> What creates the homedir ? SSH by itself will not do this, you need to
> use pam-mkhomedir.

I used a script I found online and that works. It creates the directory
owned by the user and group domain users. I wasn't sure if this is still
the preferred way of doing it since it first appeared years ago but it does
create the dir with the ad user uid and gid.

# stat username/
  File: username/
  Size: 64              Blocks: 0          IO Block: 4096   directory
Device: 28h/40d         Inode: 1274        Links: 1
Access: (0700/drwx------)  Uid: (111123/username)   Gid: (110513/domain users)
Access: 2021-10-13 03:31:06.005020902 -0400
Modify: 2021-10-13 03:31:06.006020881 -0400
Change: 2021-10-13 03:31:06.006020881 -0400
 Birth: 2021-10-13 03:31:06.005020902 -0400

[home]
comment = Home Directories
browseable = no
writable = yes
read only = no # newly added
create mask = 0700 # newly added
directory mask = 0700 # newly added
path = /home/INTERNAL/%S
valid users = %S
; valid users = %S %D%w%S
root preexec = /usr/local/sbin/mkhomedir.sh %U

/usr/local/sbin/mkhomedir.sh:
#!/bin/bash

useradd $1
if [ ! -e /home/INTERNAL/$1 ]; then
  echo "Creating /home/INTERNAL/$1" >> /etc/samba/create_user.txt
  useradd $1 -m -b /home/INTERNAL
  #mkdir /home/INTERNAL/$1
  #chown $1:"Domain Users" /home/INTERNAL/$1
fi
exit 0

ssh username at localhost
username at localhost's password:
Last failed login: Tue Oct 12 22:17:59 EDT 2021 on tty1
There was 1 failed login attempt since the last successful login.
Could not chdir to home directory /home/INTERNAL/username: Permission denied
Connection to localhost closed.

If I comment out the permissions under [home]:

sh username at localhost
username at localhost's password:
Last login: Wed Oct 13 18:13:22 2021 from ::1
Connection to localhost closed.

Both times, the directory is created with the same permissions:

la
total 0
drwx--x--x. 1 root     root         18 Oct 13 17:55 .
drwxr-xr-x. 1 root     root         34 Oct 12 22:29 ..
drwx------  1 username domain users 64 Oct 13 17:55 username

stat username/
  File: username/
  Size: 64              Blocks: 0          IO Block: 4096   directory
Device: 28h/40d         Inode: 1281        Links: 1
Access: (0700/drwx------)  Uid: (111123/username)   Gid: (110513/domain users)
Access: 2021-10-13 17:55:12.679918668 -0400
Modify: 2021-10-13 17:55:12.680918657 -0400
Change: 2021-10-13 17:55:12.680918657 -0400
 Birth: 2021-10-13 17:55:12.679918668 -0400

la /home/INTERNAL/username/
total 12K
drwx------  1 username domain users  64 Oct 13 18:15 .
drwx--x--x. 1 root     root          18 Oct 13 18:15 ..
-rw-------  1 username domain users  18 Oct 13 18:15 .bash_logout
-rw-------  1 username domain users 141 Oct 13 18:15 .bash_profile
-rw-------  1 username domain users 492 Oct 13 18:15 .bashrc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.

I've added session optional pam_mkhomedir.so to /etc/pam.d/system-auth but
that didn't help.

I didn't try on the DC, I've only been trying on the member that I was able
to join to the domain even though there are still dns issues until now.

ssh username at localhost
username at localhost's password:
Permission denied, please try again.
username at localhost's password:
Permission denied, please try again.
username at localhost's password:
username at localhost: Permission denied (publickey,password).

On Wed, Oct 13, 2021 at 5:01 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 2021-10-13 at 04:27 -0400, Rob Campbell via samba wrote:
> > I am able to ssh user at localhost with the samba user I created from any
> > computer with a working and related smb.conf. ssh sambauser at localhost
> > If there is no linux account it creates the home directory but it
> > doesn't allow the user to log in.
>
> What creates the homedir ? SSH by itself will not do this, you need to
> use pam-mkhomedir.
>
> > I have to create the user on the local machine.
>
> Well stop doing that, you cannot have the user in /etc/passwd and AD,
> the local user will take precedence and have a different ID number.
>
> > I'm not able to have the user local account created when I log in as
> > that user? Every computer I have that I want to allow enterprise login
> > via Gnome
>
> I cannot help you with Gnome, I do not use it.
>
> > (which I haven't gotten to work yet), I will have to create all the
> > users on those computers before people can log in?
>
> No, you need to set up your distro to create the homedir at login, I
> could tell you how to do this if you were using Debian, but you are
> using fedora and I haven't a clue.
>
> > I am able to smbclient //fs01/Photos -c 'ls' -U sambauser and it will
> > show me the files and dirs of that share.
>
> A homedir isn't really a share and you need to use 'root preexec' to
> run a script to create homedirs if you connect via Samba.
>
> > I have a share named home and it will not allow me to see that.
> >
> > [home]
> > comment = Home Directories
> > browseable = yes
> > writable = yes
> > path = /home/%D/%U
> > valid users = %U
>
> Change it to this:
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %S
>
> Add a line in [global] similar to this:
>
> template homedir = /home/%U
>
> > I've tried setting the path to /home/%U for the user accounts
> > that previously had linux ids and I get the same thing
> > smbclient //fs01/home -U username -c 'ls'
> > Enter INTERNAL\username's password:
> > NT_STATUS_ACCESS_DENIED listing \*
>
> The permissions are probably wrong on the share and the user should be
> connecting to their own share, not the base.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 10/13/21 17:48, Rob Campbell via samba wrote:

>> What creates the homedir ? SSH by itself will not do this, you need to
>> use pam-mkhomedir.
>
> I used a script I found online and that works. It creates the directory
> owned by the user and group domain users. I wasn't sure if this is still
> the preferred way of doing it since it first appeared years ago but it does
> create the dir with the ad user uid and gid.
>
> # stat username/
>   File: username/
>   Size: 64              Blocks: 0          IO Block: 4096   directory
> Device: 28h/40d         Inode: 1274        Links: 1
> Access: (0700/drwx------)  Uid: (111123/username)   Gid: (110513/domain users)
> Access: 2021-10-13 03:31:06.005020902 -0400
> Modify: 2021-10-13 03:31:06.006020881 -0400
> Change: 2021-10-13 03:31:06.006020881 -0400
>  Birth: 2021-10-13 03:31:06.005020902 -0400
>
> [home]
> comment = Home Directories
> browseable = no
> writable = yes
> read only = no # newly added

writable = yes and read only = no do exactly the same thing; you don't need both.

> create mask = 0700 # newly added
> directory mask = 0700 # newly added
> path = /home/INTERNAL/%S
> valid users = %S
> ; valid users = %S %D%w%S
> root preexec = /usr/local/sbin/mkhomedir.sh %U
>
> /usr/local/sbin/mkhomedir.sh:
> #!/bin/bash
>
> useradd $1
> if [ ! -e /home/INTERNAL/$1 ]; then
>   echo "Creating /home/INTERNAL/$1" >> /etc/samba/create_user.txt
>   useradd $1 -m -b /home/INTERNAL
>   #mkdir /home/INTERNAL/$1
>   #chown $1:"Domain Users" /home/INTERNAL/$1
> fi
> exit 0

I'm not following why you're running useradd -- isn't this machine bound to a domain? Then the user should already exist; you don't want to add them locally. Even less explicable is why useradd is run twice.

> ssh username at localhost
> username at localhost's password:
> Last failed login: Tue Oct 12 22:17:59 EDT 2021 on tty1
> There was 1 failed login attempt since the last successful login.
> Could not chdir to home directory /home/INTERNAL/username: Permission denied
> Connection to localhost closed.
>
> If I comment out the permissions under [home]:
>
> sh username at localhost
> username at localhost's password:
> Last login: Wed Oct 13 18:13:22 2021 from ::1
> Connection to localhost closed.
>
> Both times, the directory is created with the same permissions:
>
> la
> total 0
> drwx--x--x. 1 root     root         18 Oct 13 17:55 .
> drwxr-xr-x. 1 root     root         34 Oct 12 22:29 ..
> drwx------  1 username domain users 64 Oct 13 17:55 username
>
> stat username/
>   File: username/
>   Size: 64              Blocks: 0          IO Block: 4096   directory
> Device: 28h/40d         Inode: 1281        Links: 1
> Access: (0700/drwx------)  Uid: (111123/username)   Gid: (110513/domain users)
> Access: 2021-10-13 17:55:12.679918668 -0400
> Modify: 2021-10-13 17:55:12.680918657 -0400
> Change: 2021-10-13 17:55:12.680918657 -0400
>  Birth: 2021-10-13 17:55:12.679918668 -0400
>
> la /home/INTERNAL/username/
> total 12K
> drwx------  1 username domain users  64 Oct 13 18:15 .
> drwx--x--x. 1 root     root          18 Oct 13 18:15 ..
> -rw-------  1 username domain users  18 Oct 13 18:15 .bash_logout
> -rw-------  1 username domain users 141 Oct 13 18:15 .bash_profile
> -rw-------  1 username domain users 492 Oct 13 18:15 .bashrc
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
> I've added session optional pam_mkhomedir.so to /etc/pam.d/system-auth but
> that didn't help.
>
> I didn't try on the DC, I've only been trying on the member that I was able
> to join to the domain even though there are still dns issues until now.
>
> ssh username at localhost
> username at localhost's password:
> Permission denied, please try again.
> username at localhost's password:
> Permission denied, please try again.
> username at localhost's password:
> username at localhost: Permission denied (publickey,password).
>
> On Wed, Oct 13, 2021 at 5:01 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Wed, 2021-10-13 at 04:27 -0400, Rob Campbell via samba wrote:
>>> I am able to ssh user at localhost with the samba user I created from any
>>> computer with a working and related smb.conf. ssh sambauser at localhost
>>> If there is no linux account it creates the home directory but it
>>> doesn't allow the user to log in.
>>
>> What creates the homedir ? SSH by itself will not do this, you need to
>> use pam-mkhomedir.
>>
>>> I have to create the user on the local machine.
>>
>> Well stop doing that, you cannot have the user in /etc/passwd and AD,
>> the local user will take precedence and have a different ID number.
>>
>>> I'm not able to have the user local account created when I log in as
>>> that user? Every computer I have that I want to allow enterprise login
>>> via Gnome
>>
>> I cannot help you with Gnome, I do not use it.
>>
>>> (which I haven't gotten to work yet), I will have to create all the
>>> users on those computers before people can log in?
>>
>> No, you need to set up your distro to create the homedir at login, I
>> could tell you how to do this if you were using Debian, but you are
>> using fedora and I haven't a clue.
>>
>>> I am able to smbclient //fs01/Photos -c 'ls' -U sambauser and it will
>>> show me the files and dirs of that share.
>>
>> A homedir isn't really a share and you need to use 'root preexec' to
>> run a script to create homedirs if you connect via Samba.
>>
>>> I have a share named home and it will not allow me to see that.
>>>
>>> [home]
>>> comment = Home Directories
>>> browseable = yes
>>> writable = yes
>>> path = /home/%D/%U
>>> valid users = %U
>>
>> Change it to this:
>>
>> [homes]
>> comment = Home Directories
>> browseable = no
>> read only = no
>> create mask = 0700
>> directory mask = 0700
>> valid users = %S
>>
>> Add a line in [global] similar to this:
>>
>> template homedir = /home/%U
>>
>>> I've tried setting the path to /home/%U for the user accounts
>>> that previously had linux ids and I get the same thing
>>> smbclient //fs01/home -U username -c 'ls'
>>> Enter INTERNAL\username's password:
>>> NT_STATUS_ACCESS_DENIED listing \*
>>
>> The permissions are probably wrong on the share and the user should be
>> connecting to their own share, not the base.
>>
>> Rowland
On Wed, 2021-10-13 at 18:48 -0400, Rob Campbell wrote:

> > What creates the homedir ? SSH by itself will not do this, you need
> > to use pam-mkhomedir.
>
> I used a script I found online and that works. It creates the
> directory owned by the user and group domain users. I wasn't sure if
> this is still the preferred way of doing it since it first appeared
> years ago but it does create the dir with the ad user uid and gid.
>
> # stat username/
>   File: username/
>   Size: 64              Blocks: 0          IO Block: 4096   directory
> Device: 28h/40d         Inode: 1274        Links: 1
> Access: (0700/drwx------)  Uid: (111123/username)   Gid: (110513/domain users)
> Access: 2021-10-13 03:31:06.005020902 -0400
> Modify: 2021-10-13 03:31:06.006020881 -0400
> Change: 2021-10-13 03:31:06.006020881 -0400
>  Birth: 2021-10-13 03:31:06.005020902 -0400
>
> [home]
> comment = Home Directories
> browseable = no
> writable = yes
> read only = no # newly added
> create mask = 0700 # newly added
> directory mask = 0700 # newly added
> path = /home/INTERNAL/%S
> valid users = %S
> ; valid users = %S %D%w%S
> root preexec = /usr/local/sbin/mkhomedir.sh %U
>
> /usr/local/sbin/mkhomedir.sh:
> #!/bin/bash
>
> useradd $1
> if [ ! -e /home/INTERNAL/$1 ]; then
>   echo "Creating /home/INTERNAL/$1" >> /etc/samba/create_user.txt
>   useradd $1 -m -b /home/INTERNAL
>   #mkdir /home/INTERNAL/$1
>   #chown $1:"Domain Users" /home/INTERNAL/$1
> fi
> exit 0
>
> ssh username at localhost
> username at localhost's password:
> Last failed login: Tue Oct 12 22:17:59 EDT 2021 on tty1
> There was 1 failed login attempt since the last successful login.
> Could not chdir to home directory /home/INTERNAL/username: Permission denied
> Connection to localhost closed.
>
> If I comment out the permissions under [home]:
>
> sh username at localhost
> username at localhost's password:
> Last login: Wed Oct 13 18:13:22 2021 from ::1
> Connection to localhost closed.
>
> Both times, the directory is created with the same permissions:
>
> la
> total 0
> drwx--x--x. 1 root     root         18 Oct 13 17:55 .
> drwxr-xr-x. 1 root     root         34 Oct 12 22:29 ..
> drwx------  1 username domain users 64 Oct 13 17:55 username
>
> stat username/
>   File: username/
>   Size: 64              Blocks: 0          IO Block: 4096   directory
> Device: 28h/40d         Inode: 1281        Links: 1
> Access: (0700/drwx------)  Uid: (111123/username)   Gid: (110513/domain users)
> Access: 2021-10-13 17:55:12.679918668 -0400
> Modify: 2021-10-13 17:55:12.680918657 -0400
> Change: 2021-10-13 17:55:12.680918657 -0400
>  Birth: 2021-10-13 17:55:12.679918668 -0400
>
> la /home/INTERNAL/username/
> total 12K
> drwx------  1 username domain users  64 Oct 13 18:15 .
> drwx--x--x. 1 root     root          18 Oct 13 18:15 ..
> -rw-------  1 username domain users  18 Oct 13 18:15 .bash_logout
> -rw-------  1 username domain users 141 Oct 13 18:15 .bash_profile
> -rw-------  1 username domain users 492 Oct 13 18:15 .bashrc

That script will never work with AD and even if it did, it wouldn't work
with SSH, you need to use PAM (oddjob-mkhomedir on fedora, I think).

Rowland
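The thread's two objections to the posted script are that it calls useradd on a domain-joined member (where the AD account already resolves through winbind) and that it runs as root with a client-supplied name. Below is an added example of a 'root preexec' helper written for this discussion; it is not the thread's script and not Samba project code. It assumes home directories live under /home/INTERNAL (taken from the thread), that the skeleton directory is /etc/skel, that a log file under /var/log/samba is writable by root, and that account names contain only letters, digits, dot, underscore and hyphen (an assumption; names with a DOMAIN\ prefix would need a different check). The MKHOMEDIR_PASSWD_FILE variable is an assumed hook that replaces the getent lookup with a passwd-format file so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: create an AD user's home directory from 'root preexec'
# on a Samba member server without useradd. The account is looked up with
# getent (winbind/sssd via nsswitch) and the directory gets the uid/gid
# that lookup returns, so a same-named local account cannot be picked up.

HOMEDIR_BASE="${HOMEDIR_BASE:-/home/INTERNAL}"           # from the thread
SKEL_DIR="${SKEL_DIR:-/etc/skel}"                        # assumption
LOG_FILE="${LOG_FILE:-/var/log/samba/mkhomedir.log}"     # assumption

# Accept only a plain account name. The script runs as root and %U comes
# from the connecting client, so this is what keeps the argument from
# becoming a path component ('../x'), an option ('-r') or a shell word.
valid_username() {
    case "$1" in
        ''|-*|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the passwd entry (user:x:uid:gid:gecos:home:shell) for $1, or
# nothing if the account is unknown. MKHOMEDIR_PASSWD_FILE is an assumed
# testing hook; production uses getent.
lookup_passwd() {
    if [ -n "${MKHOMEDIR_PASSWD_FILE:-}" ]; then
        awk -F: -v u="$1" '$1 == u { print; exit }' "$MKHOMEDIR_PASSWD_FILE"
    else
        getent passwd "$1"
    fi
}

# Create $HOMEDIR_BASE/<user> with mode 0700, owned by the numeric ids from
# the lookup, seeded from SKEL_DIR. Returns 0 if the directory exists
# afterwards (including when it already did), 1 on a bad name, an unknown
# account, or a filesystem error.
make_homedir() {
    user="$1"
    valid_username "$user" || { echo "mkhomedir: rejected name" >&2; return 1; }
    entry="$(lookup_passwd "$user")"
    [ -n "$entry" ] || { echo "mkhomedir: unknown account $user" >&2; return 1; }
    uid="$(printf '%s\n' "$entry" | cut -d: -f3)"
    gid="$(printf '%s\n' "$entry" | cut -d: -f4)"
    dir="$HOMEDIR_BASE/$user"
    [ -d "$dir" ] && return 0
    # -m sets the mode at creation, so there is no window with umask defaults.
    mkdir -p -m 0700 "$dir" || return 1
    if [ -d "$SKEL_DIR" ]; then
        cp -R "$SKEL_DIR/." "$dir/" || return 1
    fi
    # Numeric uid:gid, never the name, so the AD ids from the lookup win.
    chown -R "$uid:$gid" "$dir" || return 1
    chmod 0700 "$dir" || return 1
    printf '%s created %s uid=%s gid=%s\n' "$(date -u +%FT%TZ)" "$dir" "$uid" "$gid" \
        >> "$LOG_FILE" 2>/dev/null
    return 0
}

# Entry point for smb.conf:  root preexec = /usr/local/sbin/mkhomedir.sh %U
# (the install path is assumed). Exit 0 regardless, as the thread's script
# does; with 'root preexec close = yes' a nonzero status would instead
# refuse the connection, so pick one behaviour deliberately.
if [ $# -gt 0 ]; then
    make_homedir "$1"
    exit 0
fi
```

For SSH logins this script does nothing; as the reply above says, that path needs pam_mkhomedir or oddjob-mkhomedir in the PAM stack. One further caveat on the posted [home] block: smb.conf has no trailing-comment syntax, so text such as `# newly added` after a value is read as part of the value; testparm shows how each line was actually parsed.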