Creating Home Directories and other shares for AD users in samba

Phil Schaffner Philip.R.Schaffner at nasa.gov
Wed Jul 20 20:50:51 UTC 2005


On Wed, 2005-07-20 at 14:12 -0400, Tim Holmes wrote:
> Thanks to the great help here and on the SAMBA List, I have gotten samba
> to work correctly to do what I need it to, allowing my windows AD users
> to access shares on the samba box without having to either create a
> local (samba / linux) user or manually authenticate on the share.
> This is GREAT NEWS
> 
> Now, 
> 
> I have hit what I am sure is a linux permissions problem:
> 
> When my user (timholmes) clicks on the samba server in the My Network
> Places window, I see the shares; in this case webroot, homes and
> timholmes.
> 
> If I enter the timholmes share, it routes me to the directory where the
> home folders are supposed to be located, and shows me the one that is
> there (in this case it is a local linux user), but I cannot create a new
> folder for myself or anything -- is that a process that must be done
> manually, and if so, to what values do I set the owner, group and
> permissions?

The /home directory is writable only by root.  If you want a unique home
directory for users, create the user under linux.  You can have shared
space that is open to guest users, but [homes] shouldn't be expected to
work that way.

> 
> If it is supposed to be automatic, how do I make it happen?
> 
> Here is my smb.conf file
... snip ...
> 
> [webroot]
>          path = /var/www/html/
>          read only = No

You may want to add a list of users with write access.

        write list = [list of users allowed to write]

> 
> [homes]
>         browseable = no
>         writeable = yes
>         path = /home

The path line should not be there.  [homes] should automatically map to
the Linux user's home directory.  My entry looks like:

[homes]
        comment = Home Directories
        browseable = no
        writeable = yes
#       valid users = %S
#       create mode = 0664
#       directory mode = 0775
# If you want users samba doesn't recognize to be mapped to a guest user
; map to guest = bad user
#       hide unreadable = yes

The comments give some hints about access tuning.

Here's an example of setting up something similar on another filesystem:

[lynx_user]
   comment = /md/[user] on lynx
   path = /md/%U
   valid users = %U
   public = no
   writable = yes
   printable = no

> Also, there are some shares --- like the webroot one --- that multiple
> users should have rights to do anything in (for example, all of the
> teachers in the school should have read, write and execute rights to the
> webroot, but none of the students should; as well, apache should have
> read, write and execute rights so that it can serve it, etc.)
> 
> My gut instinct is that it should be owned by apache, and that the group
> should be the active directory group teachers (which contains all the
> right people) and I am guessing the permissions would look like 775
> giving the owner, apache, read, write and execute permissions, the
> group, the active directory teachers group, read write and execute -- so
> they can edit web pages, and the rest of the world read and execute
> permissions so that they can see the pages and execute any scripts etc
> in them.  Is this right or am I totally confused?

You can handle this with appropriate group permissions and memberships,
and possibly with additional restrictions as shown above if necessary
(you may find you don't really want ALL teachers to have free access,
depending on proficiency).   All users you want to access things that are
not wide-open will need Linux user accounts with appropriate group
memberships.

Phil
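The group-permission setup Phil describes for the webroot share, written out as an added example (this is not code from the thread or from the Samba project). It assumes a Linux group called "teachers" whose members are the AD users that winbind/samba has mapped to Linux accounts, and a document root of /var/www/html; both are illustrative names. The script makes a directory group-writable with the setgid bit so that files created through Samba or a local shell keep the shared group, and prints a matching smb.conf stanza whose valid users / write list / force group / create mask / directory mask parameters keep Samba's view of the share consistent with the filesystem modes. Apache, or any other local process, still reads the tree through the world r-x bits, so it does not need to own the files.

```shell
#!/bin/sh
# Added example, not from the original thread.  "teachers" and
# /var/www/html are assumed names; pass your own as arguments.

# Make DIR owned by GROUP with directories 2775 and files 0664: owner and
# group get rwx/rw, world gets r-x/r, and the setgid bit on directories
# makes new files inherit GROUP instead of the creator's primary group.
prep_shared_dir() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 0664 {} + || return 1
}

# Octal mode of a path, e.g. 2775 (GNU stat syntax, as on Fedora).
mode_of() {
    stat -c '%a' "$1"
}

# Group name that owns a path.
group_of() {
    stat -c '%G' "$1"
}

# Emit an smb.conf share restricted to members of GROUP.  force group plus
# the two masks make Samba create objects with the same group and modes
# that prep_shared_dir set, so nothing a teacher saves from Windows ends
# up group-unreadable for the next teacher or for apache.
render_share() {
    name=$1; path=$2; group=$3
    cat <<EOF
[$name]
        comment = $name (members of $group may write)
        path = $path
        valid users = @$group
        write list = @$group
        force group = $group
        create mask = 0664
        directory mask = 2775
        browseable = yes
        read only = no
EOF
}

# Stand-alone demonstration on a scratch directory, using the caller's own
# primary group so it runs unprivileged; real use would be
#   prep_shared_dir /var/www/html teachers   (as root)
demo() {
    scratch=$(mktemp -d)
    mkdir "$scratch/htdocs"
    printf '<html></html>\n' > "$scratch/htdocs/index.html"
    prep_shared_dir "$scratch/htdocs" "$(id -gn)"
    mode_of "$scratch/htdocs"             # 2775
    mode_of "$scratch/htdocs/index.html"  # 664
    group_of "$scratch/htdocs"            # your primary group
    render_share webroot /var/www/html teachers
    rm -rf "$scratch"
}

demo
```

The stanza deliberately lists the group in both `valid users` and `write list`: `valid users` keeps students off the share entirely rather than giving them read-only access, which is what Tim asked for, and `write list` documents who may write even if `read only` is later flipped. Remember that each teacher must still resolve to a Linux account with "teachers" as a supplementary group, or `force group` has nothing to map.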
More information about the fedora-list mailing list