Member Server Configuration


Samba - General mailing list
Hi,
I have a Debian Stretch machine with Louis' samba 4.7.1 package installed. I have configured it as a member server and joined it to
my test domain. I tried the idmap rid back end and all worked OK, but am now trying the idmap ad back end. I have users' home
folders saved to a users share on the member server, configured to allow auto-creation of home folders when the Windows user logs in
for the first time. That's working OK after some adjustments to the NTFS and share permissions, which vary from the Samba WiKi
page (https://wiki.samba.org/index.php/User_Home_Folders) after reading this: https://support.microsoft.com/en-gb/help/555046.
Also, if users are allowed to log in locally as a Unix user to the member server, I found that the Unix permissions had to include
rwx for the Domain Users group, otherwise they are unable to access their home folder. Does the WiKi need updating?

Am I right in assuming from the WiKi that all users in the domain have to have at least the UID and GID set in AD (when using the
idmap ad back end)?

My problem is that if I want to log on as administrator, I either allocate a UID/GID in AD, in which case I can log in OK.
However, if I use the username map parameter in smb.conf along with the appropriate file user.map to map administrator to root, the
WiKi says do not allocate a UID and GID in AD. So I took these off, but I cannot log in now to the member server as administrator.
Neither does administrator show up in the output of getent passwd.

However, wbinfo -u produces:
root@debian-m1:/home/linuxadmin# wbinfo -u
test1
test2
test3
administrator
roy
krbtgt
guest

But wbinfo -i administrator produces:
root@debian-m1:/home/linuxadmin# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator

I have tried also with wbinfo -i MICROLYNX\administrator but the same result as above.

My smb.conf from the member server:
=============================
[global]
        netbios name = debian-m1
        security = ADS
        workgroup = MICROLYNX
        realm = MICROLYNX.CO.UK

        log file = /var/log/samba/%m.log
        log level = 1

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes

        winbind trusted domains only = no
        winbind use default domain = yes

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain MICROLYNX
        idmap config MICROLYNX:backend = ad
        idmap config MICROLYNX:schema_mode = rfc2307
        idmap config MICROLYNX:range = 10000-99999

        # Use settings from AD for login shell and home directory and primary group
        idmap config MICROLYNX:unix_nss_info=yes
        idmap config MICROLYNX:unix_primary_group=yes
       
        # enable getent passwd & getent group to display domain users & groups
        winbind enum users = yes
        winbind enum groups = yes
       
        # use default settings for users w/o home dir & shell in AD Unix Attributes
        template homedir = /srv/users/%U
        template shell = /bin/bash

        # Map domain users to unix users - eg administrator to root
        username map = /etc/samba/user.map
       
        # enable Extended ACL support
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[users]
        path = /srv/users
        read only = No

=======================================
/etc/samba/user.map:
!root = MICROLYNX\Administrator MICROLYNX\administrator Administrator administrator

What am I doing wrong?   Any help or pointers appreciated.

TIA,

Roy


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Member Server Configuration

Samba - General mailing list

See inline Comments:

On Thu, 9 Nov 2017 16:11:49 -0000
Roy Eastwood via samba <[hidden email]> wrote:

> Hi,
> I have a Debian Stretch machine with Louis' samba 4.7.1 package
> installed.  I have configured it as a member server and joined it to
> my test domain.   I tried the idmap rid back end and all worked ok,
> but am now trying the idmap ad back end.   I have users' home folders
> saved to a users share on the member server, configured to allow
> auto-creation of home folders when the windows user logs in for the
> first time.    That's working OK after some adjustments to the ntfs
> and share permissions which vary from the samba WiKi page
> (https://wiki.samba.org/index.php/User_Home_Folders ) after reading
> this https://support.microsoft.com/en-gb/help/555046. Also if users
> are allowed to log in locally as a unix user to the member server, I
> found that the unix permissions had to include rwx for the domain
> users group otherwise they are unable to access their home
> folder.        Does the WiKi need updating?

Probably not.

>
> Am I right in assuming from the WiKI that all users in the domain
> have to have at least the UID and GID set in AD (when using the idmap
> ad back end)?

It depends on what version of Samba you are using and how you set up
smb.conf, more on this later ;-)
   
>
> My problem is that if I want to log on as administrator,

Log on where?
If you mean to a Unix machine, then no, you don't; you might think you
do, but really you don't.

> I either
> allocate a UID/GID in AD - in which case I can log in OK. However, if
> I use the username map parameter in smb.conf along with the
> appropriate file user.map to map administrator to root, the WiKi says
> do not allocate a UID and GID in AD.   So I took these off  but I
> cannot log in now to the member server as administrator. Neither does
> administrator show up in the output of getent passwd.

Ah, but you are using a user.map, which maps 'Administrator' to
'root', so guess who you should log onto the Unix machine as?
   

>
> However, wbinfo -u produces:
> root@debian-m1:/home/linuxadmin# wbinfo -u
> test1
> test2
> test3
> administrator
> roy
> krbtgt
> guest
>
> But wbinfo -i administrator produces:
> root@debian-m1:/home/linuxadmin# wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator

Yes, that is correct for a Unix domain member. All that wbinfo shows
is that winbind can connect to AD; you need to have 'getent passwd
username' produce output to prove that the OS knows your AD users as
Unix users (note that 'getent passwd Administrator' won't work either).

>
> I have tried also with wbinfo -i MICROLYNX\administrator but the same
> result as above.
>
> My smb.conf from the member server:
> =============================
> [global]
> netbios name = debian-m1
> security = ADS
> workgroup = MICROLYNX
> realm = MICROLYNX.CO.UK
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
>
> # Default idmap config used for BUILTIN and local
> accounts/groups idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain MICROLYNX
> idmap config MICROLYNX:backend = ad
> idmap config MICROLYNX:schema_mode = rfc2307
> idmap config MICROLYNX:range = 10000-99999
>
> # Use settings from AD for login shell and home directory and
> primary group idmap config MICROLYNX:unix_nss_info=yes
> idmap config MICROLYNX:unix_primary_group=yes

Remember when I said 'more on this later', well it is later ;-)

With the above 'idmap config' lines, your users will need a uidNumber
attribute containing a unique number from the '10000-99999' range. They
will also need a gidNumber attribute that contains the gidNumber of a
group; this means that the group MUST have a gidNumber attribute
containing the same number, and this must also be in the '10000-99999'
range.
If you do not want this, give Domain Users a gidNumber, remove the
'unix_primary_group' line and restart Samba.

>
> # enable getent passwd & getent group to display domain users
> & groups winbind enum users = yes
> winbind enum groups = yes

You should remove the two 'winbind enum' lines, you do not need them
and they only slow things down.

Rowland
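A checker for the attribute prerequisites Rowland describes, added here as an example and not code from the thread or from Samba: it reads a constructed LDIF export of users and groups, uses the range from the thread's 'idmap config MICROLYNX:range' line, exempts accounts that user.map sends to a Unix user (the ones the wiki says should carry no uidNumber/gidNumber), and reports every uidNumber/gidNumber problem that would keep an account from being known to the OS as a Unix user. The sample data, the function names and the exemption rule for mapped accounts are assumptions.

```python
# Range taken from the thread's 'idmap config MICROLYNX:range = 10000-99999'.
ID_RANGE = (10000, 99999)

# Constructed user.map in the thread's format; mapped accounts are exempt from the idmap checks.
USER_MAP = "!root = MICROLYNX\\Administrator MICROLYNX\\administrator Administrator administrator\n"

# Constructed LDIF export with a uidNumber clash, an out-of-range uidNumber and a dangling gidNumber.
LDIF = """\
dn: CN=test1,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: test1
uidNumber: 10001
gidNumber: 10000

dn: CN=test2,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: test2
uidNumber: 10001
gidNumber: 10000

dn: CN=test3,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: test3
uidNumber: 5000
gidNumber: 20000

dn: CN=Administrator,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: Administrator

dn: CN=Domain Users,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000
"""

def mapped_names(user_map):
    """Lower-case account names (domain prefix stripped) that user.map maps."""
    names = set()
    for line in user_map.splitlines():
        line = line.split("#", 1)[0]
        if "=" not in line:
            continue
        for tok in line.split("=", 1)[1].split():
            names.add(tok.split("\\")[-1].lower())
    return names

def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lower: [values]} dict per entry."""
    entries, cur = [], {}
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not raw.startswith("#") and ":" in raw:
            attr, _, val = raw.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries

def check_idmap_ad(entries, low, high, exempt=frozenset()):
    """One finding per violated prerequisite: unique in-range uidNumber, gidNumber of an in-range group."""
    findings, seen_uid = [], {}
    group_gids = {int(e["gidnumber"][0]) for e in entries
                  if "gidnumber" in e
                  and "group" in [c.lower() for c in e.get("objectclass", [])]}
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "user" not in classes or "computer" in classes:
            continue
        name = e.get("samaccountname", ["?"])[0]
        if name.lower() in exempt:      # handled by username map, not idmap
            continue
        if "uidnumber" not in e:
            findings.append("%s: no uidNumber" % name)
        else:
            uid = int(e["uidnumber"][0])
            if not low <= uid <= high:
                findings.append("%s: uidNumber %d outside %d-%d" % (name, uid, low, high))
            if uid in seen_uid:
                findings.append("%s: uidNumber %d duplicates %s" % (name, uid, seen_uid[uid]))
            seen_uid.setdefault(uid, name)
        if "gidnumber" not in e:
            findings.append("%s: no gidNumber" % name)
        else:
            gid = int(e["gidnumber"][0])
            if gid not in group_gids or not low <= gid <= high:
                findings.append("%s: gidNumber %d matches no group inside %d-%d"
                                % (name, gid, low, high))
    return findings

def audit():
    """Run the check over the constructed sample with the thread's settings."""
    return check_idmap_ad(parse_ldif(LDIF), *ID_RANGE, exempt=mapped_names(USER_MAP))
```

Against a real domain the LDIF would come from an export of the users and groups containers; only the accounts listed by user.map are allowed to appear without RFC2307 attributes.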


Re: Member Server Configuration

Samba - General mailing list
Thanks Rowland.
See inline comments.

> On Thu, 9 Nov 2017 17:08:52 -0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> See inline Comments:
>
> On Thu, 9 Nov 2017 16:11:49 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> > I have a Debian Stretch machine with Louis' samba 4.7.1 package
> > installed.  I have configured it as a member server and joined it to
> > my test domain.   I tried the idmap rid back end and all worked ok,
> > but am now trying the idmap ad back end.   I have users' home folders
> > saved to a users share on the member server, configured to allow
> > auto-creation of home folders when the windows user logs in for the
> > first time.    That's working OK after some adjustments to the ntfs
> > and share permissions which vary from the samba WiKi page
> > (https://wiki.samba.org/index.php/User_Home_Folders ) after reading
> > this https://support.microsoft.com/en-gb/help/555046. Also if users
> > are allowed to log in locally as a unix user to the member server, I
> > found that the unix permissions had to include rwx for the domain
> > users group otherwise they are unable to access their home
> > folder.        Does the WiKi need updating?
>
> Probably not.

OK, fine, but I couldn't get auto-creation of home folders to work with just the settings in the WiKi.

>
> >
> > Am I right in assuming from the WiKI that all users in the domain
> > have to have at least the UID and GID set in AD (when using the idmap
> > ad back end)?
>
> It depends on what version of Samba you are using and how you set up
> smb.conf, more on this later ;-)
>
> >
> > My problem is that if I want to log on as administrator,
>
> Log on where ?
> If you mean to a Unix machine, then no you don't, you might think you
> do, but really you don't.

Yes, I did mean the Unix machine; but you are right, I don't need to. I was just following the wiki to see if it works! And I can
see it doesn't now from what you say below.

>
> > I either
> > allocate a UID/GID in AD - in which case I can log in OK. However, if
> > I use the username map parameter in smb.conf along with the
> > appropriate file user.map to map administrator to root, the WiKi says
> > do not allocate a UID and GID in AD.   So I took these off  but I
> > cannot log in now to the member server as administrator. Neither does
> > administrator show up in the output of getent passwd.
>
> Ah, but you are using a user.map, which maps 'Administrator' to
> 'root', so guess who you should log onto the Unix machine as ?

Yes, indeed. Actually I use another user and then sudo, but it winds up as the same thing.

>
> >
> > However, wbinfo -u produces:
> > root at debian-m1:/home/linuxadmin# wbinfo -u
> > test1
> > test2
> > test3
> > administrator
> > roy
> > krbtgt
> > guest
> >
> > But wbinfo -i administrator produces:
> > root at debian-m1:/home/linuxadmin# wbinfo -i administrator
> > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for user administrator
>
> Yes, that is correct for a Unix Domain member. All that wbinfo shows
> is that winbind can connect to AD, you need to have 'getent passwd
> username' produce output to prove that the OS knows your AD users as
> Unix users (note that 'getent passwd Administrator' wont work either)
>
> >
> > I have tried also with wbinfo -i MICROLYNX\administrator but the same
> > result as above.
> >
> > My smb.conf from the member server:
> > =============================
> > [global]
> > netbios name = debian-m1
> > security = ADS
> > workgroup = MICROLYNX
> > realm = MICROLYNX.CO.UK
> >
> > log file = /var/log/samba/%m.log
> > log level = 1
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> >
> > # Default idmap config used for BUILTIN and local
> > accounts/groups idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > # idmap config for domain MICROLYNX
> > idmap config MICROLYNX:backend = ad
> > idmap config MICROLYNX:schema_mode = rfc2307
> > idmap config MICROLYNX:range = 10000-99999
> >
> > # Use settings from AD for login shell and home directory and
> > primary group idmap config MICROLYNX:unix_nss_info=yes
> > idmap config MICROLYNX:unix_primary_group=yes
>
> Remember when I said 'more on this later', well it is later ;-)
>
> With the above 'idmap config' lines, your users will need a uidNumber
> attribute containing a unique number from the '10000-99999' range, they
> will also need a gidNumber attribute that contains the gidNumber of a
> group, this means that the group MUST have a gidNumber attribute
> containing the same number, this must also be in the '10000-99999'
> range.
> If you do not want this, give Domain Users a gidNumber and remove the
> 'unix_primary_group' line and restart Samba.

OK, yes, I have removed this line as I have already given Domain Users a gidNumber.

>
> >
> > # enable getent passwd & getent group to display domain users
> > & groups winbind enum users = yes
> > winbind enum groups = yes
>
> You should remove the two 'winbind enum' lines, you do not need them
> and they only slow things down.
>

Yes, noted, these were inserted for testing.

> Rowland

So the section on the WiKi page for "Mapping the Domain Administrator Account to the local root user" is never going to work for
logging onto the member server itself? I assume therefore this will only apply if the administrator on another member client
machine saves files etc.; they will be owned by root rather than the Domain Administrator account? If so, I misunderstood the
purpose of that section!

Thanks for your clarifications!

Roy



Re: Member Server Configuration

Samba - General mailing list
On Thu, 9 Nov 2017 21:47:11 -0000
Roy Eastwood via samba <[hidden email]> wrote:

> Thanks Rowland.
> See inline comments.
>
> > On Thu, 9 Nov 2017 17:08:52 -0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > See inline Comments:
> >
> > On Thu, 9 Nov 2017 16:11:49 -0000
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> >
> > > Hi,
> > > I have a Debian Stretch machine with Louis' samba 4.7.1 package
> > > installed.  I have configured it as a member server and joined it
> > > to my test domain.   I tried the idmap rid back end and all
> > > worked ok, but am now trying the idmap ad back end.   I have
> > > users' home folders saved to a users share on the member server,
> > > configured to allow auto-creation of home folders when the
> > > windows user logs in for the first time.    That's working OK
> > > after some adjustments to the ntfs and share permissions which
> > > vary from the samba WiKi page
> > > (https://wiki.samba.org/index.php/User_Home_Folders ) after
> > > reading this https://support.microsoft.com/en-gb/help/555046.
> > > Also if users are allowed to log in locally as a unix user to the
> > > member server, I found that the unix permissions had to include
> > > rwx for the domain users group otherwise they are unable to
> > > access their home folder.        Does the WiKi need updating?
> >
> > Probably not.
>
> OK, fine, but I couldn't get auto-creation of home folders to work
> with just the settings in the WiKi.

If you are talking about auto-creating users' home folders on
Unix machines, this is quite easy, when you know how ;-)

Add this line to /etc/pam.d/common-session

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

Then when a user logs in, if the user's homedir doesn't exist, it will
be created.

> > > I either
> > > allocate a UID/GID in AD - in which case I can log in OK.
> > > However, if I use the username map parameter in smb.conf along
> > > with the appropriate file user.map to map administrator to root,
> > > the WiKi says do not allocate a UID and GID in AD.   So I took
> > > these off  but I cannot log in now to the member server as
> > > administrator. Neither does administrator show up in the output
> > > of getent passwd.
> >
> > Ah, but you are using a user.map, which maps 'Administrator' to
> > 'root', so guess who you should log onto the Unix machine as ?
>
> Yes, indeed.  Actually I use another user and then sudo, but winds up
> as the same thing.

It also works from windows, you can do things from windows on a Unix
machine, set windows ACLs etc.

> So the section on the WiKi page for "Mapping the Domain Administrator
> Account to the local root user" is never going to work for logging
> onto the member server itself?   I assume therefore this will only
> apply if the administrator on another member client machine saves
> files etc, they will be owned by root rather than the Domain
> Administrator account?   If so I misunderstood the purpose of that
> section!

Yes, that is basically how it works, but it goes further, it allows you
to do the things that Administrator does on Windows, on Unix domain
members.

Rowland



Re: Member Server Configuration

Samba - General mailing list
A bit cleaner way to mk_homedir; I would try to avoid manually changing settings in PAM.

echo "Name: Create home directory during login
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required        pam_mkhomedir.so umask=0022 skel=/etc/skel
" > /usr/share/pam-configs/mkhomedir

And run :
pam-auth-update


Greetz,

Louis



Re: Member Server Configuration

Samba - General mailing list
Thanks Louis.


Re: Member Server Configuration

Samba - General mailing list
On Fri, 10 Nov 2017 09:14:51 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> A bit cleaner way to mk_homedir, I would try to avoid changing
> manualy settings in pam.
>
> echo "Name: Create home directory during login
> Default: yes
> Priority: 900
> Session-Type: Additional
> Session:
>         required        pam_mkhomedir.so umask=0022 skel=/etc/skel
> " > /usr/share/pam-configs/mkhomedir
>
> And run :
> pam-auth-update
>
>
> Greetz,
>
> Louis

Fair enough, but the same line ends up in the same place ;-)

Rowland
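To make the "same line ends up in the same place" point concrete, and to check what that line does to new home directories, here is an added example (not code from the thread, from Debian's pam-auth-update or from Samba): it renders the Session stanza of Louis's profile in a simplified imitation of what pam-auth-update writes, compares it with Rowland's hand-added common-session line, and flags a missing, duplicated or too-permissive pam_mkhomedir entry, since the umask decides whether a freshly created home folder is group- or world-writable. The sample files and function names are constructed.

```python
import re

# Constructed copy of the pam-configs profile Louis proposed.
PROFILE = """\
Name: Create home directory during login
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required        pam_mkhomedir.so umask=0022 skel=/etc/skel
"""

# Constructed /etc/pam.d/common-session with Rowland's line added by hand.
COMMON_SESSION = """\
session [default=1]     pam_permit.so
session requisite       pam_deny.so
session required        pam_permit.so
session required        pam_unix.so
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

# type, control (possibly bracketed), module, options
PAM_LINE = re.compile(r"^session\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def profile_session_lines(profile):
    """Render a profile's 'Session:' stanza as the 'session ...' lines that
    pam-auth-update writes into common-session (simplified: the stanza body
    only, ignoring the managed-block markers and priority ordering)."""
    lines, in_session = [], False
    for raw in profile.splitlines():
        if re.match(r"^[A-Za-z-]+:", raw):
            in_session = raw.startswith("Session:")
            continue
        if in_session and raw.strip():
            lines.append("session " + " ".join(raw.split()))
    return lines

def mkhomedir_entries(session_text):
    """Return (control, options) for every pam_mkhomedir.so session line."""
    entries = []
    for raw in session_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(2) != "pam_mkhomedir.so":
            continue
        opts = {}
        for tok in m.group(3).split():
            key, _, val = tok.partition("=")
            opts[key] = val.rstrip("/") if key == "skel" else val
        entries.append((m.group(1), opts))
    return entries

def same_mkhomedir(text_a, text_b):
    """True when both session stacks configure pam_mkhomedir identically
    (control flag and options, ignoring whitespace and option order)."""
    return mkhomedir_entries(text_a) == mkhomedir_entries(text_b)

def audit_mkhomedir(session_text):
    """Findings for the pam_mkhomedir configuration in a session stack.
    A new home directory gets mode 0777 & ~umask (0022 is the module's
    default), so a looser umask makes it group- or world-writable."""
    entries = mkhomedir_entries(session_text)
    if not entries:
        return ["pam_mkhomedir.so is not in the session stack"]
    findings = []
    if len(entries) > 1:
        findings.append("pam_mkhomedir.so configured %d times" % len(entries))
    for _, opts in entries:
        umask = opts.get("umask", "0022")
        mode = 0o777 & ~int(umask, 8)
        if mode & 0o022:
            findings.append("umask %s gives new home dirs mode %04o "
                            "(writable by group/other)" % (umask, mode))
    return findings
```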


Re: Member Server Configuration

Samba - General mailing list
Yes, but now it is ready for this bugfix.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577

So whenever this one gets fixed, you won't notice it.  ;-)


Greetz,

Louis



Re: Member Server Configuration

Samba - General mailing list
On Fri, 10 Nov 2017 09:53:06 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Yes, but now is ready for this bugfix.
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
>
> So whenever this one get fixed, you wont notice it.  ;-)
>
>
> Greetz,
>
> Louis
>
>

From my reading, it is IF this gets fixed: it has been 3 1/2 years since
the last activity on that bug report, and the first date on the report
was 7 1/2 years ago.

Rowland
 


Re: Member Server Configuration

Samba - General mailing list
[snip]
> > OK, fine, but I couldn't get auto-creation of home folders to work
> > with just the settings in the WiKi.
>
> If you are talking about creating auto-creating users home folders on
> Unix machines, this is quite easy, when you know how ;-)
>
> Add this line to /etc/pam.d/common-session
>
> session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> Then when a user logs in, if the users homedir doesn't exist, it will
> be created.
>

Yes, that's fine for Unix users. No, what I was wanting was the users' home folders to be auto-created when a user logs in from a
Windows machine for the first time. This is normally how it works on Windows DCs. In addition, if a GPO is set to redirect the
user's folders, e.g. Documents, Music, Pictures etc., to the home folder (instead of the user's profile folder on the local
machine), these should also be auto-created. I wasn't getting this behaviour with the WiKi's recommended permissions for the home
folders on the member server. Once I set permissions as follows:

Share Permissions:
Authenticated Users: Full Control (WiKi says Read & Execute)
Domain Admins: Full Control

NTFS Permissions:
Domain Admins: Full Control (This folder, subfolder & files)
Domain Users: Modify (This folder, subfolder & files)
CREATOR OWNER: Full Control (Subfolders and files only)
Authenticated Users: Read & Execute, List Folder Contents, Read (This folder only)

Things started working as they would on a Windows DC.

Thanks for your help.

Roy

