> > I am trying to auto create and mount home directories using a GPO, as per
> > https://wiki.samba.org/index.php/User_Home_Folders.
> >
> > I currently have home directories being created, through the use of
> > pam_mkhomedir.so, with 'obey pam restrictions = yes' in my smb.conf file.
> > I have also setup the share permissions and Windows ACLs as per the above
> > link.
> >
> > Unfortunately, even though the user's home directory is being created on
> > the samba file server, I cannot see the new folder from Windows and my GPO
> > is not mapping the network drive. However, the same GPO does successfully
> > map a drive for a different share.
>
> Whilst you can use a GPO, you don't *need* a GPO to automatically create
> Users Home folders on the samba fileserver and map a drive in Windows.
>
> In ADUC on the Profile tab, connect the desired drive letter to the path
> to the users home folder, eg \\FILESERVER\USERS\%username%

This is what I'm trying to get away from. I don't want to have to specify a
home dir drive letter and path for every user, I'd rather create a new user
and have group policy work out the mapping.

> It is important to use the %username% instead of the actual username -
> that way the folder will get created automatically if it doesn't exist.

When in ADUC, on the profile tab of a user, if I specify the path as
'\\fileserver\users\%username%', Windows immediately replaces '%username%'
with the actual username, so I don't think this is helping anything.

From what I have experienced, folder creation in Samba has nothing to do
with how a user's profile is setup in Windows. Folder creation in Samba
seems to require *either* of the following in smb.conf:

- Specifying a preexec script that will create the home dir and then
  creating the necessary script for samba to call.
- Specifying 'obey pam restrictions = yes' and then adding
  'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' to
  /etc/pam.d/common-session

I chose the latter option.

> Also the correct Windows ACLs must be set on the USERS directory for this
> to work correctly. See the WiKi at:
> https://wiki.samba.org/index.php/User_Home_Folders for details.

Yes, as indicated in my initial email, I did setup the windows ACLs as per
that wiki page.

Should I perhaps be using a logon script, rather than the GPO map drive
feature?

I'm hoping someone is able to shed some light on this issue. What is
working for others?

Thanks,
Mason
This mailing list seems to have magical powers... Twice now I have sent
emails to this list asking for help, both times I have not received the
correct answer to my question, but each response has inadvertently helped
me to see my problem from a new angle and thus I have been able to resolve
my own issue!

As neither the wiki nor any past mailing list messages (that I could find)
correctly answer this question, I'm going to document the solution for the
next person that runs into it.

*Goals:*

- Auto create home dir when AD domain user logs in
- Map home drive using group policy
- Use NT ACLs in order to provide maximum compatibility with Windows clients

Note that this does work with selinux enabled, which makes my inner
security nut happy :)

*Procedure*

*Setup the Samba Share*
Follow the instructions at https://wiki.samba.org/index.php/User_Home_Folders,
*but only* the following sections:

- Setting up the Share on the Samba File Server > Using Windows ACLs
- Creating the Home Folder for a New User > Using a Group Policy Preference

*Create the smb.conf and PAM configs*
There are 6 smb.conf entries that are critical to making this work, they are:

- vfs objects = acl_xattr # I'm not certain that the two other acl_xattr
  entries, in the smb.conf below, are absolutely necessary
- map acl inherit = yes
- store dos attributes = yes
- template homedir = /srv/samba/users/%U # Note the %U here
- obey pam restrictions = yes # with the corresponding entry in
  /etc/pam.d/common-session as per the comments in the smb.conf below
- [users]
  path = /srv/samba/users # Very important! Don't put the %U here!
  comment = Share for user home dirs
  guest ok = no
  read only = no

*The full working smb.conf file*

[global]
kerberos method = system keytab
workgroup = FTLC
security = ads
realm = FTLC.FTLCOMPUTING.COM

# Netbios is dead, let's make it explicit
# There's no need to run nmbd either, so disable it using systemctl disable nmbd
disable netbios = yes

# Encrypting SMB traffic is a good basic defense
# As soon as Windows 7 goes away, we'll be able to
# change this to 'required'
smb encrypt = desired

# Logging
log file = /var/log/samba/%m.log
log level = 5

# We're using the RID method of mapping SIDs to UID/GID
idmap config FTLC : range = 2000000-2999999
idmap config FTLC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false

# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0

# Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
# The ignore system acls option will hopefully eliminate the issues we have
# encountered with having to set POSIX and NT ACLs. This does mean that all file
# access should be done through Samba
vfs objects = acl_xattr
acl_xattr:default acl style = windows
acl_xattr:ignore system acls = yes
map acl inherit = yes
store dos attributes = yes

# ---------------------------------------------------------------------
# Automatic creation of home directories

# In addition to the NT ACL settings above and the [users] share in the
# shares section below, the following settings are needed in order for
# automatic creation of home directories to work

# Home directory path
template homedir = /srv/samba/users/%U

# To help with automated creation of user home directories,
# we need the following in this smb.conf file and we need
# 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
# added to /etc/pam.d/common-session
obey pam restrictions = yes

# end home dir settings -----------------------------------------------

##################################
# Shares                         #
##################################
# All shares will be created within the /srv/samba/shares/ folder,
# except for home dirs which are in /srv/samba/users/

[users]
path = /srv/samba/users
comment = Share for user home dirs
guest ok = no
read only = no

Further work - help needed
I was surprised to find that once the home drive has been mapped and users
begin creating their own files and folders, that the POSIX permissions on
the file server are wide open - ie 777. Even though AD users will not be
logging in to the file server and the files won't be shared via NFS, I
still really don't like seeing files being world rwx.

Why does samba set these permissions? What can be done to lock them down?

Thanks,
Mason
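A small check for the six smb.conf entries and the PAM line that the post above calls out, as an added example that is not code from the thread or from the Samba project. The SAMPLE_SMB_CONF and SAMPLE_COMMON_SESSION excerpts are constructed from the settings quoted in the post; the validator only parses text and never talks to smbd, so it can be run against copies of /etc/samba/smb.conf and /etc/pam.d/common-session before a restart.

```python
"""Check the smb.conf and PAM settings the post identifies as critical for
automatic home directory creation.  Added example, not code from the thread
or the Samba project.  SAMPLE_SMB_CONF and SAMPLE_COMMON_SESSION are
constructed from the settings quoted in the post."""
import configparser
import os
import re

# Constructed excerpt: only the entries the post lists as critical.
SAMPLE_SMB_CONF = """\
[global]
security = ads
realm = FTLC.FTLCOMPUTING.COM
idmap config FTLC : range = 2000000-2999999
idmap config FTLC : backend = rid
vfs objects = acl_xattr
acl_xattr:default acl style = windows
acl_xattr:ignore system acls = yes
map acl inherit = yes
store dos attributes = yes
template homedir = /srv/samba/users/%U
obey pam restrictions = yes

[users]
path = /srv/samba/users   # no %U here: the share is the parent of the homes
comment = Share for user home dirs
guest ok = no
read only = no
"""

# Constructed excerpt of /etc/pam.d/common-session.
SAMPLE_COMMON_SESSION = """\
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

# 'session required pam_mkhomedir.so ...' anywhere in common-session
PAM_MKHOMEDIR = re.compile(r"^\s*session\s+required\s+pam_mkhomedir\.so\b", re.M)


def parse_smb_conf(text):
    """Parse smb.conf text with configparser.  Only '=' may split key from
    value, because Samba keys such as 'idmap config FTLC : range' and
    'acl_xattr:ignore system acls' contain ':'.  Interpolation is off so
    '%U' and '%m' survive untouched; trailing '# ...' comments are dropped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def check_homedir_config(smb_conf_text, common_session_text):
    """Return a list of problem strings; an empty list means every setting
    the post lists as critical is present and consistent."""
    cp = parse_smb_conf(smb_conf_text)
    problems = []

    def val(section, key):
        # Samba option names are case-insensitive; configparser lowercases them.
        return cp.get(section, key, fallback="").strip()

    if "acl_xattr" not in val("global", "vfs objects").split():
        problems.append("vfs objects must include acl_xattr")
    for key in ("map acl inherit", "store dos attributes", "obey pam restrictions"):
        if val("global", key).lower() != "yes":
            problems.append(f"{key} must be yes")

    homedir = val("global", "template homedir")
    if "%U" not in homedir:
        problems.append("template homedir must contain %U")

    if not cp.has_section("users"):
        problems.append("[users] share is missing")
    else:
        path = val("users", "path")
        if not path:
            problems.append("[users] path is missing")
        elif "%U" in path:
            problems.append("[users] path must not contain %U")
        elif homedir and os.path.dirname(homedir) != path.rstrip("/"):
            problems.append("template homedir is not inside the [users] path")

    if not PAM_MKHOMEDIR.search(common_session_text):
        problems.append("common-session lacks 'session required pam_mkhomedir.so'")
    return problems


if __name__ == "__main__":
    for problem in check_homedir_config(SAMPLE_SMB_CONF, SAMPLE_COMMON_SESSION):
        print("PROBLEM:", problem)
    print("done")
```

The two path checks encode the post's main lesson: the per-user %U belongs in 'template homedir' (so pam_mkhomedir creates /srv/samba/users/<user>), while the [users] share path must be the parent directory, otherwise the GPO drive mapping has nothing to browse.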
Of course the procedure should have been in reverse order...

- Create the smb.conf and PAM configs
- Setup the Samba Share

On Sun, 3 Mar 2019 at 15:10, Mason Schmitt <mason at ftlcomputing.com> wrote:
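On the "Further work" question in the thread, an added example (not code from the thread or from the Samba project) that audits a home-directory tree for entries granting any permission to "other" and reports whether each carries the security.NTACL extended attribute in which vfs_acl_xattr stores the Windows ACL. The sample tree is constructed in a temporary directory with one 777 folder, as the thread reports, and one 700 folder; /srv/samba/users is the path from the thread and is passed on the command line for a real run.

```python
"""Audit POSIX modes under a Samba home-directory tree.  Added example, not
code from the thread or the Samba project.  The thread reports that files
created through the mapped home drive end up mode 777; this script lists
such entries and whether the vfs_acl_xattr ACL blob is present on each.
build_sample_tree() is a constructed stand-in for /srv/samba/users."""
import os
import stat
import sys
import tempfile

NTACL_XATTR = "security.NTACL"  # xattr in which vfs_acl_xattr keeps the NT ACL


def has_ntacl(path):
    """True if the NT ACL xattr is present, False if not, None when os has
    no xattr support on this platform (os.getxattr is Linux-only)."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        getxattr(path, NTACL_XATTR)
        return True
    except OSError:
        return False


def world_accessible(root):
    """Return sorted (relative_path, octal_mode, ntacl_present) tuples for
    every file or directory under root whose mode grants anything to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not enforced on Linux
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o007:
                rel = os.path.relpath(full, root)
                findings.append((rel, oct(mode), has_ntacl(full)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: 'alice' mirrors what the thread reports (777 folder
    and file), 'bob' has the modes one would expect from a umask of 0077."""
    root = tempfile.mkdtemp(prefix="users-")
    for user, dir_mode, file_mode in (("alice", 0o777, 0o777),
                                      ("bob", 0o700, 0o600)):
        home = os.path.join(root, user)
        os.mkdir(home)
        note = os.path.join(home, "notes.txt")
        with open(note, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(note, file_mode)
        os.chmod(home, dir_mode)
    return root


if __name__ == "__main__":
    # Real run: python3 audit_homes.py /srv/samba/users
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, mode, ntacl in world_accessible(root):
        print(f"{mode} ntacl={ntacl} {rel}")
```

The xattr column is the useful part of the report: with 'acl_xattr:ignore system acls = yes' the ACL smbd enforces is the one in security.NTACL, so an entry that is 777 and has no NT ACL blob is open on every path, while an entry that is 777 but carries an NT ACL is still restricted for SMB clients and open only to whatever bypasses smbd (a local shell, NFS, backup jobs). That is the caveat behind the "all file access should be done through Samba" comment in the smb.conf above.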