
Re: [Samba] Cannot access HOME folder after upgrading to 4.8 from 4.6

On Mon, 17 Sep 2018 20:50:13 +0000
Doug Sampson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > Hello-
> > 
> > I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> > upgrade, users cannot access the HOME folder share but they can
> > access other shares just fine.
> > 
> > I am using the RID backend on this member server that connects to
> > Windows-based domain controllers. I apologize for the lengthy
> > smb4.conf but here it is:
> > 
> 
> [ ...snip... ]
> 
> > # uncomment the following (and tweak the other settings below to suit)
> > # to enable the default home directory shares. This will share each
> > # user's home directory as \\server\username
> > 
> > [home]
> >    comment = Home directories for AD users
> >    path = /zdata/home
> > #   browseable = no
> > # By default, the home directories are exported read-only. Change the
> > # next parameter to 'no' if you want to be able to write to them.
> >    read only = no
> > # File creation mask is set to 0700 for security reasons. If you want to
> > # create files with group=rw permissions, set next parameter to 0775.
> >    create mask = 0700
> > # Directory creation mask is set to 0700 for security reasons. If you want to
> > # create dirs. with group=rw permissions, set next parameter to 0775.
> >    directory mask = 0700
> > # By default, \\server\username shares can be connected to by anyone
> > # with access to the samba server. Un-comment the following parameter
> > # to make sure that only "username" can connect to \\server\username
> > # This might need tweaking when using external authentication schemes
> > ##   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> >    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> > #   inherit permissions = Yes
> > #   inherit owner = Yes
> >    delete veto files = Yes
> >    veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> >    hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/$RECYCLE.BIN/
> > #   map archive = No
> > #   map readonly = no
> >    vfs objects = zfsacl, shadow_copy2, full_audit
> >    full_audit:prefix = %u|%I
> >    full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwrite pwrite_send pwrite_recv
> >    full_audit:failure = none
> >    full_audit:facility = LOCAL7
> >    full_audit:priority = ALERT
> >    shadow: snapdir = .zfs/snapshot
> >    shadow: format = %Y-%m-%dT%H:%M:%S
> >    shadow: snapdirseverywhere = yes
> >    shadow: sort = desc
> >    shadow: localtime = no
> > 
> > 
> > 
> > I have several other SMB servers that were upgraded to 4.8 and I
> > am able to enumerate users and groups on all of these servers
> > except this one. I cannot enumerate groups and I am mystified as to
> > why I cannot.
> > 
> > Also is the variable DSP-%U still supported? I have tried
> > "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't work.
> > 
> > Is the vfs object full_audit still supported by 4.8?
> > 
> 
> I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users
> are able to access their home folders. Since each user's home folders
> have had user security restrictions applied at the file level, I am
> comfortable with the level of security here.
> 
> But why the change??? I looked at both 4.7 and 4.8 release notes and
> did not see anything related to this. Has this been deprecated?
> 
> ~Doug
> 

%U is still valid and if you read 'man smb.conf' you will find this:

 %U
   session username (the username that the client wanted, not
   necessarily the same as the one they got).

You could try '%u':

 %u
   username of the current service, if any.

Rowland
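Added illustration, not part of the thread and not Samba code: a small Python model of how a `valid users` value is split into entries, how `%U` is expanded from the name the client sent (the smb.conf(5) wording Rowland quotes), and how the expanded entries are matched against the session's user and groups. The account names, group memberships and client-typed logon spellings below are constructed; the matching rule (a `@`/`+`/`&` prefix names a group, a plain name matches the session user or a group the session holds) is a simplification assumed for the example, and only `%U` is modelled, since what `%u` expands to depends on name mapping the thread does not show. What it makes visible is the trade-off Doug describes: the per-user `EXAMPLE-%U` entry stops matching as soon as the client-supplied spelling differs from the account name, while the `"EXAMPLE-domain users"` replacement admits every domain member by group membership, leaving the filesystem permissions as the only per-user control.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional, Set

# The two 'valid users' values compared in the thread (the replacement is
# Doug's wording "EXAMPLE-domain users" in place of EXAMPLE-%U).
ORIGINAL_VALID_USERS = 'EXAMPLE-%U @"EXAMPLE-domain admins"'
REPLACED_VALID_USERS = '"EXAMPLE-domain users" @"EXAMPLE-domain admins"'


@dataclass
class Token:
    """Who the session resolved to: the service username plus its groups."""
    user: str
    groups: Set[str] = field(default_factory=set)


def parse_samba_list(value: str) -> list:
    """Split a Samba list-valued parameter: entries are separated by whitespace
    or commas, and double quotes keep a name containing spaces together, so
    @"EXAMPLE-domain admins" becomes the single entry '@EXAMPLE-domain admins'."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace = " \t,"
    lex.whitespace_split = True
    lex.quotes = '"'
    lex.commenters = ""   # '#' is not a comment inside a parameter value
    lex.escape = ""       # backslashes stay literal (EXAMPLE\doug)
    return list(lex)


def substitute_session_user(entry: str, session_user: str) -> str:
    """%U is the username the client asked for, not necessarily the one the
    session was mapped to; this model substitutes only %U."""
    return entry.replace("%U", session_user)


def entry_admits(entry: str, token: Token) -> bool:
    """Simplified share-level match (an assumption, not Samba's own logic):
    '@', '+' and '&' prefixes name a group; a plain name matches the token's
    user or any group the token holds. Comparison is case-insensitive."""
    groups = {g.lower() for g in token.groups}
    if entry and entry[0] in "@+&":
        return entry[1:].lower() in groups
    return entry.lower() == token.user.lower() or entry.lower() in groups


def share_admits(valid_users: str, token: Token, session_user: str) -> Optional[str]:
    """Return the expanded entry that admits the session, or None when the
    share-level check would refuse it."""
    for raw in parse_samba_list(valid_users):
        entry = substitute_session_user(raw, session_user)
        if entry_admits(entry, token):
            return entry
    return None


if __name__ == "__main__":
    # Constructed accounts: 'doug' is an ordinary domain user, 'admin' is also
    # a domain admin. The second element is the name the client typed at logon.
    cases = [
        (Token("EXAMPLE-doug", {"EXAMPLE-domain users"}), "doug"),
        (Token("EXAMPLE-doug", {"EXAMPLE-domain users"}), "doug@example.com"),
        (Token("EXAMPLE-admin", {"EXAMPLE-domain users", "EXAMPLE-domain admins"}), "EXAMPLE\\admin"),
    ]
    for token, typed in cases:
        for label, value in (("original", ORIGINAL_VALID_USERS), ("replaced", REPLACED_VALID_USERS)):
            print(f"{label:8} {token.user:14} typed={typed!r:20} -> {share_admits(value, token, typed)}")
```

Run as a script it prints, for each constructed logon, which entry (if any) admits the session under the original and the replaced `valid users` value; the `doug@example.com` row is the one where the `%U` entry fails while the group entry still succeeds.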