How to set default POSIX permissions on user homes?

Status
Not open for further replies.

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I have FreeNAS 9.3 serving Samba shares, with AD authentication.

When users log in for the first time, their home directory is created with "domain users" as the group, and POSIX permissions = 755. This is a server where students upload completed assignments, so we definitely don't want o+rx enabled!

"domain users" is an AD group which contains all students.

I would rather have a different group show up as the default and set permissions to 770. Or, if not possible to change the default group, keep "domain users" but set default permissions on homes to 700.

There's a script that runs several times a day to fine-tune the permissions, but the way it is right now, between the time someUser first logs in and the next time the permissions script runs, other users can see into someUser's home directory.

I tried changing the umask in /usr/share/skel/dot.cshrc but that didn't make a difference.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Assuming you are not using ACLs, then you probably should look at the "directory mask" share-level auxiliary parameter.
See the smb.conf manpage for more info.

With ACLs you just set the appropriate permissions / inheritance bits. There shouldn't be a need to run a script to fine-tune permissions.
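As an added example (not code from the thread or from FreeNAS): the sketch below models how smb.conf(5) describes "directory mask" and "force directory mode" being applied to a directory created over SMB, and audits a homes root for directories that grant more than the intended mode. It assumes ACLs are not in use and that the directory is created through the share; the function names and the sample user names are hypothetical.

```python
import os
import stat
import tempfile


def samba_dir_mode(directory_mask, force_directory_mode=0o000, requested=0o777):
    """Mode of a directory created over SMB, per smb.conf(5):
    the requested mode is ANDed with 'directory mask', then ORed with
    'force directory mode'."""
    return (requested & directory_mask) | force_directory_mode


def exposed_homes(homes_root, allowed=0o700):
    """Return {name: mode} for each home directory directly under homes_root
    that grants permission bits outside `allowed`."""
    found = {}
    with os.scandir(homes_root) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode) & 0o777
            if mode & ~allowed:
                found[entry.name] = mode
    return found


if __name__ == "__main__":
    # Samba's default directory mask is 0755.
    for mask in (0o755, 0o700, 0o770):
        print(f"directory mask = {mask:04o} -> new dirs {samba_dir_mode(mask):04o}")

    # Constructed sample tree (placeholder user names), not real data.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("alice", 0o755), ("bob", 0o700), ("carol", 0o770)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
        for name, mode in sorted(exposed_homes(root).items()):
            print(f"{name}: {mode:04o} exceeds 0700")
```

Running the audit against the real homes root right after changing the share settings shows whether newly created homes still carry group or other bits before any periodic fix-up script has run.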
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
After I added a "directory mask" parameter to my smb4.conf, FreeNAS rejected all user logins, either through SMB or SSH, regardless of what permissions I set. I not only reverted the smb4.conf back to how it was before, I also had to disable and re-enable AD binding before logins started working again. Is that expected?

I figured I'd have to restart the samba service for changes to take effect, but do I also need to unbind from AD before editing the samba conf?
 