Unix machine.

Rowland

It is actually the DC creating a sub-folder for the user.

On 21.10.2015 at 18:51, Rowland Penny wrote:
> On 21/10/15 17:40, Ole Traupe wrote:
>> On a Windows domain member client in the ADUC console, you specify
>> the home dir path that is to be used on Windows machines on the
>> "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that
>> matter), the folder is created (by the DC via your domain admin
>> account) on the Samba server hosting the share the path you provided
>> leads to. Try it, it's nice and simple. However, not useful in my case,
>> as I want to create a zfs data set.
>>
>
> I usually set the user's profile attribute directly when creating the
> user and as such, have never used ADUC to do this, but I am still
> struggling to understand how a Windows machine can create the full
> directory path to a user's profile on a Unix machine.
>
> Rowland
>

Hi, I'll try to explain so here..

When you use ADUC console. This is what happens.

( for Profile tab in ADUC )

The ADUC user creates the user network dir, but only what you set the
Drive letter: (connected with) \\servername.domain.tld\users\%username%
If you set the local path, it's not created.
This folder is created at the moment you click OK, or Apply.

For the profile folder, this is NOT created by the ADUC tool, but by the computer where the user is logging off. ( only created at logoff )
Normally you set something like :
\\servername.domain.tld\profiles\%username%

Users can access these shares.. but only see their own folders IF the share and folder rights are set correctly.

For example. All my users have 770 on \\servername.domain.tld\users\%username%
Which gives in my case, username:Domain Users ( the Unix primary group )

The share rights tell that "everybody" has all rights.
( you can change this to domain user for example, but I need everybody )

The Access rights ( security tab ) there we set domain users with the advanced settings to : Only this folder.

So resulted in ( for Windows ) users see only their folders, for Linux users access to all user folders. Which I need for distributing files etc. in user dirs.

For the profile path
\\servername.domain.tld\profiles\%username%
Here key is, user "SYSTEM" is used for creating the profiles folders.
Which is the account the computer uses and most important that "SYSTEM" has all rights. ( and which exists on all Windows computers )
And the profile folder is created at Logoff, not like the users folder at click OK/Apply.
The "LOCAL PATH" is normally only used for terminal server.

The Unix tab
In this case.
\\servername.domain.tld\users\%username%
Which is /home/users/%username%

Users is shared
And GID is set to "domain users"

So hope this is more clear...

And I really advise to NOT use \\servername\home (or \homes )
Why? You can set \\servername\%username% for the user home dir BUT no auto-created home dir.

And you don't want \\servername\username , for XP this was ok, because of path traversal problems but as Win Vista/7 and up easily block that.
(see above)

Greetz

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday 21 October 2015 18:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't get 'root preexec' to run
>
> On 21/10/15 17:40, Ole Traupe wrote:
> > On a Windows domain member client in the ADUC console, you specify
> > the home dir path that is to be used on Windows machines on the
> > "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter),
> > the folder is created (by the DC via your domain admin account) on the
> > Samba server hosting the share the path you provided leads to. Try it,
> > it's nice and simple. However, not useful in my case, as I want to
> > create a zfs data set.
> >
>
> I usually set the user's profile attribute directly when creating the
> user and as such, have never used ADUC to do this, but I am still
> struggling to understand how a Windows machine can create the full
> directory path to a user's profile on a Unix machine.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Louis, I agree with you, with some exceptions:

On 22.10.2015 at 10:44, L.P.H. van Belle wrote:
> Hi, I'll try to explain so here..
>
> When you use ADUC console. This is what happens.
>
> ( for Profile tab in ADUC )
>
> The ADUC user creates the user network dir, but only what you set the
> Drive letter: (connected with) \\servername.domain.tld\users\%username%
> If you set the local path, it's not created.
> This folder is created at the moment you click OK, or Apply.
>
> For the profile folder, this is NOT created by the ADUC tool, but by the computer where the user is logging off. ( only created at logoff )
> Normally you set something like :
> \\servername.domain.tld\profiles\%username%

You probably mean 'logon', right?

>
> Users can access these shares.. but only see their own folders IF the share and folder rights are set correctly.
>
> For example. All my users have 770 on \\servername.domain.tld\users\%username%
> Which gives in my case, username:Domain Users ( the Unix primary group )
>
> The share rights tell that "everybody" has all rights.
> ( you can change this to domain user for example, but I need everybody )
>
> The Access rights ( security tab ) there we set domain users with the advanced settings to : Only this folder.
>
> So resulted in ( for Windows ) users see only their folders, for Linux users access to all user folders. Which I need for distributing files etc. in user dirs.

I actually see a problem here, as we have Linux member servers, where users shouldn't be allowed to browse each other's files. This Linux behavior gives me a real headache sometimes. Therefore I use username:Domain Admins.

>
> For the profile path
> \\servername.domain.tld\profiles\%username%
> Here key is, user "SYSTEM" is used for creating the profiles folders.
> Which is the account the computer uses and most important that "SYSTEM" has all rights. ( and which exists on all Windows computers )
> And the profile folder is created at Logoff, not like the users folder at click OK/Apply.
> The "LOCAL PATH" is normally only used for terminal server.
>
> The Unix tab
> In this case.
> \\servername.domain.tld\users\%username%
> Which is /home/users/%username%
>
> Users is shared

What do you mean by that?

> And GID is set to "domain users"

Louis, do you always put the user in the "Unix Attributes" of the Domain Users group? Probably that is necessary for group membership to work correctly on Linux, right? I just recently discovered this tab and was wondering about it.

>
> So hope this is more clear...
>
> And I really advise to NOT use \\servername\home (or \homes )
> Why? You can set \\servername\%username% for the user home dir BUT no auto-created home dir.

That is not entirely true and applies to Rowland's last posting as well: if you use 'root preexec' in the [homes] section, you can use scripted auto-creation of user home share. I just successfully tried this and it confirms my reading of the man pages that only if a share is requested that is not actually existing, the [homes] section applies and 'root preexec' there is executed (in case username exists and password is correct).

However, I wouldn't want to use \\server\%username% as home dir location, as well.

>
> And you don't want \\servername\username , for XP this was ok, because of path traversal problems but as Win Vista/7 and up easily block that.
> (see above)
>
> Greetz
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Wednesday 21 October 2015 18:52
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Can't get 'root preexec' to run
>>
>> On 21/10/15 17:40, Ole Traupe wrote:
>>> On a Windows domain member client in the ADUC console, you specify
>>> the home dir path that is to be used on Windows machines on the
>>> "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter),
>>> the folder is created (by the DC via your domain admin account) on the
>>> Samba server hosting the share the path you provided leads to. Try it,
>>> it's nice and simple. However, not useful in my case, as I want to
>>> create a zfs data set.
>>>
>> I usually set the user's profile attribute directly when creating the
>> user and as such, have never used ADUC to do this, but I am still
>> struggling to understand how a Windows machine can create the full
>> directory path to a user's profile on a Unix machine.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>

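The scripted auto-creation mentioned in the message above, sketched as an added example that is not part of the original thread: a helper intended to be called from `root preexec` in `[homes]`, which validates the user name before building a path from it and creates a private (mode 0700) home directory. The script path, `HOME_BASE` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed smb.conf wiring:
#   [homes]
#       root preexec = /usr/local/sbin/mkhome.sh %U
# HOME_BASE and the script path are assumptions for illustration.
LC_ALL=C; export LC_ALL
HOME_BASE="${HOME_BASE:-/home/users}"

# Accept only plain account names: the value arrives with the client's
# session and ends up in a path handled by a root-owned process.
valid_username() {
    case "$1" in
        ""|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Create HOME_BASE/<user> as a private directory; non-zero means refused.
make_home() {
    user="$1"
    valid_username "$user" || { echo "refusing user name: $user" >&2; return 2; }
    dir="$HOME_BASE/$user"
    # A symlink planted at the target would redirect the root-run chown.
    [ -L "$dir" ] && { echo "refusing symlink: $dir" >&2; return 3; }
    [ -d "$dir" ] && return 0        # already provisioned, leave untouched
    # A ZFS layout would call `zfs create` for the user's dataset here instead.
    mkdir -m 0700 "$dir" || return 4
    # Ownership is only changed when running as root, as smbd's root preexec does.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dir" || return 5
    fi
    return 0
}

# Run only when invoked with an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    make_home "$1"
fi
```

Mode 0700 keeps other Unix users on the member server from browsing the directory, which is the concern raised in the same message.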
Commented within...

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday 22 October 2015 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't get 'root preexec' to run
>
> Louis, I agree with you, with some exceptions:
>
> On 22.10.2015 at 10:44, L.P.H. van Belle wrote:
> > Hi, I'll try to explain so here..
> >
> > When you use ADUC console. This is what happens.
> >
> > ( for Profile tab in ADUC )
> >
> > The ADUC user creates the user network dir, but only what you set the
> > Drive letter: (connected with) \\servername.domain.tld\users\%username%
> > If you set the local path, it's not created.
> > This folder is created at the moment you click OK, or Apply.
> >
> > For the profile folder, this is NOT created by the ADUC tool, but by the
> > computer where the user is logging off. ( only created at logoff )
> > Normally you set something like :
> > \\servername.domain.tld\profiles\%username%
> You probably mean 'logon', right?

[L.P.H. van Belle]
No, profile folders are created at logoff.
Test it yourself, create a new user, set the homedir and profile path.
Log in as the user, now go to the \\servername\profiles share,
and you see no folder of the newly created user. ;-)

> >
> > Users can access these shares.. but only see their own folders IF the
> > share and folder rights are set correctly.
> >
> > For example. All my users have 770 on
> > \\servername.domain.tld\users\%username%
> > Which gives in my case, username:Domain Users ( the Unix primary group )
> >
> > The share rights tell that "everybody" has all rights.
> > ( you can change this to domain user for example, but I need everybody )
> >
> > The Access rights ( security tab ) there we set domain users with the
> > advanced settings to : Only this folder.
> >
> > So resulted in ( for Windows ) users see only their folders, for Linux
> > users access to all user folders. Which I need for distributing files etc.
> > in user dirs.
> I actually see a problem here, as we have Linux member servers, where
> users shouldn't be allowed to browse each other's files. This Linux
> behavior gives me a real headache sometimes. Therefore I use
> username:Domain Admins.

[L.P.H. van Belle]
That's a possibility, yes, but I suggest don't abuse the "Domain Admins", just create another group, set GID and use that one.
You will be even more flexible.

> >
> > For the profile path
> > \\servername.domain.tld\profiles\%username%
> > Here key is, user "SYSTEM" is used for creating the profiles folders.
> > Which is the account the computer uses and most important that "SYSTEM"
> > has all rights. ( and which exists on all Windows computers )
> > And the profile folder is created at Logoff, not like the users folder
> > at click OK/Apply.
> > The "LOCAL PATH" is normally only used for terminal server.
> >
> > The Unix tab
> > In this case.
> > \\servername.domain.tld\users\%username%
> > Which is /home/users/%username%
> >
> > Users is shared
> What do you mean by that?

[L.P.H. van Belle]
In ADUC tab Profile
\\servername.domain.tld\users\%username% = "connect to drive" + path
In ADUC tab Unix attributes.
/home/users/%username%
Which is the same as above. In profile tab.

> > And GID is set to "domain users"
> Louis, do you always put the user in the "Unix Attributes" of the Domain
> Users group? Probably that is necessary for group membership to work
> correctly on Linux, right? I just recently discovered this tab and was
> wondering about it.

[L.P.H. van Belle]
Yes, in 90% of all cases I use "domain users", why ..
All computers are members of "domain users"
All users are members of "domain users"
With share rights and security rights you protect the company folders.
Example.
\\servername\data
    \Folder1
    \Folder2
Group right on folder1 is "group users folder1 ", anyone member of folder 1 can write, set "group creating special right"
Now everyone in this folder can write but set to group rights = domain users.
Result, no problems with files created by users, and users owning files.
Same for folder 2.
BUT, users in "folder 1 group" can not access the Folder2, because of "GROUP Folder access"
I hope it explains a bit..

For the places where I need Linux access, these users have their GID set to a group other than domain users.
And or set creating special right and user special right.
Test a bit with it, and don't forget the share rights and security rights.

> >
> > So hope this is more clear...
> >
> > And I really advise to NOT use \\servername\home (or \homes )
> > Why? You can set \\servername\%username% for the user home dir BUT no
> > auto-created home dir.
> That is not entirely true and applies to Rowland's last posting as well:
> if you use 'root preexec' in the [homes] section, you can use scripted
> auto-creation of user home share. I just successfully tried this and it
> confirms my reading of the man pages that only if a share is requested
> that is not actually existing, the [homes] section applies and 'root
> preexec' there is executed (in case username exists and password is
> correct).
>
> However, I wouldn't want to use \\server\%username% as home dir
> location, as well.
>

[L.P.H. van Belle]
Yes, Rowland is correct, if you don't use ADUC or if you don't create folders from within Windows,
but I'm doing everything from Windows, ( most people are ) and no scripts etc. run from Linux or are set in Samba.
I think it should not be needed, but this depends totally on what you want and how you set up.
I do almost everything with group policies. And 2 VB scripts for installing certificates.

> >
> > And you don't want \\servername\username , for XP this was ok, because of
> > path traversal problems but as Win Vista/7 and up easily block that.
> > (see above)
> >
> > Greetz
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >> Sent: Wednesday 21 October 2015 18:52
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Can't get 'root preexec' to run
> >>
> >> On 21/10/15 17:40, Ole Traupe wrote:
> >>> On a Windows domain member client in the ADUC console, you specify
> >>> the home dir path that is to be used on Windows machines on the
> >>> "Profile" tab. As soon as you click 'Ok' (or 'Apply' for that matter),
> >>> the folder is created (by the DC via your domain admin account) on the
> >>> Samba server hosting the share the path you provided leads to. Try it,
> >>> it's nice and simple. However, not useful in my case, as I want to
> >>> create a zfs data set.
> >>>
> >> I usually set the user's profile attribute directly when creating the
> >> user and as such, have never used ADUC to do this, but I am still
> >> struggling to understand how a Windows machine can create the full
> >> directory path to a user's profile on a Unix machine.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba