Re: [Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
- Date: Mon, 17 Sep 2018 20:50:13 +0000
- From: Doug Sampson via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can access
> other shares just fine.
> I am using the RID backend on this member server that connects to Windows-
> based domain controllers. I apologize for the lengthy smb4.conf but here
> it is:
[ ...snip... ]
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
> comment = Home directories for AD users
> path = /zdata/home
> # browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
> read only = no
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
> create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want
> # create dirs. with group=rw permissions, set next parameter to 0775.
> directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to \\server\username
> # This might need tweaking when using external authentication schemes
> ## valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> # inherit permissions = Yes
> # inherit owner = Yes
> delete veto files = Yes
> veto files = /lost+found/Network Trash
> hide files =
> # map archive = No
> # map readonly = no
> vfs objects = zfsacl, shadow_copy2, full_audit
> full_audit:prefix = %u|%I
> full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> full_audit:failure = none
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
> shadow: snapdir = .zfs/snapshot
> shadow: format = %Y-%m-%dT%H:%M:%S
> shadow: snapdirseverywhere = yes
> shadow: sort = desc
> shadow: localtime = no
> I have several other SMB servers that were upgraded to 4.8 and I am able
> to enumerate users and groups on all of these servers except this one. I
> cannot enumerate groups and I am mystified as to why I cannot.
> Also is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain
> Users" in place of EXAMPLE-%U. It doesn't work.
> Is the vfs object full_audit still supported by 4.8?
I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users are able to access their home folders. Since each user's home folders have had user security restrictions applied at the file level, I am comfortable with the level of security here.
But why the change??? I looked at both 4.7 and 4.8 release notes and did not see anything related to this. Has this been deprecated?
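Added example, not part of the original post: with `valid users` widened to the whole "domain users" group, access to each home directory rests on the filesystem permissions alone, so this sketch audits the directories under the share path for wrong owners or group/other mode bits. It assumes each directory is named after its account and that the account resolves through `pwd` (for example via winbind); `audit_homes`, `lookup_uid` and `demo` are hypothetical names, and only POSIX owner and mode are checked, not the NFSv4 ACL entries that `zfsacl` exposes.

```python
import os
import pwd
import stat
import tempfile

HOME_ROOT = "/zdata/home"  # "path" of the share in the quoted smb4.conf


def lookup_uid(name):
    """Default resolver (assumption): directory name == account name."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_homes(root, resolve=lookup_uid):
    """Return {dirname: [problems]} for home directories that are not private.

    Checks POSIX owner and mode bits only; NFSv4 ACL entries (zfsacl) are
    not inspected and need a separate review.
    """
    findings = {}
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue  # plain files and symlinks are not home directories
        st = entry.stat(follow_symlinks=False)
        problems = []
        uid = resolve(entry.name)
        if uid is None:
            problems.append("no matching account")
        elif st.st_uid != uid:
            problems.append(f"owned by uid {st.st_uid}, expected {uid}")
        extra = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
        if extra:
            problems.append(f"group/other bits set: {extra:03o}")
        if problems:
            findings[entry.name] = problems
    return findings


def demo():
    """Constructed sample tree: alice is private, bob is world-readable."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("alice", 0o700), ("bob", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        return audit_homes(root, resolve=lambda name: me)


if __name__ == "__main__":
    print(demo())
```

On the server itself the call would be `audit_homes(HOME_ROOT)`, run as a user able to stat every directory under the share path.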