Jelle de Jong
2020-Apr-30  20:40 UTC
[Samba] how to use root preexec on user share with %U not as root user
On 2020-04-30 10:12, Rowland penny via samba wrote:
> On 30/04/2020 00:25, Jelle de Jong via samba wrote:
>> Hello everybody,
>>
>> I am trying to get samba 4 to make a user dir without the use of ADUC
>> to set the homeDirectory, but with samba-tool user create only.
>>
>> I created a root preexec but the %U is filled with root and not the
>> username of the user.
>>
>> I need to use [users] and not the old [homes] because I got a GPO for
>> redirection to the //server/users/%USERNAME% and I need this folder to
>> be created before the first logon of the user otherwise it seems to go
>> bad.
>>
>> [users]
>>     path = /srv/storage/users/
>>     read only = No
>>     root preexec = /usr/local/bin/samba-mkdir-home %U
>>
>> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/
>> if [ ! -e /srv/storage/users/$1 ]; then
>>     mkdir /srv/storage/users/$1
>>     chown "$1":"domain user" /srv/storage/users/$1
>> fi
>>
>> Kind regards,
>>
>> Jelle de Jong
>>
> Define 'first logon'.
>
> If it is logging on via ssh or direct to the computer (via lightdm etc),
> then you would use pam_mkhomedir instead
>
> That doesn't work if just connecting to a Samba share, so you have two
> options here:
>
> Create a share:
>
> [users]
>
>     path = /path/to/users
>
>     read only = no
>
> Restart Samba
>
> The first option is:
>
> Go to ADUC, select a user, right click, select 'Options' and then the
> 'Profiles' tab. At the bottom of the 'Profiles' tab select a letter e.g.
> 'H:' then the shares UNC e.g. //Samba_servers_hostname/users/username,
> now click 'Apply', this should create the users homedir on the Samba
> server.
>
> The second option relies on adding a line to the share:
>
>     root preexec = /path/to/a/script %H %U
>
> This will cause the script to be run whenever a user connects to the
> share and pass the users homedir path and username to the script. With
> this option, you do not need to touch the users profile tab in ADUC.

First logon is I use samba-tool to add the user then I go to a Windows 10 Pro domain member system and logon to the machine. The \\SAMBA01\users\lgaga folder will not be there.....

    samba-tool user create lgaga passwd --login-shell /bin/bash --given-name "Lady Gaga" --home-drive=H --home-directory="\\\SAMBA01\users\lgaga"

Could you or others share (send) the /path/to/a/script you use because when I try to use my script above the user always is root, and I need a smarter script that sets the setfacl correct with Windows ACL instead of posix acl.

Kind regards,

Jelle de Jong
Rowland penny
2020-Apr-30  21:14 UTC
[Samba] how to use root preexec on user share with %U not as root user
On 30/04/2020 21:40, Jelle de Jong via samba wrote:
>
> First logon is I use samba-tool to add the user then I go to a
> Windows 10 Pro domain member system and logon to the machine. The
> \\SAMBA01\users\lgaga folder will not be there.....

It will not be there, samba-tool doesn't have the code to create the users folder, but when created on Windows, Windows does.

>
> samba-tool user create lgaga passwd --login-shell /bin/bash
> --given-name "Lady Gaga" --home-drive=H
> --home-directory="\\\SAMBA01\users\lgaga"
>
> Could you or others share (send) the /path/to/a/script you use because
> when I try to use my script above the user always is root, and I
> need a smarter script that sets the setfacl correct with Windows ACL
> instead of posix acl.

The problem is, to get it to work correctly, you need to ensure that you do not change the users homeDirectory attribute (this is what '--home-directory' sets). Also a 'root preexec' script is obviously run as 'root', so of course any directories will be created with root ownership. This means the script needs to change ownership etc.

I have a script that will give you pointers, it isn't really tested, but you are welcome to a copy.

Rowland
Jelle de Jong
2020-Apr-30  21:27 UTC
[Samba] how to use root preexec on user share with %U not as root user
On 2020-04-30 23:14, Rowland penny via samba wrote:
> On 30/04/2020 21:40, Jelle de Jong via samba wrote:
>>
>> First logon is I use samba-tool to add the user then I go to a
>> Windows 10 Pro domain member system and logon to the machine. The
>> \\SAMBA01\users\lgaga folder will not be there.....
> It will not be there, samba-tool doesn't have the code to create the
> users folder, but when created on Windows, Windows does.
>>
>> samba-tool user create lgaga passwd --login-shell /bin/bash
>> --given-name "Lady Gaga" --home-drive=H
>> --home-directory="\\\SAMBA01\users\lgaga"
>>
>> Could you or others share (send) the /path/to/a/script you use because
>> when I try to use my script above the user always is root, and I
>> need a smarter script that sets the setfacl correct with Windows ACL
>> instead of posix acl.
>
> The problem is, to get it to work correctly, you need to ensure that you
> do not change the users homeDirectory attribute (this is what
> '--home-directory' sets). Also a 'root preexec' script is obviously run
> as 'root', so of course any directories will be created with root
> ownership. This means the script needs to change ownership etc.
>
> I have a script that will give you pointers, it isn't really tested, but
> you are welcome to a copy.
>
> Rowland

I did some debugging and found I had a bug in the original script I shared: "domain user" instead of "domain users", and therefore the owner never got changed...

[users]
    path = /srv/storage/users/
    read only = No
    root preexec = /usr/local/bin/samba-mkdir-home %U %H

# $1 is the username passed by smbd as %U
id "$1"
# only create the directory for a known user, and only if it is missing
if [ $? -eq 0 ] && [ ! -e "/srv/storage/users/$1" ]; then
    mkdir "/srv/storage/users/$1"
    chown "$1":"domain users" "/srv/storage/users/$1"
fi
exit 0

The %H is indeed not very useful as it is set to /home/SAMDOM/lgaga if I do not use template homedir = /home/%U

The --home-drive=H and --home-directory="\\\SAMBA01\users\lgaga" are not actually doing anything?? For me, it does set the options in the profile and they are visible with ADUC but there is never a network mount H: when I logon with the user on Windows 10 Pro... I have to use a GPO or --script-path=netlogon.bat with net use...

What is the homeDirectory and homeDrive doing in Windows 10 Pro?

Kind regards,

Jelle de Jong
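
An added example, not part of any post in this thread and not Samba project code: a hardened variant of the samba-mkdir-home helper discussed above, written for a script that runs as root on a name handed in as %U. It assumes %U arrives as a plain account name (no DOMAIN\ prefix); BASE and GROUP default to the thread's values, and the function names and return codes are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): hardened samba-mkdir-home for
#   root preexec = /usr/local/bin/samba-mkdir-home %U
# Assumption: %U is a plain account name such as "lgaga".
BASE="${BASE:-/srv/storage/users}"   # share path used in the thread
GROUP="${GROUP:-domain users}"       # group used in the thread

# Accept only simple names: no "/", no leading "-" or ".", no whitespace.
valid_username() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Return codes (this example's own): 0 ok, 2 bad name, 3 unknown user,
# 4 path exists but is not a real directory, 5 mkdir failed, 6 chown failed.
make_home() {
    user="$1"
    valid_username "$user" || return 2
    id "$user" >/dev/null 2>&1 || return 3
    dir="$BASE/$user"
    # The share is writable, so never adopt a symlink or file planted there.
    if [ -L "$dir" ]; then return 4; fi
    if [ -d "$dir" ]; then return 0; fi
    if [ -e "$dir" ]; then return 4; fi
    # mkdir without -p fails if the name appears in between, so the chown
    # below only ever touches a directory this script just created.
    mkdir -m 0700 -- "$dir" || return 5
    chown -- "$user:$GROUP" "$dir" || return 6
    return 0
}

# Run only when called with an argument, as smbd does via root preexec.
if [ "$#" -gt 0 ]; then
    make_home "$1" || echo "samba-mkdir-home: failed for '$1' (code $?)" >&2
    exit 0   # same exit status as the thread's final script
fi
```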