Hello! I am following the how-to

https://wiki.samba.org/index.php/User_home_drives

But even though a process is reported there so that User X does not access the home of User Y, this is happening:

root@fileserver:/srv/samba# getfacl home/
# file: home/
# owner: root
# group: root
user::rwx
user:root:rwx
user:administrator:rwx
group::r-x
group:root:r-x
group:5007:r-x
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:administrator:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---

------------------

root@fileserver:/srv/samba/home# getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
group:domain\040admins:rwx
group:5024:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:domain\040admins:rwx
default:group:5024:rwx
default:mask::rwx
default:other::---

----------------------

From what I think, the problem is with the permissions of the group "Domain user", but that is automatically set, because it is the default group of users.

Any idea?

Thank you

Hi Carlos,

Your problem is userA can access home directory of userB?

If your issue is only that, then you are right, this issue comes from the fact all AD users are, by default, in "Domain users" and your Home directories grant "Domain Users" "r-x" which means "read and enter" when applied to a directory.

Simply remove "Domain Users" from these ACLs or change the "Domain Users" ACL entry to "---".

Cheers,

mathias

Hello!
But when I add the User the way "Home folder", the folder is automatically created and it already comes with these permissions:

getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---

and something else as well: "ACL entry to "---"." ??

Thanks!!!

On 12-07-2016 05:31, mathias dufresne wrote:
> Sorry I don't understand what you said.

Sorry hehehehe
I mean, when I access RSAT and add the "Home Folder" of the User, and give an Apply, the folder is automatically created with the permissions below, where the "Domain Users" is already linked:

getfacl rs-01/
# file: rs-01/
# owner: administrator
# group: domain\040users
user::rwx
user:rs-01:rwx
user:administrator:rwx
group::r-x
group:domain\040users:r-x
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:rs-01:rwx
default:user:administrator:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---

and something else as well: "ACL entry to "---"." ??

Thanks!!!

2016-07-12 14:05 GMT+02:00 Carlos A. P. Cunha <carlos.hollow at gmail.com>:
> Sorry hehehehe
> I mean, when I access RSAT and add the "Home Folder" of the User, and give an
> Apply, the folder is automatically created with the permissions below, where
> the "Domain Users" is already linked:
> getfacl rs-01/
> # file: rs-01/
> # owner: administrator
> # group: domain\040users
> user::rwx
> user:rs-01:rwx
> user:administrator:rwx
> group::r-x
> group:domain\040users:r-x
> group:BUILTIN\134administrators:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:rs-01:rwx
> default:user:administrator:rwx
> default:group::r-x
> default:group:domain\040users:r-x
> default:group:BUILTIN\134administrators:rwx
> default:mask::rwx
> default:other::---

That sounds normal to me. You are using Microsoft tools to create your share. This tool comes with a default use case, and the default use case is to create a share owned by that user (for user permission in ACL) and by the user's default group (which is Windows RID 513 -> "Domain Users", its UNIX UID can be anything else) for group ownership in ACL.

Use another tool to create your folders (a homemade UNIX shell script should do what you want) or change directory permissions after directory creation.

You could also change the user's default Windows group, set something else than "domain users", but I don't think this is advisable (I mean I do believe it is a BAD idea).
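
The check below is an added example, not code from any poster or from the Samba project. It reads getfacl output like the rs-01 listing above and reports every entry that gives access to someone other than the home's user, which covers both the cause given in the first reply and the "change directory permissions after directory creation" advice in the last one. The ALLOWED list, the function names and the shortened sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report home-directory ACL entries that let other accounts in.
# Reads getfacl text on stdin; changes nothing on disk.

# Principals allowed besides the home's user (assumption, adjust per site).
ALLOWED='root administrator domain\040admins BUILTIN\134administrators'

# audit_home_acl USER: one line per entry granting r, w or x to a principal
# that is neither USER nor in ALLOWED. The mask is not applied to entries.
audit_home_acl() {
    # Passed through the environment: awk -v would expand \040 and \134.
    HOME_USER="$1" ALLOWED="$ALLOWED" awk '
    BEGIN { n = split(ENVIRON["ALLOWED"], a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            ok[ENVIRON["HOME_USER"]] = 1 }
    /^# owner: / { owner = $3; next }
    /^# group: / { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        scope = "access"; entry = $1
        if (sub(/^default:/, "", entry)) scope = "default"
        split(entry, f, ":")              # f[1]=type f[2]=name f[3]=perms
        perms = substr(f[3], 1, 3)
        if (f[1] == "mask" || perms == "---") next
        who = f[2]
        # An empty name is the owning user or group from the header lines.
        if (f[1] == "other") who = "everyone-else"
        else if (who == "") who = (f[1] == "user") ? owner : ogroup
        if (who in ok) next
        printf "%s %s:%s:%s %s\n", scope, f[1], f[2], perms, who
    }'
}

# Sample input, shortened from the rs-01 listing in the thread.
sample_acl() {
    cat <<'EOF'
# file: rs-01/
# owner: administrator
# group: domain\040users
user:rs-01:rwx
group::r-x
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:group::r-x
default:group:domain\040users:r-x
EOF
}
sample_acl | audit_home_acl rs-01
```

Because the directory's owning group is domain\040users, the unnamed group::r-x entry applies to Domain Users just like the named one, so it and its default: counterpart are reported too. Both have to go to --- (for the owning-group entry, setfacl -m g::---) before other users are locked out.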