AD integrated TN CORE - home directory path

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Hi all,

even though I have "Use Default Domain" set and the users do not need to provide the domain name to authenticate, the home shares are configured like this:
Code:
[global]
    template homedir = /mnt/fusion/share/home/%D/%U
[...]
[homes]
    path = /mnt/fusion/share/home/%D/%U
[...]


How can I have TN change this to just /mnt/fusion/share/home/%U?

Thanks,
Patrick
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Hit the wrong key and sent the half-finished post.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
@anodos I found that I can theoretically override the template homedir as well as the share path via auxiliary parameters. Would that work and if yes, is it a future-proof supported configuration?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
@anodos I found that I can theoretically override the template homedir as well as the share path via auxiliary parameters. Would that work and if yes, is it a future-proof supported configuration?
We only blacklist parameters that are known to break SMB configuration. General goal is to be conservative regarding this / sensitive to people who have customized things. Current blacklist in SCALE is:
Code:
        aux_blacklist = [
            'state directory',
            'private directory',
            'lock directory',
            'lock dir',
            'config backend',
            'private dir',
            'log level',
            'cache directory',
            'clustering',
            'ctdb socket',
            'socket options',
            'include',
            'interfaces',
            'wide links',
            'insecure wide links'
        ]
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
So overrides it is? Or is there some option I missed to remove %D/ from the paths?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
So overrides it is? Or is there some option I missed to remove %D/ from the paths?
In general, auxiliary parameters will override the generated config.

How configuration is generated is reworked in SCALE so this should work there (we basically just take path for `homes` share and place it as template homedir).

`use default domain` is a rather uncommonly enabled feature, but we must keep it around for legacy compatibility. I'll file a bug ticket regarding the issue. It's generally better to use the names supplied by winbindd because it avoids collision with local users.

Note: this only impacts the domain we're directly joined to and so you'll still have to deal with other names (DOMAIN\USER or USER@FQDN) if there are trusted domains.
 
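Added illustration of the override behaviour described in the two replies above (auxiliary parameters win over the generated config, and only the blacklisted names are dropped). This is a model written for this thread, not TrueNAS middleware code; how the middleware really merges parameters, and whether it does so per share or globally, is not shown here. The blacklist is the SCALE list quoted above; the generated `[global]` values and the aux text are constructed sample input.

```python
# Added illustration of aux-parameter override vs. blacklist; a model, not
# TrueNAS middleware code. Blacklist copied from the reply in this thread.
AUX_BLACKLIST = {
    'state directory', 'private directory', 'lock directory', 'lock dir',
    'config backend', 'private dir', 'log level', 'cache directory',
    'clustering', 'ctdb socket', 'socket options', 'include', 'interfaces',
    'wide links', 'insecure wide links',
}


def normalize_key(key):
    """Samba compares parameter names case-insensitively; lower-case and
    collapse whitespace so '  Template  Homedir ' and 'template homedir'
    compare equal to the blacklist entries and to the generated keys."""
    return " ".join(key.lower().split())


def parse_aux_params(text):
    """Parse auxiliary-parameter lines ('key = value') the way a user types
    them into the UI. Returns (accepted, rejected): rejected holds the
    blacklisted parameters that must never reach smb.conf."""
    accepted, rejected = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;' or '=' not in line:
            continue
        key, value = line.split('=', 1)
        key = normalize_key(key)
        (rejected if key in AUX_BLACKLIST else accepted)[key] = value.strip()
    return accepted, rejected


def apply_aux_params(generated, aux_text):
    """Overlay accepted aux parameters on a generated section: the later
    value wins, so an aux 'template homedir' replaces the generated %D/%U
    one. Returns (merged_section, rejected_params)."""
    accepted, rejected = parse_aux_params(aux_text)
    merged = {normalize_key(k): v for k, v in generated.items()}
    merged.update(accepted)
    return merged, rejected


# Constructed sample: the generated [global] line from the first post, the
# override asked about in the thread, and one blacklisted parameter.
GENERATED_GLOBAL = {'template homedir': '/mnt/fusion/share/home/%D/%U'}
AUX_TEXT = """\
template homedir = /mnt/fusion/share/home/%U
wide links = yes
"""

if __name__ == '__main__':
    merged, rejected = apply_aux_params(GENERATED_GLOBAL, AUX_TEXT)
    print(merged)    # template homedir is now /mnt/fusion/share/home/%U
    print(rejected)  # {'wide links': 'yes'} never reaches smb.conf
```

The same overlay applies to the `[homes]` share's `path`; after changing either value, `testparm -s` on the box is the check that the generated smb.conf actually carries the override.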

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
No. I want to provide an ssh jumphost in addition to sharing, so forcing INTERN\<username> as the logon name is clumsy. Specifically when it is just the user name for all other hosts. We have just one single domain so I desire to keep things simple.

Then the automatically created directory with the domain name has got weird access privileges. People can cd into their home and out but cannot for example ls ...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
No. I want to provide an ssh jumphost in addition to sharing, so forcing INTERN\<username> as the logon name is clumsy. Specifically when it is just the user name for all other hosts. We have just one single domain so I desire to keep things simple.

Then the automatically created directory with the domain name has got weird access privileges. People can cd into their home and out but cannot for example ls ...

Right, the default template grants TRAVERSE, but not READ for the directory, i.e. no read permission on the directory. You just need to change the ACL. As I mentioned, the username can be either bob@BILLY.GOAT or BILLY\bob with the default winbindd configuration.

The ACL entry impacting the intermediate path is the one with INHERIT_ONLY and NO_PROPAGATE_INHERIT. That combination means that the ACL entry applies only one level deep.

One other nuance regarding SSH filtering in AD environments / pam_winbind behavior is that you will want to use AllowGroups / DenyGroups rather than AllowUsers / DenyUsers. This is because the winbindd-supplied usernames are case-insensitive, but sshd is case-sensitive. sshd performs the PAM auth check using the user-supplied username, but group names are not controllable by end users.
 
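Added illustration of the AllowUsers vs. AllowGroups point made in the reply above. It is a model of the behaviour described there, written for this thread, not OpenSSH or Samba code: the account table is constructed, with names as winbindd hands them out under `use default domain` (no DOMAIN\ prefix), and the four lists are evaluated in sshd's documented order (DenyUsers, AllowUsers, DenyGroups, AllowGroups).

```python
import fnmatch

# Added illustration of the sshd (case-sensitive) vs. pam_winbind
# (case-insensitive) mismatch; a model, not OpenSSH or Samba code.
# Constructed account table: winbindd-style names -> group names.
ACCOUNTS = {
    "bob":   {"domain users", "jumphost-users"},
    "alice": {"domain users"},
}


def winbind_lookup(login_name):
    """AD logon names are case-insensitive: pam_winbind/NSS resolve 'Bob',
    'BOB' and 'bob' to the same account. Returns its group set, or None."""
    return ACCOUNTS.get(login_name.lower())


def _match_any(name, patterns):
    # sshd's pattern matching is case-sensitive, hence fnmatchcase.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def sshd_decide(login_name, deny_users=(), allow_users=(),
                deny_groups=(), allow_groups=()):
    """Evaluate the sshd_config lists in sshd's order. User lists are matched
    against the name the client typed; group lists against group names of
    the resolved account, which the client cannot influence.
    Returns (decision, reason)."""
    groups = winbind_lookup(login_name)
    if groups is None:
        return "deny", "unknown account"
    if deny_users and _match_any(login_name, deny_users):
        return "deny", "DenyUsers"
    if allow_users and not _match_any(login_name, allow_users):
        return "deny", "not in AllowUsers"
    if deny_groups and any(_match_any(g, deny_groups) for g in groups):
        return "deny", "DenyGroups"
    if allow_groups and not any(_match_any(g, allow_groups) for g in groups):
        return "deny", "not in AllowGroups"
    return "allow", "ok"


if __name__ == "__main__":
    # DenyUsers bob: typing 'Bob' slips past the user-name filter while
    # pam_winbind still authenticates bob. A group filter has no such gap.
    print(sshd_decide("Bob", deny_users=("bob",)))                # ('allow', 'ok')
    print(sshd_decide("bob", deny_users=("bob",)))                # ('deny', 'DenyUsers')
    print(sshd_decide("Bob", allow_users=("bob",)))               # ('deny', 'not in AllowUsers')
    print(sshd_decide("Bob", allow_groups=("jumphost-users",)))   # ('allow', 'ok')
    print(sshd_decide("ALICE", allow_groups=("jumphost-users",))) # ('deny', 'not in AllowGroups')
```

The two user-list outcomes show both sides of the problem: DenyUsers fails open (a different spelling bypasses the deny), AllowUsers fails closed (a different spelling locks out a legitimate user). The group-list outcomes are the same whatever case the client types, which is why the reply recommends AllowGroups / DenyGroups for an AD-backed jumphost.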

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Thanks for the explanation. I'll keep the default domain for flat user names and adjust the ACL for the directory, then.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thanks for the explanation. I'll keep the default domain for flat user names and adjust the ACL for the directory, then.
Yup. See freebsd's acl.h:
ACL_READ_DATA and ACL_LIST_DIRECTORY share a mask and are mapped to `r` in POSIX mode. You can chdir(2) through a path where you lack `r`, but if you try to list by following the hard link back to the parent, it will fail with EPERM by design.
 
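Added illustration of the traverse-without-read situation from the two replies above (the `%D` directory that users can `cd` into and out of but not `ls`, and the `r` = READ_DATA/LIST_DIRECTORY mapping in POSIX mode). This is a probe written for this thread, not TrueNAS code; it builds `home/INTERN/bob` under a temporary directory and gives the intermediate directory a POSIX mode instead of an NFSv4 ACL, since plain mode bits are enough to reproduce the effect on any Unix. The `INTERN`/`bob` names and the mode values are assumptions for the demo.

```python
import os
import tempfile

# Added probe for this thread, not TrueNAS code: reproduce "can cd through the
# %D directory but cannot list it" with plain POSIX mode bits.


def probe_traverse_only(domain_mode=0o111):
    """Create <tmp>/INTERN/bob, give INTERN the given mode, and report what
    this process can do as an unprivileged user: chdir into the home (needs
    only x on INTERN), chdir back up into INTERN (still only x), and list
    INTERN (needs r). Returns a dict; list_parent_errno is None on success
    or the errno the platform reports for a listing without read access."""
    base = tempfile.mkdtemp(prefix="homes-")
    domain = os.path.join(base, "INTERN")   # the %D intermediate directory
    home = os.path.join(domain, "bob")      # the %U home directory
    os.mkdir(domain)
    os.mkdir(home)
    os.chmod(domain, domain_mode)           # 0o111 = traverse only, no read
    result = {"euid": getattr(os, "geteuid", lambda: -1)()}  # root bypasses mode checks
    cwd = os.getcwd()
    try:
        os.chdir(home)
        result["chdir_home"] = True
        os.chdir("..")                      # back into INTERN via its parent link
        result["chdir_parent"] = True
        try:
            os.listdir(".")                 # readdir on INTERN
            result["list_parent_errno"] = None
        except OSError as e:
            result["list_parent_errno"] = e.errno
    finally:
        os.chdir(cwd)
        os.chmod(domain, 0o755)             # restore write access so cleanup works
        os.rmdir(home)
        os.rmdir(domain)
        os.rmdir(base)
    return result


if __name__ == "__main__":
    print(probe_traverse_only())          # traverse only: listing fails
    print(probe_traverse_only(0o755))     # with r granted: listing succeeds
```

Run it as a regular user; as root every check passes, which the `euid` field makes visible. The second call is the POSIX-mode equivalent of the fix agreed on in the thread: grant read on the `%D` directory (on TrueNAS, via the ACL editor for that directory) and `ls` works again, while the `INHERIT_ONLY` + `NO_PROPAGATE_INHERIT` entries mentioned above still confine what propagates into each user's home.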