Hi Anders,
Mason, can you share your security settings on .../Top/Home? I might
have> an issue with creating folders on the top level.
>
Anders, I have an unusual setup using nested shares, where \\fs1\Top is the
parent share, which corresponds to the POSIX path /srv/samba/Top/ and
multiple nested shares setup similarly to \\fs1\Home at
/srv/samba/Top/Home/. I chose to use nested shares so that I could
optimize my use of Windows ACL inheritance. In the Windows world, it's
generally considered a bad idea to use nested shares, but with Samba, given
that we pretty much have to use RSAT to set inheritable Windows ACLs, this
was the only way I found to do this. However, if you're not trying to
optimize your Windows ACL inheritance, then you can just ignore the Top
share and just look at what I do with the Home share.
It's important to note that what I have shared below is not the full
picture of my permissions system, so for example what you see below will
not enable you to automatically create user home folders when a user is
added to AD. I've just shared the parts that I think are relevant to
getting per user recycle bins working in home folders.
My home folders security settings assume a few things that may not be true
in your environment, so I'll share what I do and you can work out whether
it applies to you or not. Much of this is covered in the Samba wiki, but I
really struggled to put all the pieces together, so hopefully what I share
here will be helpful to you and possibly others. My smb.conf file can be
seen at the end of this email.
*Active Directory Configuration*
Our internal policy requires that we follow these guidelines when
authorizing access to resources:
- Users are grouped together using Domain Global groups
- Permissions applied to resources (shares, files, folders, printers,
etc) must only be applied using Domain Local groups
- Users should only be able to see shares to which they have been
granted access
- Standard built-in groups such as Domain Admins, Domain Users, etc
should not be used for determining access control as they are overly broad
and difficult to audit. Therefore, whenever possible, create new narrowly
scoped groups for applying least privilege access.
- We use Windows ACLs exclusively
Based on the above requirements, we use an *All_Staff* Domain Global group
of which all regular users are members. The *All_Staff* group is a member
of the Domain Local group called *FS1-Home-Users_Special*.
*Windows Shares Permissions*
The *\\fs1\Home* share allows *Change* share permissions to the
*FS1-Home-Users_Special* group.
*Windows ACL Permissions*
The following Windows ACLs are applied to *\\fs1\Home*
- *FS1-Home-Users_Special* group has Read and Execute on 'This folder
only'
- *CREATOR OWNER* has Full Control on 'Subfolders and files only'
######################################################
# Global Config #
######################################################
[global]
kerberos method = system keytab
workgroup = NAME
security = ads
realm = NAME.DOMAIN.TLD
# Logging
log file = /var/log/samba/%m.log
log level = 3
# We're using the RID method of mapping SIDs to UID/GID
idmap config FTLC : range = 2000000-2999999
idmap config FTLC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0
# Enable Windows ACL support and make ACLs maximally compatible with NTFS
ACLs.
# Beyond setting the POSIX ownership and permissions for the share
directory, all ACLs
# should be managed in Windows.
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
# Also enable recyle bin support
vfs objects = acl_xattr recycle
acl_xattr:default acl style = windows
#acl_xattr:ignore system acls = yes # PURE EVIL! If you value your
sanity, don't use this option
map acl inherit = yes
store dos attributes = yes
# Enable extended attributes support
ea support = yes
######################################################
# Global Security Settings #
######################################################
# Disable SMB1, it's too old and too insecure to be used anymore
server min protocol = SMB2
# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false
# Netbios is dead, let's make it obvious
# (we also disable nmb via systemd, so this setting is redundant)
disable netbios = yes
# Whenever possible, encrypt SMB connections between clients
# and the server
smb encrypt = required
# Hide shares from users that don't have permission to see them
access based share enum = yes
######################################################
# Automatic creation of home directories #
######################################################
# !!! Important SELINUX configuration !!!
# For automatic creation of home directories to work,
# you must set two selinux booleans with the following commands:
# setsebool -P samba_create_home_dirs 1
# setsebool -P samba_enable_home_dirs 1
#
# Check that the selinux booleans were correctly set
# getsebool -a | grep samba | grep home
#
# For samba to serve the home dirs, they must be labeled with the
# selinux type 'samba_share_t'
# During the installation of this server a policy was created for the
# /srv/samba/ directory, which ensures all sub-folders/files are labeled
# with samba_share_t. Therefore, as long as the home folders are located
# under /srv/samba/ this labelling will be taken care of.
# --- End of SELINUX configuration ---
# Home directories will be created at this path with %U being replaced by
# the username
template homedir = /srv/samba/Top/Home/%U
# The user's home folder is created when a home folder path is added
# to a user's AD account
[Home]
path = /srv/samba/Top/Home
comment = Share for user home dirs
guest ok = no
read only = no
# Recyle bin
recycle:repository = %U/Recycle_Bin
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:exclude = *.tmp,~$*
recycle:exclude_dir = %U/Recycle_Bin
######################################################
# Standard Shares #
######################################################
[Top]
path = /srv/samba/Top
comment = Parent share sets top level Windows file permission
inheritance
guest ok = no
read only = no
[Backup]
path = /srv/samba/Top/Backup
comment = Create separate folders, with locked down permissions, for
each application
guest ok = no
read only = no
[Admin]
path = /srv/samba/Top/Admin
comment = Tools and documents to help with on-site service
guest ok = no
read only = no
[Software]
path = /srv/samba/Top/Software
comment = Software for installation via GPO
guest ok = no
read only = no
[Shared]
path = /srv/samba/Top/Shared
comment = Company shared files and folders
guest ok = no
read only = no
# Recyle bin
recycle:repository = Recycle_Bin/%U
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:exclude = *.tmp,~$*
recycle:exclude_dir = Recycle_Bin
> Skickat fr?n min iPad
>
> 22 juni 2020 kl. 21:50 skrev Mason Schmitt <mason at
ftlcomputing.com>:
>
> ?
> Hello Anders,
>
> Here's a working example that creates a recycle bin inside the
user's home
> folder.
>
> [Home]
> path = /srv/samba/Top/Home
> comment = Share for user home dirs
> guest ok = no
> read only = no
> # Recyle bin
> recycle:repository = %U/Recycle_Bin
> recycle:versions = Yes
> recycle:keeptree = Yes
> recycle:touch = Yes
> recycle:exclude = *.tmp,~$*
> recycle:exclude_dir = %U/Recycle_Bin
>
> --
>
> Mason
>
> On Mon, 22 Jun 2020 at 12:09, Anders ?stling via samba <
> samba at lists.samba.org> wrote:
>
>> Hi
>> Samba 4.12 on Ubuntu 20.04
>> Windows 10 and 7 clients
>>
>> I have configured recycle on two shares, /Users and /Documents.
>>
>> vfs objects = recycle
>> recycle:versions = yes
>> recycle:keeptree = yes
>>
>> On the Users share I have
>> recycle:repository = /share/data
>>
>> On the Documents share I have
>> recycle:repository = .Papperskorg (recycle bin in Swedish)
>>
>> The Document share recycle works. Folder was created and the test
>> files occured in that folder. However, for the Users share, no folder
>> is created. I guess I have a syntax problem, maybe I should specify
>> something like "= /share/data/%U" to enable per-user bins?
Can't find
>> any good examples to guide me.
>>
>> Grateful for all help, I. now have roaming folders and folder
>> redirection working thanks to the great wiki pages!
>>
>>
>> Anders ?stling
>> +46 768 716 165 (Mobil)
>> +46 431 45 56 01 (Hem)
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>