Score:0

Samba Winbind - Windows Server AD - Users are able to see each other's home directories

nop

I'm running AlmaLinux and Samba Winbind joined into Windows Server 2019 AD. The domain users have home directories and a pccommon directory (shared folder).

When I create a new domain user in the active directory, I have to create a new folder on the linux machine in /home and change its owner to that user's name.

mkdir -p /home/newaccount
chown IIT\\newaccount: /home/newaccount

/etc/samba/smb.conf

        idmap config * : rangesize = 1000000
        idmap config * : range = 100000-19999999
        idmap config * : backend = autorid

        template homedir = /home/%U
        template shell = /sbin/nologin
;       winbind use default domain = yes
;       winbind enum users = yes
;       winbind enum groups = yes
        winbind max domain connections = 10
        winbind expand groups = 5
        ntlm auth = yes
        # workaround for https://bugzilla.samba.org/show_bug.cgi?id=11081 ?
        #client schannel = no

[homes]
        writable = yes
        create mask = 0711
        directory mask = 0711
        map hidden = yes
        map system = yes
        invalid users = root nobody
        csc policy = disable
        root preexec = /usr/local/bin/netlogonpr %U
        veto files = /autorun.inf/*.zepto/*.ZEPTO/*.scr/*.SCR/*.wsf/*.WSF/*.docm/*.DOCM/
        delete veto files = yes

[pccommon]
        path = /home/pccommon
        read only = no
        acl_xattr:ignore system acls = yes

Issue

The issue is that the domain users are able to see each other's home directories. Even though they are not able to write there, it's still an issue. How do I make each domain user see only their own home directory and not everyone else's too?

Score:1

I would suggest you alter your 'root preexec' script to check if the user's home directory exists and create it if not.

Remove the invalid users line and replace it with 'valid users = %S'

This will make the user's home directory only visible to the user and will create it for you if it doesn't exist.
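As an added example (not the answer's or the asker's script), here is a replacement for /usr/local/bin/netlogonpr that does what the answer suggests: create the home directory only when it is missing, owned by the connecting user and mode 0700. It assumes the `%U` argument may carry a `DOMAIN\` or `DOMAIN+` winbind prefix, which it strips for the directory name while chowning to the full name, matching the question's own `chown IIT\\newaccount:` step; the function names are mine.

```shell
#!/bin/sh
# Drop-in for /usr/local/bin/netlogonpr, invoked by Samba as
#   root preexec = /usr/local/bin/netlogonpr %U
# Creates the connecting user's home directory if it is missing,
# owned by that user and not readable by anyone else (mode 0700).

# Directory name for a user: strip an assumed "DOMAIN\" or "DOMAIN+"
# winbind prefix so IIT\newaccount maps to /home/newaccount, matching
# the layout in the question.
home_dir_name() {
    name=${1##*\\}      # remove everything up to the last backslash
    name=${name##*+}    # remove everything up to the last plus sign
    printf '%s\n' "$name"
}

# ensure_home USER [BASE]: create BASE/<name> once, print its path.
# Refuses names that could escape BASE, since this runs as root.
ensure_home() {
    user=$1
    base=${2:-/home}
    name=$(home_dir_name "$user")
    case $name in
        ''|.|..|*/*)
            echo "netlogonpr: refusing unsafe home name '$user'" >&2
            return 1 ;;
    esac
    dir="$base/$name"
    if [ ! -d "$dir" ]; then
        # -m 0700 keeps other domain users out of the new directory
        mkdir -m 0700 "$dir" || return 1
        # "USER:" assigns the user's primary (login) group as well
        chown "$user": "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# When run by Samba, $1 is the %U username; the guard lets the file
# also be sourced without side effects.
if [ $# -gt 0 ]; then
    ensure_home "$1" /home
fi
```

Pair it with `valid users = %S` in [homes] as the answer says; root preexec runs as root every time the share is connected, so the existence check keeps the script idempotent.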

nop
Thank you for your answer! /usr/local/bin/netlogonpr has the following content `mkdir -p /home/$1`. Could you show the modifications you mean in the answer?
nop
I replaced invalid users with valid users and it is still showing the other users' folders. https://i.imgur.com/WpR8px0.png
nop
I just realized `root preexec` was not even running