Greg Sloop <gregs@sloop.net>
2022-Mar-15 20:22 UTC
[Samba] Profile and home-dir permissions
Yeah, I've seen that, but that's not what I'm recalling.

It went something like this...
On this directory only, Domain users have the rights to create folders. (And nothing else)
Inherited permissions on the root give the creator-owner full rights.

This allows the user to create their own profile directory or home directory; and since they'll be the creator-owner they'll get inherited "full" permissions. But they can't access other users' directories because they're not the creator-owner of those directories.

It may well be that I only used this for profile directories.

But it's been a really long time since I last set this up and I can't go back and look at that installation to see how I did it. I thought I'd seen the example either on the list or the Samba Wiki - but perhaps I recall that wrong.

If anyone knows what I'm talking about, and has a pointer, I'd be thrilled! :)

On Tue, Mar 15, 2022 at 12:10 PM Jürgen Echter via samba <samba at lists.samba.org> wrote:

> Hi,
>
> https://wiki.samba.org/index.php/Windows_User_Home_Folders
>
> Hope this helps.
>
> On Tuesday, March 15, 2022 19:30 CET, "Greg Sloop <gregs--- via
> samba" <samba at lists.samba.org> wrote:
>
> Can someone refresh my memory?
>
> I want to create the home and profile base/root directory, and then allow
> "regular-users" to be able to create their home and profile directories (as
> they login the first time) and then get full permission to those. (But they
> wouldn't have permissions to other users home/profile directories.)
>
> I think it's something like the folder creator gets full permissions, but I
> honestly can't recall how to do that.
>
> Any quick reference page somewhere? (Someone has to have created a Wiki
> page, right? If not, remind me how and I'll write it.)
>
> Assume I'm setting this from the Windows file permissions UI.

Hi,

I think this (Windows ACL):

    Domain Users*    Read & execute   This folder only
    CREATOR OWNER    Full control     Subfolders and files only
    Domain Admins    Full control     This folder, subfolders and files

would achieve this.

Domain Users can Read & Execute the profiles dir, there you have user1, user2 and so on. These are the CREATOR OWNERs for their subfolder. So they can access //Profiles/ and enter their user dir, but not the dirs of other users.

Your Downloads, Documents etc are accessed like this \\smbfs\homedrives\user1\Downloads\. If I, user1, try to access \\smbfs\homedrives\user2\ I get access denied. I do see all the user dirs if I only list \\smbfs\homedrives\ but I can only enter my own.

On 15 March 2022 20:22 Greg Sloop wrote:

> Yeah, I've seen that, but that's not what I'm recalling.
>
> It went something like this...
> On this directory only, Domain users have the rights to create folders.
> (And nothing else)
> Inherited permissions on the root give the creator-owner full rights.
>
> This allows the user to create their own profile directory or home directory; and since
> they'll be the creator-owner they'll get inherited "full" permissions.
> But they can't access other users' directories because they're not the creator-owner
> of those directories.
>
> It may well be that I only used this for profile directories.
>
> But it's been a really long time since I last set this up and I can't go back and look at
> that installation to see how I did it. I thought I'd seen the example either on the list or
> the Samba Wiki - but perhaps I recall that wrong.
>
> If anyone knows what I'm talking about, and has a pointer, I'd be thrilled!
> :)

Set the share and NTFS Permissions on the Security Tab as per the Wiki:

https://wiki.samba.org/index.php/Windows_User_Home_Folders

then use the RSAT (Active Directory Users and Computers) tools from a Windows machine. After the user is created set the Home folder on the Profile Tab to point to the samba share, e.g. Connect H: to \\fileserver\sharename\username - when you do this, the user's folder is also automatically created on the samba file server with the correct permissions. They get full control to their own folder but cannot access anyone else's.

You can also set the profile path if you want roaming profiles, and this will also be automatically created.

Hope that helps,
Roy
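
Added example, not part of any message in this thread: a small Python model of how the ACL discussed above behaves when a user creates their own folder under the profile/home root. It uses the rule from Greg's description (Domain Users may only create folders, on this folder only) with the CREATOR OWNER and Domain Admins entries from the ACL table; the class and function names and the simplified rights set are assumptions for illustration, and only folder (not file) inheritance is modelled.

```python
from dataclasses import dataclass

CI, IO = "container_inherit", "inherit_only"   # modelled ACE inheritance flags
FULL = frozenset({"list", "read", "create_folder", "write", "delete"})

@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    flags: frozenset = frozenset()   # no flags = "This folder only"

@dataclass
class Folder:
    owner: str
    acl: list

def effective_rights(folder, user, groups):
    """Union of allow ACEs that apply to this folder for the user or their groups."""
    rights = set()
    for ace in folder.acl:
        if IO not in ace.flags and ace.principal in {user, *groups}:
            rights |= ace.rights
    return rights

def create_subfolder(parent, creator, groups):
    """Create a child folder if permitted and build its inherited ACL."""
    if "create_folder" not in effective_rights(parent, creator, groups):
        raise PermissionError(f"{creator} may not create folders here")
    acl = []
    for ace in parent.acl:
        if CI not in ace.flags:
            continue                         # "This folder only": not inherited
        if ace.principal == "CREATOR OWNER":
            # Effective copy for the new owner, plus the generic ACE kept
            # inherit-only so deeper folders are handled the same way.
            acl.append(Ace(creator, ace.rights))
            acl.append(Ace(ace.principal, ace.rights, frozenset({CI, IO})))
        else:
            acl.append(Ace(ace.principal, ace.rights, ace.flags - {IO}))
    return Folder(creator, acl)

def profiles_root():
    """Root folder ACL as described in the thread (constructed sample)."""
    return Folder("Administrator", [
        Ace("Domain Users", frozenset({"create_folder"})),   # this folder only
        Ace("CREATOR OWNER", FULL, frozenset({CI, IO})),     # subfolders only
        Ace("Domain Admins", FULL, frozenset({CI})),         # folder + subfolders
    ])
```

In this model `create_subfolder(profiles_root(), "user1", {"Domain Users"})` yields a folder where user1 and Domain Admins have full rights and every other Domain Users member has none.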