The Wiki page here:

https://wiki.samba.org/index.php/Windows_User_Home_Folders

states: "When you set up the users share using POSIX access control lists (ACL), you must create the home folder for each new user manually."

That's simply wrong. This works, but not quite how I expected. Using RSAT, I go to the user's Profile tab and enter

    Connect: H: \\data2\home\mduffy

As soon as I apply this, the home folder is indeed created:

    root@data2:/home# ls
    mduffy  patrickgoetz  pgoetz

(mduffy was not there prior to editing the mduffy Profile using RSAT) and domain user mduffy has full access:

    root@data2:/home# su - mduffy
    mduffy@data2:~$ pwd
    /home/mduffy
    mduffy@data2:~$ touch foo
    mduffy@data2:~$ ls -l foo
    -rw-rw----+ 1 mduffy domain users 0 Nov 5 03:34 foo
    mduffy@data2:~$ rm foo
    mduffy@data2:~$ ls
    mduffy@data2:~$

However, the permissions are not exactly what I was expecting:

    root@data2:/home# getfacl mduffy
    # file: mduffy
    # owner: root
    # group: root
    user::rwx
    user:root:rwx
    user:mduffy:rwx
    group::---
    group:root:---
    group:BUILTIN\\administrators:rwx
    group:mduffy:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:mduffy:rwx
    default:group::---
    default:group:root:---
    default:group:BUILTIN\\administrators:rwx
    default:group:mduffy:rwx
    default:mask::rwx
    default:other::---

It's a bit weird that root owns the user's home folder, but of course the accompanying POSIX ACLs make this transparent to the user. I think this is an illustration of what Jeremy Allison meant in a recent post to the list that Samba goes to great lengths to make both Windows and Linux users experience expected behavior when using POSIX ACLs on the file system, and the preceding illustrates this. As a long-time Linux admin, these permissions are a bit unnerving until you think about how default Windows filesystem permissions are structured. Then given that, this is pretty ingenious.
Kudos to the Samba team for thinking this through, but the Wiki page on this is completely misleading and incorrect.

Originally (because of the incorrect Wiki page on User Home Folders), I thought I needed to do something like this to make this work:

    # cd /
    # chmod 770 home
    # setfacl -m g:"domain admins":rwx

but as soon as you let the DC auto-create a user's home folder you realize Domain Admins isn't even involved in this process; it's a BUILTIN admin that's in charge.

Aside: the thing about POSIX ACLs that trips up most people (including me when I first started using them) is the principle of "least surprise", or whatever they call it. In the example above, you have to give the root *group* write permission on /home or the *effective* permissions of Domain Admins in the above end up being r-x, and Domain Admins won't be able to write to the home folder.

Given this, I'm a bit confused why this ACL:

    group:root:---

isn't preventing this one from working properly:

    group:BUILTIN\\administrators:rwx

given that:

    root@data2:/data/home# ls -ld mduffy
    drwxrwx---+ 2 root root 4096 Nov 5 03:34 mduffy

i.e. the primary group on the folder is root.

And, a couple of functional follow-up questions, since I'm not a Windows guy:

Isn't it normally the case that the Domain Admins group has "full access" to the entire filesystem? In that case, one would want to do this:

    # setfacl -d -m g:"domain admins":rwx my_share_folder

and if there are already files/folders there:

    # setfacl -R -m g:"domain admins":rwX my_share_folder

The question is when Windows users subsequently pull up the Security tab on a file/folder in the my_share_folder, will it show Domain Admins as having Full Control?
Finally, I don't recall specifying the use of POSIX ACLs in smb.conf other than this, which I thought applied generically to Windows and POSIX ACLs:

    vfs objects = acl_xattr

For some reason every smb.conf example also shows

    map acl inherit = Yes
    store dos attributes = Yes

but according to the documentation, these are automatically enforced when "vfs objects = acl_xattr", so are unnecessary. (That's also a question.)

How does Samba know I want to use POSIX ACLs?
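
The effective-permission behaviour discussed in the post, as an added example that is not part of the original message: a small Python model of the POSIX ACL access check described in acl(5), run against the getfacl output shown for mduffy. The function names, the account admin1 and its group memberships are constructed for illustration, and the model covers only the kernel's POSIX ACL check, not uid 0's capability override or anything Samba does with its own NT ACLs.

```python
# ACL copied from the getfacl output in the post (access entries only).
ACL_TEXT = r"""
# owner: root
# group: root
user::rwx
user:root:rwx
user:mduffy:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:mduffy:rwx
mask::rwx
other::---
"""

def parse(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier) to a permission set."""
    meta, entries = {}, {}
    for line in text.strip().splitlines():
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        else:
            tag, qual, perms = line.split(":")
            # getfacl prints a backslash inside a name as "\\"
            entries[(tag, qual.replace(r"\\", "\\"))] = set(perms) - {"-"}
    return meta["owner"], meta["group"], entries

def with_mask(acl, perms):
    """Copy of acl with a new mask, which is what chmod's group bits change on a file that has an ACL."""
    owner, group, e = acl
    return owner, group, {**e, ("mask", ""): set(perms) - {"-"}}

def allowed(acl, user, groups, want):
    """POSIX ACL access check per acl(5); uid 0 / CAP_DAC_OVERRIDE is not modelled."""
    owner, group, e = acl
    want, mask = set(want), e.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= e[("user", "")]            # owner entry: mask not applied
    if ("user", user) in e:
        return want <= (e[("user", user)] & mask)  # named user: limited by mask
    matches = [p for (tag, q), p in e.items()
               if tag == "group" and (q or group) in groups]
    if matches:
        # Any one matching group entry can grant; a "---" entry is not a veto.
        return any(want <= (p & mask) for p in matches)
    return want <= e[("other", "")]
```

With the mask at rwx, a member of both root and BUILTIN\administrators is granted rwx through the administrators entry; with the mask reduced to r-x, every named user and group entry loses write.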