Udo Willke
2017-Jun-13 08:33 UTC
[Samba] Creating home folders on file server automatically
Hello Rowland,

On 12.06.2017 at 19:32, Rowland Penny via samba wrote:
> On Mon, 12 Jun 2017 10:04:56 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
>> Hi list,
>>
>> We have a script we are using to create new users, and drop them into
>> the proper OUs on our Samba AD server, using samba-tool. We have a
>> Samba member file server (fs1) joined to the domain for hosting our
>> file shares. On there is also where we are putting the users' home
>> folders.
>>
>> I saw in the Samba Docs, and in the mailing list, that I can use
>> `--home-directory=\\server\directory\$username`. I have that added,
>> pointing to the file server's location. The issue is, the folder does
>> not get created, even when the user logs in.
>>
>> The only way it seems to create the folder is if I go into ADUC on my
>> Admin computer, go into the user's properties, and change the text
>> for the Home Folder to something, then change it back, and hit OK.
>> The correct text shows up initially, but it is not getting created on
>> the member server automatically.
>>
>> Is there a known way to get past this limitation? We add thousands of
>> users each year (school setting).
> You are only doing half the job ;-)
>
> Add:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to /etc/pam.d/common-session on the Unix domain member
>
> NOTE: this is on Debian, I believe there is something similar on red-hat
>
> Rowland

you suggested this solution to me a while ago. It definitely works, and creates a home folder for the user (at least on Ubuntu). However I noticed that the permissions of a folder created by the PAM module are different from the permissions of a folder created by the RSAT Tool.

I really can't say if this is a relevant issue when the home folder is only used to serve files and the user is not supposed to log into that server.

In the meantime I use "root preexec" in smb.conf and the following script. It creates the folder and mimics the permissions as created by the RSAT Tool.

#!/bin/bash
#
# Create Home Folder and mimic ACLs as created by RSAT Tools
#
# use in smb.conf:
#
# [home]
#
# root preexec = path_to/make_home_folder.sh '%D' '%U' '%G' '%H'
#
# ;; %D = Domain or Workgroup of user ($1) --> "SAMDOM"
# ;; %U = Username ($2)                   --> "kbudwi"
# ;; %G = Groupname ($3)                  --> "SAMDOM\domain users"
# ;; %H = Home Directory of User ($4)     --> "/home/kbudwi"
#

if [[ $# -ne 4 ]]; then
    echo "Usage: $0 <Domain or Workgroup> <Username> <Groupname> <Home Folder>"
    logger "$0: SCRIPT FAILED ARGC=$# ARGV=|$1|$2|$3|$4|"
    exit 1
fi

SN="$(basename "$0"): root preexec"

logger "$SN: Create Samba Home Folder $4: Domain=$1 User=$2 Group=$3"

if [[ -d "$4" ]]; then

    logger "$SN: Folder $4 exists"
    exit 0

else

    # BUILTIN\Administrators == S-1-5-32-544
    BUILTIN_ADMINS_GID=$(wbinfo --sid-to-gid S-1-5-32-544)
    DOMAIN_ADMINS_GID=$(wbinfo --group-info="$1\\Domain Admins" | cut -d: -f3)

    BID=$(wbinfo --user-info="$1\\$2" | cut -d: -f3)
    GID=$(wbinfo --group-info="$3" | cut -d: -f3)

    # Stop here if winbind could not resolve any of the names: an empty id
    # would give setfacl an entry like "g::rwx", which applies to the owning
    # group (Domain Users) instead of the group that was meant.
    if [[ -z "$BUILTIN_ADMINS_GID" || -z "$DOMAIN_ADMINS_GID" || -z "$BID" || -z "$GID" ]]; then
        logger "$SN: SCRIPT FAILED could not resolve ids: UID=|$BID| GID=|$GID| DomainAdmins=|$DOMAIN_ADMINS_GID| BuiltinAdmins=|$BUILTIN_ADMINS_GID|"
        exit 1
    fi

    logger "$SN: Creating folder $4 with UID=$BID and GID=$GID"

    mkdir -p "$4"
    chown "$BID" "$4"
    chgrp "$GID" "$4"
    chmod 0770 "$4"

    logger "$SN: Base directory created: $(ls -ld "$4")"

    # Extended User Attributes
    setfacl -m "u:$BID:rwx" "$4"

    # Extended Group Attributes
    setfacl -m "g:$GID:---" "$4"
    setfacl -m "g:$DOMAIN_ADMINS_GID:rwx" "$4"
    setfacl -m "g:$BUILTIN_ADMINS_GID:rwx" "$4"

    # Extended Default User Attributes (inherited by new files and subfolders)
    setfacl -dm "u:$BID:rwx" "$4"

    # Extended Default Group Attributes
    setfacl -dm "g:$GID:---" "$4"
    setfacl -dm "g:$DOMAIN_ADMINS_GID:rwx" "$4"
    setfacl -dm "g:$BUILTIN_ADMINS_GID:rwx" "$4"

    logger "$SN: setfacl commands executed"

    logger "$SN: Folder $4 created"
    ## getfacl "$4"
fi

Please comment, if you disagree with my solution.

Best regards,
Udo
Rowland Penny
2017-Jun-13 09:34 UTC
[Samba] Creating home folders on file server automatically
On Tue, 13 Jun 2017 10:33:43 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:
> Hello Rowland,
>
> On 12.06.2017 at 19:32, Rowland Penny via samba wrote:
> > On Mon, 12 Jun 2017 10:04:56 -0700
> > Luke Barone via samba <samba at lists.samba.org> wrote:
> >
> >> Hi list,
> >>
> >> We have a script we are using to create new users, and drop them
> >> into the proper OUs on our Samba AD server, using samba-tool. We
> >> have a Samba member file server (fs1) joined to the domain for
> >> hosting our file shares. On there is also where we are putting the
> >> users' home folders.
> >>
> >> I saw in the Samba Docs, and in the mailing list, that I can use
> >> `--home-directory=\\server\directory\$username`. I have that added,
> >> pointing to the file server's location. The issue is, the folder
> >> does not get created, even when the user logs in.
> >>
> >> The only way it seems to create the folder is if I go into ADUC on
> >> my Admin computer, go into the user's properties, and change the
> >> text for the Home Folder to something, then change it back, and
> >> hit OK. The correct text shows up initially, but it is not getting
> >> created on the member server automatically.
> >>
> >> Is there a known way to get past this limitation? We add thousands
> >> of users each year (school setting).
> > You are only doing half the job ;-)
> >
> > Add:
> >
> > session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >
> > to /etc/pam.d/common-session on the Unix domain member
> >
> > NOTE: this is on Debian, I believe there is something similar on
> > red-hat
> >
> > Rowland
>
> you suggested this solution to me a while ago. It definitely works,
> and creates a home folder for the user (at least on Ubuntu). However
> I noticed that the permissions of a folder created by the PAM module
> are different from the permissions of a folder created by the RSAT
> Tool.
>
> I really can't say if this is a relevant issue when the home folder
> is only used to serve files and the user is not supposed to log into
> that server.
>
> In the meantime I use "root preexec" in smb.conf and the following
> script. It creates the folder and mimics the permissions as created
> by the RSAT Tool.
>
> #!/bin/bash
> #
> # Create Home Folder and mimic ACLs as created by RSAT Tools
> #
> # use in smb.conf:
> #
> # [home]
> #
> # root preexec = path_to/make_home_folder.sh '%D' '%U' '%G' '%H'
> #
> # ;; %D = Domain or Workgroup of user ($1) --> "SAMDOM"
> # ;; %U = Username ($2)                   --> "kbudwi"
> # ;; %G = Groupname ($3)                  --> "SAMDOM\domain users"
> # ;; %H = Home Directory of User ($4)     --> "/home/kbudwi"
> #
>
> if [[ $# -ne 4 ]]; then
>     echo "Usage: $0 <Domain or Workgroup> <Username> <Groupname> <Home Folder>"
>     logger "$0: SCRIPT FAILED ARGC=$# ARGV=|$1|$2|$3|$4|"
>     exit 1
> fi
>
> SN="$(basename "$0"): root preexec"
>
> logger "$SN: Create Samba Home Folder $4: Domain=$1 User=$2 Group=$3"
>
> if [[ -d "$4" ]]; then
>
>     logger "$SN: Folder $4 exists"
>     exit 0
>
> else
>
>     # BUILTIN\Administrators == S-1-5-32-544
>     BUILTIN_ADMINS_GID=$(wbinfo --sid-to-gid S-1-5-32-544)
>     DOMAIN_ADMINS_GID=$(wbinfo --group-info="$1\\Domain Admins" | cut -d: -f3)
>
>     BID=$(wbinfo --user-info="$1\\$2" | cut -d: -f3)
>     GID=$(wbinfo --group-info="$3" | cut -d: -f3)
>
>     # Stop here if winbind could not resolve any of the names: an empty id
>     # would give setfacl an entry like "g::rwx", which applies to the owning
>     # group (Domain Users) instead of the group that was meant.
>     if [[ -z "$BUILTIN_ADMINS_GID" || -z "$DOMAIN_ADMINS_GID" || -z "$BID" || -z "$GID" ]]; then
>         logger "$SN: SCRIPT FAILED could not resolve ids: UID=|$BID| GID=|$GID| DomainAdmins=|$DOMAIN_ADMINS_GID| BuiltinAdmins=|$BUILTIN_ADMINS_GID|"
>         exit 1
>     fi
>
>     logger "$SN: Creating folder $4 with UID=$BID and GID=$GID"
>
>     mkdir -p "$4"
>     chown "$BID" "$4"
>     chgrp "$GID" "$4"
>     chmod 0770 "$4"
>
>     logger "$SN: Base directory created: $(ls -ld "$4")"
>
>     # Extended User Attributes
>     setfacl -m "u:$BID:rwx" "$4"
>
>     # Extended Group Attributes
>     setfacl -m "g:$GID:---" "$4"
>     setfacl -m "g:$DOMAIN_ADMINS_GID:rwx" "$4"
>     setfacl -m "g:$BUILTIN_ADMINS_GID:rwx" "$4"
>
>     # Extended Default User Attributes (inherited by new files and subfolders)
>     setfacl -dm "u:$BID:rwx" "$4"
>
>     # Extended Default Group Attributes
>     setfacl -dm "g:$GID:---" "$4"
>     setfacl -dm "g:$DOMAIN_ADMINS_GID:rwx" "$4"
>     setfacl -dm "g:$BUILTIN_ADMINS_GID:rwx" "$4"
>
>     logger "$SN: setfacl commands executed"
>
>     logger "$SN: Folder $4 created"
>     ## getfacl "$4"
> fi
>
>
> Please comment, if you disagree with my solution.
>

The only problem I can see with that is, you are giving *_ADMINS full control of any user's home directory, I think this may be illegal in some countries.

Thinking about privacy, perhaps the PAM line should be:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

This way only the user gets any permissions on the share.

Rowland
Rowland Penny
2017-Jun-13 10:24 UTC
[Samba] Creating home folders on file server automatically
On Tue, 13 Jun 2017 10:34:10 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> The only problem I can see with that is, you are giving *_ADMINS full
> control of any user's home directory, I think this may be illegal in
> some countries.
>
> Thinking about privacy, perhaps the PAM line should be:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>
> This way only the user gets any permissions on the share.
>
> Rowland
>

I have been thinking about this a bit more and the problem seems to be that by using '0022' I was following Unix permissions, but I wasn't following Unix ownership.

Unix users have a private group and when a Unix user's home directory is created, it gets '0755' permissions and username:usergroup ownership. So, PAM setting '0022' (this is the umask for '0755') means it is just following Unix practice.

One problem is, because you cannot have a user private group in AD, Domain Users is used instead, this means that any user can read any other user's home directory. This is (following Unix practice) not a problem, because the permissions (0755) also allow this.

I therefore think that if you require an AD Unix home directory that is only readable by the user that owns the directory, you will need to set '0700' permissions on the directory, or '0077' with PAM.

Rowland
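The umask-to-mode mapping Rowland describes, as an added example that is not part of the thread: a small shell script that creates a directory under each candidate umask (the value pam_mkhomedir's umask= option would apply), prints the mode it actually received, and reports whether members of the owning group, which on an AD member is normally Domain Users, would be able to read it. It assumes GNU stat (-c) on the member server and works in a scratch directory from mktemp, not on a real home share.

```shell
#!/bin/sh
# Added example, not from the thread: make the effect of pam_mkhomedir's
# umask= option visible, so the 0022 vs 0077 choice can be checked before
# touching /etc/pam.d/common-session.
# Assumptions: GNU stat (-c) is available; a scratch directory stands in for
# the home share.

# Mode mkdir ends up with for a given umask: it asks for 0777 and the umask
# clears bits.  Accepts "0022" as well as "022".
mode_for_umask() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Create directory $2 under umask $1 and print the mode it really got, as four
# octal digits, so the computed and the observed value can be compared.
mkdir_with_umask() {
    ( umask "$1" && mkdir "$2" ) || return 1
    printf '%04o\n' "0$(stat -c '%a' "$2")"
}

# True when members of the owning group can list and traverse the directory.
# With Domain Users as the owning group this means every domain user.
group_can_read() {
    [ $(( 0$1 & 0050 )) -eq $(( 0050 )) ]
}

# True when "other" can list and traverse the directory, i.e. every account
# the member server knows, domain or local.
other_can_read() {
    [ $(( 0$1 & 0005 )) -eq $(( 0005 )) ]
}

# Try both umasks from the thread and say what each gives a new home directory.
demo() {
    tmp=$(mktemp -d) || return 1
    for mask in 0022 0077; do
        mode=$(mkdir_with_umask "$mask" "$tmp/home-$mask") || return 1
        expected=$(mode_for_umask "$mask")
        [ "$mode" = "$expected" ] || echo "warning: observed $mode, computed $expected"
        if group_can_read "$mode" || other_can_read "$mode"; then
            echo "umask=$mask -> $mode: other domain users can read the directory"
        else
            echo "umask=$mask -> $mode: only the owner can read the directory"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The computed value is only the POSIX part of the story: the ACLs that Udo's root preexec script adds, or that RSAT writes when the home folder is set from ADUC, sit on top of this mode, so getfacl on the created directory is the check that tells you what Domain Admins and BUILTIN\Administrators actually get.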
Udo Willke
2017-Jun-13 10:41 UTC
[Samba] Creating home folders on file server automatically
Hello Rowland,

On 13.06.2017 at 11:34, Rowland Penny via samba wrote:
> The only problem I can see with that is, you are giving *_ADMINS full
> control of any user's home directory, I think this may be illegal in
> some countries.

Oh, this was not my idea. My understanding is that this comes from the home share definition as described in the wiki <https://wiki.samba.org/index.php/User_Home_Folders>

Principal: Domain Admins - Access: Full control - Applies to: This folder, subfolders and files

I only reverse-engineered the permissions the RSAT Tool created on my test home folder.

> Thinking about privacy, perhaps the PAM line should be:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>
> This way only the user gets any permissions on the share.

Yes, certainly an improvement. My point was that the PAM Module creates a classic unix home dir without any Windows ACEs (if my memory serves me well) and wondered if this could have repercussions at a later point in time.

Thanks and best regards,
Udo