Luke Barone
2017-Jun-12 17:04 UTC
[Samba] Creating home folders on file server automatically
Hi list,

We have a script we are using to create new users, and drop them into the proper OUs on our Samba AD server, using samba-tool. We have a Samba member file server (fs1) joined to the domain for hosting our file shares. On there is also where we are putting the users' home folders.

I saw in the Samba Docs, and in the mailing list, that I can use `--home-directory=\\server\directory\$username`. I have that added, pointing to the file server's location. The issue is, the folder does not get created, even when the user logs in.

The only way it seems to create the folder is if I go into ADUC on my Admin computer, go into the user's properties, and change the text for the Home Folder to something, then change it back, and hit OK. The correct text shows up initially, but it is not getting created on the member server automatically.

Is there a known way to get past this limitation? We add thousands of users each year (school setting).
Rowland Penny
2017-Jun-12 17:32 UTC
[Samba] Creating home folders on file server automatically
On Mon, 12 Jun 2017 10:04:56 -0700 Luke Barone via samba <samba at lists.samba.org> wrote:

> Hi list,
>
> We have a script we are using to create new users, and drop them into
> the proper OUs on our Samba AD server, using samba-tool. We have a
> Samba member file server (fs1) joined to the domain for hosting our
> file shares. On there is also where we are putting the users' home
> folders.
>
> I saw in the Samba Docs, and in the mailing list, that I can use
> `--home-directory=\\server\directory\$username`. I have that added,
> pointing to the file server's location. The issue is, the folder does
> not get created, even when the user logs in.
>
> The only way it seems to create the folder is if I go into ADUC on my
> Admin computer, go into the user's properties, and change the text
> for the Home Folder to something, then change it back, and hit OK.
> The correct text shows up initially, but it is not getting created on
> the member server automatically.
>
> Is there a known way to get past this limitation? We add thousands of
> users each year (school setting).

You are only doing half the job ;-)

Add:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

to /etc/pam.d/common-session on the Unix domain member

NOTE: this on Debian, I believe there is something similar on red-hat

Rowland
Denis Cardon
2017-Jun-12 21:06 UTC
[Samba] Creating home folders on file server automatically
Hi Luke,

> We have a script we are using to create new users, and drop them into the
> proper OUs on our Samba AD server, using samba-tool. We have a Samba member
> file server (fs1) joined to the domain for hosting our file shares. On
> there is also where we are putting the users' home folders.
>
> I saw in the Samba Docs, and in the mailing list, that I can use
> `--home-directory=\\server\directory\$username`. I have that added,
> pointing to the file server's location. The issue is, the folder does not
> get created, even when the user logs in.
>
> The only way it seems to create the folder is if I go into ADUC on my Admin
> computer, go into the user's properties, and change the text for the Home
> Folder to something, then change it back, and hit OK. The correct text
> shows up initially, but it is not getting created on the member server
> automatically.
>
> Is there a known way to get past this limitation? We add thousands of users
> each year (school setting).

You can use the "root preexec" parameters to call a script that will create your user home dir and set the proper acls when they connect to the homes share:

    [homes]
        path = /home/homes/%U
        read only = no
        root preexec = /opt/mkprofile.sh %U

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Udo Willke
2017-Jun-13 08:33 UTC
[Samba] Creating home folders on file server automatically
Hello Rowland,

On 12.06.2017 at 19:32, Rowland Penny via samba wrote:

> On Mon, 12 Jun 2017 10:04:56 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
>> Hi list,
>>
>> We have a script we are using to create new users, and drop them into
>> the proper OUs on our Samba AD server, using samba-tool. We have a
>> Samba member file server (fs1) joined to the domain for hosting our
>> file shares. On there is also where we are putting the users' home
>> folders.
>>
>> I saw in the Samba Docs, and in the mailing list, that I can use
>> `--home-directory=\\server\directory\$username`. I have that added,
>> pointing to the file server's location. The issue is, the folder does
>> not get created, even when the user logs in.
>>
>> The only way it seems to create the folder is if I go into ADUC on my
>> Admin computer, go into the user's properties, and change the text
>> for the Home Folder to something, then change it back, and hit OK.
>> The correct text shows up initially, but it is not getting created on
>> the member server automatically.
>>
>> Is there a known way to get past this limitation? We add thousands of
>> users each year (school setting).
> You are only doing half the job ;-)
>
> Add:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to /etc/pam.d/common-session on the Unix domain member
>
> NOTE: this on Debian, I believe there is something similar on red-hat
>
> Rowland
>

you suggested this solution to me a while ago. It definitely works, and creates a home folder for the user (at least on Ubuntu). However I noticed that the permissions of a folder created by the PAM module are different from the permissions of a folder created by the RSAT Tool. I really can't say if this is a relevant issue when the home folder is only used to serve files and the user is not supposed to log into that server.

In the meantime I use "root preexec" in smb.conf and the following script. It creates the folder and mimics the permissions as created by the RSAT Tool.

    #!/bin/bash
    #
    # Create Home Folder and mimic ACLs as created by RSAT Tools
    #
    # use in smb.conf:
    #
    # [home]
    #
    # root preexec = path_to/make_home_folder.sh '%D' '%U' '%G' '%H'
    #
    # ;; %D = Domain or Workgroup of user ($1) --> "SAMDOM"
    # ;; %U = Username ($2) --> "kbudwi"
    # ;; %G = Groupname ($3) --> "SAMDOM\domain users"
    # ;; %H = Home Directory of User ($4) --> "/home/kbudwi"
    #
    #
    if [[ $# -ne 4 ]]; then
        echo "Usage: $0 <Domain or Workgroup> <Username> <Groupname> <Home Folder>"
        logger "$0: SCRIPT FAILED ARGC=$# ARGV=|$1|$2|$3|$4|"
        exit 1
    fi

    SN="$(basename "$0"): root preexec"
    logger "$SN: Create Samba Home Folder $4: Domain=$1 User=$2 Group=$3"

    if [[ -d "$4" ]]; then
        logger "$SN: Folder $4 exists"
        exit 0
    else
        # BUILTIN\\administrators == S-1-5-32-544
        #
        BUILTIN_ADMINS_GID=$(wbinfo --sid-to-gid S-1-5-32-544)
        DOMAIN_ADMINS_GID=$(wbinfo --group-info="$1"\\"Domain Admins" | cut -d: -f3)
        BID=$(wbinfo --user-info="$1"\\"$2" | cut -d: -f3)
        GID=$(wbinfo --group-info="$3" | cut -d: -f3)

        # Stop if any lookup came back empty: an empty ID would turn the
        # setfacl entries below into entries for the owning user or group.
        if [[ -z "$BID" || -z "$GID" || -z "$DOMAIN_ADMINS_GID" || -z "$BUILTIN_ADMINS_GID" ]]; then
            logger "$SN: wbinfo lookup failed, folder $4 not created"
            exit 1
        fi

        logger "$SN: Creating folder $4 with UID=$BID and GID=$GID"
        mkdir -p "$4"
        chown "$BID" "$4"
        chgrp "$GID" "$4"
        chmod 0770 "$4"
        logger "$SN: Base directory created: $(ls -ld "$4")"

        # Extended User Attributes
        setfacl -m u:"$BID":rwx "$4"
        # Extended Group Attributes
        setfacl -m g:"$GID":--- "$4"
        setfacl -m g:"$DOMAIN_ADMINS_GID":rwx "$4"
        setfacl -m g:"$BUILTIN_ADMINS_GID":rwx "$4"
        # Extended Default Users Attributes
        setfacl -dm u:"$BID":rwx "$4"
        # Extended Default Group Attributes
        setfacl -dm g:"$GID":--- "$4"
        # was $DOMAIN_ADMINS_UID, which is never set; the empty value made
        # this a default rwx entry for the owning group
        setfacl -dm g:"$DOMAIN_ADMINS_GID":rwx "$4"
        setfacl -dm g:"$BUILTIN_ADMINS_GID":rwx "$4"
        logger "$SN: setfacl commands executed"
        logger "$SN: Folder $4 created"
        ## getfacl "$4"
    fi

Please comment, if you disagree with my solution.

Best regards,

Udo
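Added example, not part of any post in this thread: `root preexec` runs its helper as root with values substituted from the session, so a helper such as `/opt/mkprofile.sh` or the script above benefits from checking its arguments before any `mkdir` or `chown`. The function names, the accepted character set for account names and the `--create` invocation are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: argument checks for a root preexec helper.
# Function names and the accepted character set are assumptions for illustration.
LC_ALL=C; export LC_ALL   # keep the character ranges below ASCII-only

# Accept only plain account names: letters, digits, dot, underscore, hyphen,
# and nothing that starts with a dot or a hyphen.
valid_username() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print BASE/USER if it is safe to create, otherwise return 1.
# Rejects bad names, a missing or symlinked BASE, and a target that is a
# symlink or any non-directory.
safe_home_path() {
    base=$1
    user=$2
    valid_username "$user" || return 1
    { [ -d "$base" ] && [ ! -L "$base" ]; } || return 1
    target="$base/$user"
    [ ! -L "$target" ] || return 1
    if [ -e "$target" ] && [ ! -d "$target" ]; then return 1; fi
    printf '%s\n' "$target"
}

# Create the directory with mode 0700 so it is closed until the ownership
# and ACL steps have run. Returns 0 if it was created or already existed.
make_home_dir() {
    target=$(safe_home_path "$1" "$2") || return 1
    [ -d "$target" ] && return 0
    ( umask 077 && mkdir "$target" ) || return 1
    # chown and setfacl calls would follow here
    return 0
}

# Constructed invocation: helper.sh --create /home/homes kbudwi
if [ "${1:-}" = "--create" ]; then
    make_home_dir "$2" "$3" || { logger "home dir refused for '$3'"; exit 1; }
fi
```

Using plain `mkdir` instead of `mkdir -p` keeps the helper from creating missing parent directories, so a wrong base path fails instead of building a new tree as root.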