Hi Rowland,

I've added the bit to the pam.d and rebooted the server but still no go.

The following is from the log file for the machine (user is testhome2):

adding home's share [VM-WIN7-01$] for user 'LIN\VM-WIN7-01$' at '/home/%U/samba'
get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
Adding homes service for user 'LIN\testhome2' using home directory: '/home/LIN/testhome2'
canonicalize_connect_path failed for service testhome2, path /home/testhome2/samba

pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
# end of pam-auth-update config

Permissions of /home
drwxr-xr-x 225 root root 225 Jun 14 05:22 home

smb.conf: Home
[homes]
comment = Home Directories
# create mask = 0700
# directory mask = 0700
# browseable = No
read only = No
path = /home/%U/samba
vfs objects = full_audit
# follow symlinks = yes
# wide links = yes

smb.conf: Global
[global]
workgroup = LIN
realm = LIN.GROUP
netbios name = SERVER5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%m
log level = 4
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Thursday, 13 June 2019 10:00 PM
To: samba at lists.samba.org
Subject: Re: [Samba] AD home drive

On 13/06/2019 12:42, Praveen Ghimire via samba wrote:
> Hi,
>
> We have a DC (Ubuntu18.04) which also acts as a file server. The server
> was recently classic upgraded to AD. Before that all the home drives were in
> /home. When we migrated to change we added the following in smb.conf to give
> users access to their existing home folders.
>
> The problem now is that when we create a user either using samba-tool
> create user username or smbpasswd or even via RSAT, it doesn't auto create
> the home drive. The samba-tool create takes the -home-drive directive but
> doesn't actually create the drive. Does this mean we need to create the home
> drive first (i.e. /home/username/samba)? If so do we then need to setup
> permissions to those folders manually?

No, you need to add:

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

To /etc/pam.d/common-session

Your users will get their homedirs created at first logon.

>
> [homes]
> comment = Home Directories
> path = /home/%U/samba
> read only = No
> create mask = 0700
> directory mask = 0700
> directory mode = 0700
> browseable = No
> wide links = Yes
> vfs objects = full_audit

I would change the above to:

[homes]
        comment = Home Directories
        path = /home/%U/samba
        read only = No
        vfs objects = full_audit

>
>
> The other question is that the /var/log/samba/log.%m file has become
> huge, 9 GB. Following the below , we added the max log size = 1000 in
> smb.conf and did the reload. The log file still hasn't rotated. Are we
> missing something ? The audit level is at 4
>
>
> https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server
>

You will need to set up logrotating, see your distro's documentation for how to do this.

Rowland

On 14/06/2019 07:40, Praveen Ghimire wrote:
> Hi Rowland,
>
> I've added the bit to the pam.d and rebooted the server but still no go
>
> The following is from the log file for the machine (user is testhome2)
>
> adding home's share [VM-WIN7-01$] for user 'LIN\VM-WIN7-01$' at '/home/%U/samba'
>
> get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
>
> Adding homes service for user 'LIN\testhome2' using home directory: '/home/LIN/testhome2'
>
> canonicalize_connect_path failed for service testhome2, path /home/testhome2/samba
>
>
> pam.d/common-session
>
> # here are the per-package modules (the "Primary" block)
> session [default=1] pam_permit.so
> # here's the fallback if no module succeeds
> session requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required pam_permit.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> # The pam_umask module will set the umask according to the system default in
> # /etc/login.defs and user settings, solving the problem of different
> # umask settings with different shells, display managers, remote sessions etc.
> # See "man pam_umask".
> session optional pam_umask.so
> # and here are more per-package modules (the "Additional" block)
> session required pam_unix.so
> session optional pam_winbind.so
> session optional pam_systemd.so
> # end of pam-auth-update config

I said 'add' it, not plonk it into the middle of the file ;-)

Also your path is a bit suspect, I would expect '/home/samba/%U' and '/home/samba' would have to exist.

Rowland

Hi Rowland,

Initially I deposited the line towards the bottom but then it didn't work. The line wasn't getting enough attention so it decided to creep up a bit :)

As suggested in the initial email, the box was an NT4 PDC which had all the shares. The home drive pointed to /home/%U/samba.

Looking at the logs, to me it looks like the default smb.conf template (as suggested by Louis) doesn't match the homes definition.

Regards,
Praveen

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Friday, 14 June 2019 6:19 PM
To: sambalist
Subject: Re: [Samba] AD home drive
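
The log in this thread shows two different directories for the same user: the home directory '/home/LIN/testhome2' and the [homes] share path /home/testhome2/samba, which is the one canonicalize_connect_path fails on. The following shell script is an added example, not part of the thread or of Samba, that performs that comparison for one user. It assumes %U is the only macro in the path; the template '/home/LIN/%U/samba' and the sample passwd line are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the path Samba will connect to for a [homes] share
# with the home directory the account database reports for the same user.

# Expand %U in a share path template (assumption: no other macros are used).
expand_homes_path() {   # $1 = template, $2 = user name
    tmpl=$1; out=
    while :; do
        case $tmpl in
            *%U*) out=$out${tmpl%%%U*}$2; tmpl=${tmpl#*%U} ;;
            *)    out=$out$tmpl; break ;;
        esac
    done
    printf '%s\n' "$out"
}

# Field 6 of a passwd-format line, e.g. the output of: getent passwd 'LIN\testhome2'
passwd_home() {         # $1 = passwd line
    printf '%s\n' "$1" | cut -d: -f6
}

# Classify the share path:
#   MISMATCH  it lies outside the passwd home, so pam_mkhomedir (which creates
#             the passwd home directory) can never create it
#   MISSING   it lies inside the passwd home but is absent on disk
#   OK        it exists
check_homes_path() {    # $1 = template, $2 = user, $3 = passwd line, $4 = root prefix
    share=$(expand_homes_path "$1" "$2")
    home=$(passwd_home "$3")
    case $share/ in
        "$home"/*) ;;
        *) echo "MISMATCH share=$share home=$home"; return 0 ;;
    esac
    if [ -d "$4$share" ]; then echo "OK share=$share"
    else echo "MISSING share=$share"; fi
}

# Constructed passwd line: user name and home directory are taken from the log
# in this thread; UID, GID and shell are made up.
SAMPLE='LIN\testhome2:*:3000021:100::/home/LIN/testhome2:/bin/false'

check_homes_path '/home/%U/samba' testhome2 "$SAMPLE" ''       # path from smb.conf above
check_homes_path '/home/LIN/%U/samba' testhome2 "$SAMPLE" ''   # hypothetical template
```

On a live server, replace SAMPLE with the real getent passwd output for the user and leave the root prefix empty.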