Viktor Trojanovic
2020-Apr-10 20:17 UTC
[Samba] Users' Home Folders - conflicting advice in WiKi
On 10.04.2020 20:22, Rowland penny via samba wrote:
> On 10/04/2020 18:02, Roy Eastwood via samba wrote:
>> Rowland,
>>
>> In the Wiki page "User Home Folders", Section 2.1 "Using Windows ACLs"
>> correctly describes how to set permissions to allow the Windows program
>> Active Directory Users and Computers to automatically create the
>> user's home folder. But in the next section "Creating the Home folder
>> for a New User" 3.1 "Using Windows ACLs", the blue box states that ADUC
>> cannot automatically create home folders on a 'unix' machine. Do you
>> literally mean unix? Certainly on my Linux (Debian) machine it works OK.
>> Perhaps this boxed comment needs amendment?
>>
>> Cheers,
>>
>> Roy
>>
> 'unix' = any version of Unix, Linux is a version of Unix.
>
> Are you sure that ADUC is creating the users home directory on your
> Linux machines ?
>
> As far as I am aware Samba doesn't have the code to do this and ADUC
> running on Windows has no ability to do it either.
>
> It could be that you have pam_mkhomedir set in your PAM stack and it
> is this that is creating your users home directories at login.
>
> Myself and Louis collaborated to write a 'root prexec' script to
> create the users home directory at Samba connection.
>
> To the best of my knowledge, you have to use one or the other method.
>
> Rowland
>

Actually, this is something I noticed myself a (long) while ago.

I am running Samba AD members on Arch Linux and Ubuntu machines, and whatever PAM-config comes with the distro, if anything, is there, I never changed or added anything - frankly, I don't know much about it, yet. I checked just now and yes, there is a file /etc/pam.conf with all lines commented out and multiple small files in /etc/pam.d/ which I just grepped for 'mkdir', 'mkhomedir' and 'home'. No results.

And yet, ADUC is creating the home directories for me. Not fully automatically, though, I still have to provide ADUC the full name of the folder. But still, it's a lot simpler than stated in the Wiki.

Just fyi, I'm currently on 4.9 and 4.10, respectively, but if I remember correctly, this worked already with 4.7.

Viktor
Alex MacCuish
2020-Apr-10 20:25 UTC
[Samba] Users' Home Folders - conflicting advice in WiKi
The way I do it, I create the home folder share on the server and set the required ACLs as in the wiki. Then I fill in the field in the ADUC Pane, Profile Path. Then I click ok. At that point, ADUC should open a connection to the share, create the new folder, set the acl correctly and then change the ownership.

pam_mkhomedir is for when you're logging in say via SSH and unix needs somewhere to put your dot files. It's not automatically mounted from the user home share. These are two separate concepts. pam_mkhomedir, as far as I know, never automatically creates home directories on the server in the user profile share.

On 10/04/2020 21:17, Viktor Trojanovic via samba wrote:
>
> On 10.04.2020 20:22, Rowland penny via samba wrote:
>> On 10/04/2020 18:02, Roy Eastwood via samba wrote:
>>> Rowland,
>>>
>>> In the Wiki page "User Home Folders", Section 2.1 "Using Windows ACLs"
>>> correctly describes how to set permissions to allow the Windows program
>>> Active Directory Users and Computers to automatically create the
>>> user's home folder. But in the next section "Creating the Home folder
>>> for a New User" 3.1 "Using Windows ACLs", the blue box states that ADUC
>>> cannot automatically create home folders on a 'unix' machine. Do you
>>> literally mean unix? Certainly on my Linux (Debian) machine it works OK.
>>> Perhaps this boxed comment needs amendment?
>>>
>>> Cheers,
>>>
>>> Roy
>>>
>> 'unix' = any version of Unix, Linux is a version of Unix.
>>
>> Are you sure that ADUC is creating the users home directory on your
>> Linux machines ?
>>
>> As far as I am aware Samba doesn't have the code to do this and ADUC
>> running on Windows has no ability to do it either.
>>
>> It could be that you have pam_mkhomedir set in your PAM stack and it
>> is this that is creating your users home directories at login.
>>
>> Myself and Louis collaborated to write a 'root prexec' script to
>> create the users home directory at Samba connection.
>>
>> To the best of my knowledge, you have to use one or the other method.
>>
>> Rowland
>>
>>
> Actually, this is something I noticed myself a (long) while ago.
>
> I am running Samba AD members on Arch Linux and Ubuntu machines, and
> whatever PAM-config comes with the distro, if anything, is there, I
> never changed or added anything - frankly, I don't know much about it,
> yet. I checked just now and yes, there is a file /etc/pam.conf with
> all lines commented out and multiple small files in /etc/pam.d/ which
> I just grepped for 'mkdir', 'mkhomedir' and 'home'. No results.
>
> And yet, ADUC is creating the home directories for me. Not fully
> automatically, though, I still have to provide ADUC the full name of
> the folder. But still, it's a lot simpler than stated in the Wiki.
>
> Just fyi, I'm currently on 4.9 and 4.10, respectively, but if I
> remember correctly, this worked already with 4.7.
>
> Viktor
>
Rowland penny
2020-Apr-10 20:53 UTC
[Samba] Users' Home Folders - conflicting advice in WiKi
On 10/04/2020 21:25, Alex MacCuish via samba wrote:
> The way I do it, I create the home folder share on the server and set
> the required ACLs as in the wiki. Then I fill in the field in the ADUC
> Pane, Profile Path. Then I click ok. At that point, ADUC should open a
> connection to the share, create the new folder, set the acl correctly
> and then change the ownership.

Hang on, that isn't the users home directory, it is the users Windows profile.

There are a couple of other attributes possibly in play here:

homeDirectory
unixHomeDirectory

The first is for the path to the Windows home directory, e.g. '\\computername\users\username'

The second is for the path to the Unix home directory, e.g. '/home/username'

>
> pam_mkhomedir is for when you're logging in say via SSH and unix needs
> somewhere to put your dot files. It's not automatically mounted from
> the user home share. These are two separate concepts. pam_mkhomedir,
> as far as I know, never automatically creates home directories on the
> server in the user profile share.

If you log in using ssh or directly to the computer, then Samba isn't used and either you must create the users home directory, or use pam_mkhomedir to create it for you.

If you connect to a users home directory via Samba, then the users home directory must exist or you need to create it via a 'root prexec' script, pam_mkhomedir will not be used.

Rowland
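An added example, not part of the thread and not the script Rowland and Louis wrote: a sketch of a home-directory helper that could be called from smb.conf's `root preexec` parameter. Because it runs as root on a name supplied at connection time, it validates the name and refuses symlinks before creating anything. The script path, the `HOME_BASE` variable and the assumption that `%U` arrives without a domain prefix are all hypothetical.

```shell
#!/bin/sh
# Hypothetical wiring in smb.conf (path is an assumption):
#   [homes]
#       root preexec = /usr/local/sbin/mkhome.sh %U
#       root preexec close = yes    # drop the connection if the helper fails
HOME_BASE="${HOME_BASE:-/home}"     # assumed parent of all home directories

# make_home USER
# Returns 0 if a real directory for USER exists afterwards,
# 2 for a rejected name, 3 for an unsafe existing path, 4/5 on create/chown failure.
make_home() {
    user="$1"
    # Reject empty names, dot entries, path separators and option-like names.
    case "$user" in
        ''|.|..|*/*|-*) return 2 ;;
    esac
    # Allow only a conservative character set (assumes no DOMAIN\ prefix).
    case "$user" in
        *[!A-Za-z0-9._-]*) return 2 ;;
    esac
    dir="$HOME_BASE/$user"
    # A symlink here could redirect a root-owned chown elsewhere: refuse it.
    if [ -L "$dir" ]; then return 3; fi
    if [ -d "$dir" ]; then return 0; fi
    if [ -e "$dir" ]; then return 3; fi
    # No -p: mkdir fails if something appears at the path in the meantime.
    mkdir -m 0700 "$dir" || return 4
    # Ownership can only be handed over when running as root (as Samba does).
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dir" || { rmdir "$dir"; return 5; }
    fi
    return 0
}

# When invoked as a script with the user name as its argument.
if [ "$#" -gt 0 ]; then
    make_home "$1"
    exit $?
fi
```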
Andrew Walker
2020-Apr-11 18:33 UTC
[Samba] Users' Home Folders - conflicting advice in WiKi
On Fri, Apr 10, 2020 at 4:25 PM Alex MacCuish via samba <samba at lists.samba.org> wrote:
> The way I do it, I create the home folder share on the server and set
> the required ACLs as in the wiki. Then I fill in the field in the ADUC
> Pane, Profile Path. Then I click ok. At that point, ADUC should open a
> connection to the share, create the new folder, set the acl correctly
> and then change the ownership.
>
> pam_mkhomedir is for when you're logging in say via SSH and unix needs
> somewhere to put your dot files. It's not automatically mounted from the
> user home share. These are two separate concepts. pam_mkhomedir, as far
> as I know, never automatically creates home directories on the server in
> the user profile share.
>

In some situations pam_mkhomedir can be used to auto-create home directories over SMB if you have "obey pam restrictions = yes" under [global].