samba - Apr 2016 - Home directory of AD-User

Rowland penny <rpenny at samba.org> schrieb:
> Can you post your entire smb.conf
> What OS ?
> What Samba version ?
Samba 4.1.6 on Ubuntu 14.04.
My smb.conf:

# Global parameters
[global]
        workgroup = CCH
        realm = CCH.INTRA
        netbios name = MAIN
        interfaces = lo, br50
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = 192.168.8.19
        idmap_ldb:use rfc2307 = yes

# Damit die Nutzer sich auch in Linux anmelden können
        template shell = /bin/bash
# Homedir in /home
        template homedir = /home/%ACCOUNTNAME%
# Home automatisch anlegen
        root preexec = /etc/samba/mkhomedir.sh %ACCOUNTNAME%

[netlogon]
        path = /var/lib/samba/sysvol/cch.intra/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        create mode = 0660
        directory mode = 0700
        browseable = yes
        read only = no
        create mask = 0770
        directory mask = 0770
        force user = "CCH.INTRA\%U"
        force group = users

[cch]
        comment = Public Stuff
        path = /home/shares/cch
        public = yes
        writable = yes
        browseable = yes
        force group = users
        create mode = 0660
        directory mode = 0770

[kfzwin]
        comment = KFZ-Win
        path = /home/shares/kfzwin
        public = yes
        writable = yes
        browseable = yes
        force group = users
        create mode = 0660
        directory mode = 0770

[wininst$]
        comment = Installationsimages
        path = /home/shares/wininst
        public = yes
        writable = no
        browseable = yes
        guest ok = yes

[tools]
        comment = Für die Admins
        path = /home/shares/tools
        public = no
        writable = yes
        browseable = yes
        valid users = +"CCH.INTRA\Domain Admins"
        force group = "CCH.INTRA\Domain Admins"
        create mode = 0660
        directory mode = 0770

[gp$]
        comment = Programme zu installieren
        path = /home/shares/gp
        public = yes
        writable = yes
        browseable = no
        valid users = +"CCH.INTRA\Domain Users"
        force group = "CCH.INTRA\Domain Users"

Thanks
Luca Bertoncello
(lucabert at lucabert.de)

On 11/04/16 20:50, Luca Bertoncello wrote:
> Rowland penny <rpenny at samba.org> schrieb:
>
>> Can you post your entire smb.conf
>> What OS ?
>> What Samba version ?
> Samba 4.1.6 on Ubuntu 14.04.
> My smb.conf:
>
> # Global parameters
> [global]
>          workgroup = CCH
>          realm = CCH.INTRA
>          netbios name = MAIN
>          interfaces = lo, br50
>          bind interfaces only = Yes
>          server role = active directory domain controller
>          dns forwarder = 192.168.8.19
>          idmap_ldb:use rfc2307 = yes
>
> # Damit die Nutzer sich auch in Linux anmelden können
>          template shell = /bin/bash
> # Homedir in /home
>          template homedir = /home/%ACCOUNTNAME%
> # Home automatisch anlegen
>          root preexec = /etc/samba/mkhomedir.sh %ACCOUNTNAME%
>
> [netlogon]
>          path = /var/lib/samba/sysvol/cch.intra/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
>          create mode = 0660
>          directory mode = 0700
>          browseable = yes
>          read only = no
>          create mask = 0770
>          directory mask = 0770
>          force user = "CCH.INTRA\%U"
>          force group = users
>
> [cch]
>          comment = Public Stuff
>          path = /home/shares/cch
>          public = yes
>          writable = yes
>          browseable = yes
>          force group = users
>          create mode = 0660
>          directory mode = 0770
>
> [kfzwin]
>          comment = KFZ-Win
>          path = /home/shares/kfzwin
>          public = yes
>          writable = yes
>          browseable = yes
>          force group = users
>          create mode = 0660
>          directory mode = 0770
>
> [wininst$]
>          comment = Installationsimages
>          path = /home/shares/wininst
>          public = yes
>          writable = no
>          browseable = yes
>          guest ok = yes
>
> [tools]
>          comment = Für die Admins
>          path = /home/shares/tools
>          public = no
>          writable = yes
>          browseable = yes
>          valid users = +"CCH.INTRA\Domain Admins"
>          force group = "CCH.INTRA\Domain Admins"
>          create mode = 0660
>          directory mode = 0770
>
> [gp$]
>          comment = Programme zu installieren
>          path = /home/shares/gp
>          public = yes
>          writable = yes
>          browseable = no
>          valid users = +"CCH.INTRA\Domain Users"
>          force group = "CCH.INTRA\Domain Users"
>
> Thanks
> Luca Bertoncello
> (lucabert at lucabert.de)
>
You seem to be setting up your AD DC as if it was a Samba 3 machine, you 
would probably better off setting it up using ACLs instead of 'valid 
users' etc:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Also [homes] doesn't work on 4.1.x, see:

https://wiki.samba.org/index.php/User_home_drives

Finally 'browseable' is redundant on a Samba AD DC, there is no browsing
on an AD DC.

Rowland

>
> Finally 'browseable' is redundant on a Samba AD DC, there is no 
> browsing on an AD DC.
>
Well, sometimes you just *have* to do some file serving out of an AD DC. 
It happened to me.
In that case, if you don't have "browsable = yes" on a share, that
share
will not appear in the Computer Management applet in Windows and you 
won't be able to set its share permissions.

Am I wrong?