Autocreate home directory per Active Directory logged user

kalero (Dabbler, joined May 13, 2019, 17 messages)
Hi,

I have a FreeNAS box connected to my Active Directory, so if I type getent passwd in the FreeNAS shell, I get a list with all the users.

Now I want every user to have their own shared home directory, with a specified quota. But there is a problem: there are more than 20000 users. So how could I create the home directory for each user? I mean, when a user tries to access the FreeNAS box by typing, for instance, \\freenas on Windows, it creates their home directory and opens it.

Thanks
 
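The bulk pre-creation the first post asks about can be scripted from the same getent passwd output. The script below is an added example, not code from the thread or from FreeNAS. It assumes the home layout <base>/<DOMAIN>/<user> (Samba's template homedir = .../%D/%U, which is what the testparm output later in this thread shows) and that domain accounts can be told apart from local ones by the winbind idmap uid range (assumed 100000001-200000000, again as in that output). The getent lines are constructed sample input.

```python
"""Pre-create one home directory per AD user from `getent passwd` output.

Added example (not from the thread, not FreeNAS code). Assumptions:
  * homes live at <base>/<DOMAIN>/<user>, i.e. Samba's
    `template homedir = .../%D/%U`;
  * domain accounts are the ones whose uid falls inside the winbind idmap
    range (DOMAIN_UID_RANGE below); local accounts are skipped.
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed idmap range for the joined domain (idmap config domain: range).
DOMAIN_UID_RANGE: Tuple[int, int] = (100_000_001, 200_000_000)

# Constructed sample of `getent passwd` on a domain-joined FreeNAS box.
SAMPLE_GETENT = (
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "kalero:*:1001:1001:Local admin:/home/kalero:/bin/sh\n"
    "DOMAIN\\alice:*:100001104:100000513:Alice:/mnt/tank01/shares/Benutzer/DOMAIN/alice:/bin/sh\n"
    "DOMAIN\\bob:*:100001105:100000513:Bob:/mnt/tank01/shares/Benutzer/DOMAIN/bob:/bin/sh\n"
    "not a passwd line\n"
)


@dataclass(frozen=True)
class DomainUser:
    domain: str
    name: str
    uid: int
    gid: int


def parse_getent(text: str, uid_range=DOMAIN_UID_RANGE, sep: str = "\\") -> List[DomainUser]:
    """Return the domain users found in `getent passwd` output.

    Non-passwd lines, accounts outside the winbind uid range and names
    without a DOMAIN<sep> prefix are skipped rather than guessed at.
    """
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        if not (uid_range[0] <= uid <= uid_range[1]) or sep not in fields[0]:
            continue
        domain, name = fields[0].split(sep, 1)
        # never let an account name steer the path outside <base>/<DOMAIN>/
        if "/" in name or "/" in domain or name in (".", "..") or domain in (".", ".."):
            continue
        users.append(DomainUser(domain, name, uid, gid))
    return users


def provision_homes(base: str, users: List[DomainUser], chown: bool = True) -> List[Path]:
    """Create <base>/<DOMAIN>/<user> (mode 0700) for every user that lacks one.

    Existing directories are left alone, so re-running over 20000 users is
    cheap and safe. With chown=True (needs root) each directory is given to
    the user's uid and primary gid, so the inherited owner@ ACL entry from the
    HOME template applies to that user. The mode is passed to mkdir instead of
    being set with chmod afterwards, because a FreeNAS SMB dataset with
    aclmode=restricted may refuse chmod.
    """
    created = []
    for u in users:
        home = Path(base) / u.domain / u.name
        if home.is_dir():
            continue
        home.mkdir(parents=True, mode=0o700)  # the %D level gets the default mode
        if chown:
            os.chown(home, u.uid, u.gid)
        created.append(home)
    return created


def run_demo(base: Optional[str] = None, chown: bool = False) -> dict:
    """Provision the sample users twice in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        target = base or tmp
        users = parse_getent(SAMPLE_GETENT)
        first = provision_homes(target, users, chown=chown)
        second = provision_homes(target, users, chown=chown)
        modes = {p.name: oct(p.stat().st_mode & 0o777) for p in first}
        return {"users": [u.name for u in users], "created": len(first),
                "created_on_rerun": len(second), "modes": modes}


if __name__ == "__main__":
    # Real run: getent output straight from the box, as root so chown works.
    live = subprocess.run(["getent", "passwd"], check=True, capture_output=True, text=True).stdout
    new_dirs = provision_homes("/mnt/tank01/shares/Benutzer", parse_getent(live))
    print(f"created {len(new_dirs)} home directories")
```

Run it as root on the box after the parent dataset has its ACL set, so each new directory inherits that ACL; the POSIX mode bits are only the fallback, SMB access is decided by the NFSv4 ACL.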

kalero (Dabbler, joined May 13, 2019, 17 messages)
I'm realizing that checking the box "Use as home share" creates the share but not the directory, so I have to create it manually with mkdir so that the user is able to access it. I don't know why it behaves that way. Any idea? Thanks.
 
(Joined Jul 3, 2015, 926 messages)
I haven't tried this on a recent version of FreeNAS, but in 11.1, to achieve this I would edit the smb4.conf file and add the line:

valid users = @"Domain\somegroup"

replacing the domain with yours and whatever group you wish to target in AD.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> I haven't tried this on a recent version of FreeNAS, but in 11.1, to achieve this I would edit the smb4.conf file and add the line:
>
> valid users = @"Domain\somegroup"
>
> replacing the domain with yours and whatever group you wish to target in AD.
There's a template option for "HOMES" in the ACL editor. Select it, change the group so that it's domain admins, and apply recursively.
 
(Joined Jul 3, 2015, 926 messages)
I can't quite get this to work. I've set up the dataset, applied the "HOME" template ACL and added domain admins to the group. I've also created the SMB share and marked it as a home share, and although folders are created when users try to connect, their permissions don't allow them to access the share.
 

kalero (Dabbler, joined May 13, 2019, 17 messages)
Excuse my ignorance. Where is that ACL editor? In the pools permissions I can apply user and group, but I don't see any special option for "HOMES".
 

thomisus (Dabbler, joined Feb 11, 2020, 14 messages)
> I'm realizing that checking the box "Use as home share" creates the share but not the directory, so I have to create it manually with mkdir so that the user is able to access it. I don't know why it behaves that way. Any idea? Thanks.

Make a pool (/mnt/tank/users). Set the share type to SMB. Now go to Sharing -> Windows Shares, add a share and set "Use as home share". Then set the ACL using the HOME template, but change the owner to DOMAIN\Administrator and the group to DOMAIN\domain users.
 
(Joined Jul 3, 2015, 926 messages)
> Make a pool (/mnt/tank/users). Set the share type to SMB. Now go to Sharing -> Windows Shares, add a share and set "Use as home share". Then set the ACL using the HOME template, but change the owner to DOMAIN\Administrator and the group to DOMAIN\domain users.
Thanks, that works. Worth highlighting that you need to add 'DOMAIN\domain users' as an 'ACL ITEM' in addition to setting 'DOMAIN\Administrator' as owner and group.

Now any ideas on how best to quota these users?
 

thomisus (Dabbler, joined Feb 11, 2020, 14 messages)
> Thanks, that works. Worth highlighting that you need to add 'DOMAIN\domain users' as an 'ACL ITEM' in addition to setting 'DOMAIN\Administrator' as owner and group.

If you set the HOME ACL template instead of DEFAULT, FreeNAS sets the correct ACL items. You don't need to add 'DOMAIN\domain users' as an 'ACL ITEM' because it sets 'group@' permissions.

> Now any ideas on how best to quota these users?

Try the auxiliary parameter ixnas:base_user_quota = 100G.

A more elegant solution could be child dataset autocreation. I'm trying to solve this as well using the auxiliary parameters

ixnas:zfs_auto_homedir = True
ixnas:chown_homedir = True
ixnas:homedir_quota = 100G

but I'm figuring out what's wrong, because child datasets aren't created.
 
(Joined Jul 3, 2015, 926 messages)
> If you set the HOME ACL template instead of DEFAULT, FreeNAS sets the correct ACL items. You don't need to add 'DOMAIN\domain users' as an 'ACL ITEM' because it sets 'group@' permissions.
I did that and it didn't work. I had to add 'DOMAIN\domain users' explicitly.
 
(Joined Jul 3, 2015, 926 messages)
> Try the auxiliary parameter ixnas:base_user_quota = 100G.
>
> A more elegant solution could be child dataset autocreation. I'm trying to solve this as well using the auxiliary parameters
>
> ixnas:zfs_auto_homedir = True
> ixnas:chown_homedir = True
> ixnas:homedir_quota = 100G
>
> but I'm figuring out what's wrong, because child datasets aren't created.

Thanks. Yeah, I just found @anodos's thread about it: https://www.ixsystems.com/community/threads/configuration-options-for-ixnas.75835/#post-568846
 
(Joined Jul 3, 2015, 926 messages)
> ixnas:zfs_auto_homedir = True is probably not an appropriate setting for an environment with thousands of users.

Yeah, I agree; user quotas are better deployed here.
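Once every home is capped by a per-user quota, the thing to watch is users approaching the cap and, more importantly on a shared dataset, users who somehow have no cap at all. The script below is an added example, not code from the thread or from FreeNAS. It assumes the quota (whether set from the GUI or, as the parameter name suggests, by ixnas:base_user_quota) ends up as a ZFS userquota@ property, and it assumes the output shape of `zfs userspace -H -p -o type,name,used,quota <dataset>`: one tab-separated row per principal, byte counts, and the literal `none` for an unset quota. The sample rows are constructed.

```python
"""Audit per-user ZFS quotas on a home-share dataset.

Added example, not from the thread or from FreeNAS. Assumed output shape of
  zfs userspace -H -p -o type,name,used,quota <dataset>
one tab-separated row per principal, byte counts (-p), and the literal
`none` for an unset quota.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: 95 GiB of 100 GiB, 1 GiB of 100 GiB, a user with no
# quota, and a group row that the parser must ignore.
SAMPLE_USERSPACE = (
    "POSIX User\tDOMAIN\\alice\t102005473280\t107374182400\n"
    "POSIX User\tDOMAIN\\bob\t1073741824\t107374182400\n"
    "POSIX User\tDOMAIN\\carol\t5368709120\tnone\n"
    "POSIX Group\tDOMAIN\\domain users\t108447924224\tnone\n"
)


@dataclass(frozen=True)
class UserSpace:
    name: str
    used: int
    quota: Optional[int]  # None: no userquota@ set for this principal

    @property
    def fraction(self) -> Optional[float]:
        return None if not self.quota else self.used / self.quota


def parse_userspace(text: str) -> List[UserSpace]:
    """Keep only user rows (POSIX or SMB), dropping group/project rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, name, used, quota = line.split("\t")
        if not kind.endswith("User"):
            continue
        rows.append(UserSpace(name, int(used), None if quota == "none" else int(quota)))
    return rows


def audit(rows: List[UserSpace], warn_at: float = 0.9) -> Tuple[List[UserSpace], List[UserSpace]]:
    """Return (users at or above warn_at of their quota, users with no quota at all).

    The second list is the one that matters on a share where every home is
    supposed to be capped: one user without a quota can fill the whole dataset.
    """
    near = [r for r in rows if r.quota and r.fraction >= warn_at]
    missing = [r for r in rows if r.quota is None]
    return near, missing


def audit_dataset(dataset: str, warn_at: float = 0.9):
    """Run the audit against a live dataset (e.g. 'tank/users')."""
    out = subprocess.run(
        ["zfs", "userspace", "-H", "-p", "-o", "type,name,used,quota", dataset],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_userspace(out), warn_at)


if __name__ == "__main__":
    near, missing = audit(parse_userspace(SAMPLE_USERSPACE))
    for r in near:
        print(f"{r.name}: {r.used / 2**30:.1f} GiB of {r.quota / 2**30:.0f} GiB ({r.fraction:.0%})")
    for r in missing:
        print(f"{r.name}: NO QUOTA")
```

Scheduled as a cron job with the output mailed to the admins, the "NO QUOTA" list is the check that the per-connection quota mechanism actually fired for every user who has ever logged on.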
 

thomisus (Dabbler, joined Feb 11, 2020, 14 messages)
Is it possible to add in the troubleshooting section of the docs the correct permissions? I think it could help many users.

Thank you!
 

kalero (Dabbler, joined May 13, 2019, 17 messages)
Thank you all for your replies. I finally got the home shares working for each domain user.

I just have one question:

How could I achieve that, for instance, the users in the group "DOMAIN\office_supervisors" can see all the home shares? I mean that, at the moment, when a user on Windows goes to, for instance, "\\FREENAS\home", he gets into his home directory, but some specific users, for instance those in the group "DOMAIN\office_supervisors", should be able to see all the home directories, not only their own. How could I achieve that?
 
(Joined Jul 3, 2015, 926 messages)
You could just create another SMB share to share out the dataset again under another name, and then you should be able to connect via "DOMAIN\office_supervisors".
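What the reply above describes, written out as an added example (not configuration from the thread or generated by FreeNAS): a second share over the same parent directory, limited to the supervisors group with `valid users`, the same parameter an earlier reply used to restrict a share to one AD group. Because FreeNAS regenerates smb4.conf, the two restriction lines belong in the new share's Auxiliary Parameters rather than in the file itself. DOMAIN, office_supervisors and the path are placeholders.

```ini
[allhomes]
    comment = All home directories (office supervisors only)
    path = /mnt/tank/users
    read only = No
    ; share-level gate: only members of this AD group may connect
    valid users = @"DOMAIN\office_supervisors"
    ; everyone else does not even see the share in the browse list
    access based share enum = Yes
```

Two things to check before relying on it. First, `valid users` only decides who may connect to the share; what a supervisor can then read inside each home is still decided by that directory's NFSv4 ACL, so the supervisors group also needs an ACE on the homes (put it on the parent with inheritance so directories created later pick it up, and apply it recursively to the existing ones). Second, the [homes] share stays as it was, so ordinary users keep seeing only their own directory; the supervisors simply get a second, wider entry point.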
 

Henning Kessler (Contributor, joined Feb 10, 2015, 143 messages)
My problem seems to be that home folders are not created automatically. If I try to access the share from a macOS system, I can see the share named after the user who authenticated, but I get an error message as soon as I try to access it. There is an error message in /var/log/samba4/log.smbd:
[2022/03/01 17:57:40.163121, 1] ../../source3/smbd/service.c:669(make_connection_snum)
make_connection_snum: SMB_VFS_CONNECT for service 'tobias' at '/mnt/tank01/shares/SHARENAME/DOMAIN/USERNAME' failed: No such file or directory
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> My problem seems to be that home folders are not created automatically. If I try to access the share from a macOS system, I can see the share named after the user who authenticated, but I get an error message as soon as I try to access it. There is an error message in /var/log/samba4/log.smbd:
Depending on context, this may mean that pam_mkhomedir is failing. What's output of testparm -s?
 

Henning Kessler (Contributor, joined Feb 10, 2015, 143 messages)
Hi anodos,

here is the output:
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
aio max threads = 2
allow trusted domains = No
bind interfaces only = Yes
client ldap sasl wrapping = seal
disable spoolss = Yes
dns proxy = No
domain master = No
enable web service discovery = Yes
kerberos method = secrets and keytab
kernel change notify = No
load printers = No
local master = No
logging = file
max log size = 5120
nsupdate command = /usr/local/bin/samba-nsupdate -g
obey pam restrictions = Yes
preferred master = No
realm = INT.DOMAIN.COM
registry shares = Yes
restrict anonymous = 2
security = ADS
server min protocol = NT1
server role = member server
server string = FreeNAS Server
template homedir = /mnt/tank01/shares/Benutzer/%D/%U
template shell = /bin/sh
unix extensions = No
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
workgroup = DOMAIN
elasticsearch:port = 9200
elasticsearch:address = 192.168.192.27
idmap config *: range = 90000001-100000000
idmap config domain: range = 100000001-200000000
idmap config domain: backend = rid
fruit:nfs_aces = No
idmap config * : backend = tdb
directory name cache size = 0
dos filemode = Yes
spotlight backend = elasticsearch
strict sync = No


[Archiv]
access based share enum = Yes
ea support = No
kernel share modes = No
path = /mnt/tank01/shares/Archiv
posix locking = No
read only = No
vfs objects = full_audit zfs_space fruit streams_xattr ixnas zfsacl
full_audit:priority = NOTICE
full_audit:facility = LOCAL5
full_audit:success = renameat unlinkat write pwrite linkat
full_audit:failure = none
full_audit:prefix = %u|%I|%m|%S
fruit:resource = stream
fruit:metadata = stream
nfs4:chown = true

[homes]
ea support = No
kernel share modes = No
path = /mnt/tank01/shares/Benutzer/%D/%U
posix locking = No
read only = No
vfs objects = full_audit zfs_space fruit streams_xattr ixnas zfsacl
fruit:resource = stream
fruit:metadata = stream
nfs4:chown = true
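The testparm dump above contains everything needed to check the two things anodos's pam_mkhomedir hint depends on: that [homes] points at the same directory template winbind hands to pam_mkhomedir, and that PAM session handling (obey pam restrictions) is on so pam_mkhomedir can run at all. The same dump also shows `server min protocol = NT1`, which keeps SMB1 clients accepted on this server. The script below is an added example, not code from the thread or from FreeNAS; it parses the INI-style text testparm -s prints and reports those points. SAMPLE_TESTPARM is abridged from the output posted above.

```python
"""Sanity-check `testparm -s` output for a domain member with home shares.

Added example, not from the thread or from FreeNAS. Parses testparm's
INI-style dump (the preamble lines are skipped) and checks:
  * [homes] path == template homedir (what pam_mkhomedir creates is what
    the share connects to);
  * obey pam restrictions = Yes (otherwise PAM session modules never run);
  * server min protocol is not an SMB1 dialect.
SAMPLE_TESTPARM is abridged from the testparm output in the thread.
"""
import re
import subprocess
from typing import Dict, List

SAMPLE_TESTPARM = """\
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
\tobey pam restrictions = Yes
\trealm = INT.DOMAIN.COM
\tsecurity = ADS
\tserver min protocol = NT1
\tserver role = member server
\ttemplate homedir = /mnt/tank01/shares/Benutzer/%D/%U
\tworkgroup = DOMAIN
\tidmap config * : backend = tdb

[homes]
\tpath = /mnt/tank01/shares/Benutzer/%D/%U
\tread only = No
\tvfs objects = full_audit zfs_space fruit streams_xattr ixnas zfsacl
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
Config = Dict[str, Dict[str, str]]


def parse_testparm(text: str) -> Config:
    """Map section name -> {parameter: value}; lines before the first section are ignored."""
    sections: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # preamble such as "Server role: ROLE_DOMAIN_MEMBER"
        key, _, value = line.partition("=")
        # Samba parameter names are case- and whitespace-insensitive
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit(cfg: Config) -> List[str]:
    """Return human-readable findings; an empty list means all three checks passed."""
    g = cfg.get("global", {})
    findings = []
    dialect = g.get("server min protocol", "").lower()
    if dialect in SMB1_DIALECTS:
        findings.append(f"server min protocol = {dialect}: SMB1 clients are still accepted; "
                        "raise it to SMB2_02 or higher unless a legacy client truly needs it")
    if g.get("obey pam restrictions", "no").lower() != "yes":
        findings.append("obey pam restrictions is off: PAM session modules such as "
                        "pam_mkhomedir will not run for SMB logons")
    homes = cfg.get("homes")
    if homes is None:
        findings.append("no [homes] section: home shares are not enabled")
    elif homes.get("path") != g.get("template homedir"):
        findings.append(f"[homes] path {homes.get('path')!r} differs from template homedir "
                        f"{g.get('template homedir')!r}: the directory pam_mkhomedir creates "
                        "is not the one the share connects to")
    return findings


def audit_live() -> List[str]:
    """Run the audit against the box's effective configuration."""
    out = subprocess.run(["testparm", "-s"], check=True, capture_output=True, text=True).stdout
    return audit(parse_testparm(out))


if __name__ == "__main__":
    for finding in audit(parse_testparm(SAMPLE_TESTPARM)):
        print("-", finding)
```

On the configuration posted above the only finding is the SMB1 one: the homes path and the template match and PAM restrictions are on, which points the "No such file or directory" error at the PAM side (pam_mkhomedir not running or failing) rather than at the Samba share definition.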
 