Windows User Home Folders
Revision as of 15:25, 9 March 2020
Introduction

Home folders contain the files of an individual account. Using Samba, you can share these directories so that network users can store their own files in their home folder on the file server.

This documentation does not use the Samba built-in [homes] section, which dynamically shares each user's home directory under the \\server\user_name\ path. While this can be helpful in certain scenarios, it has some disadvantages:
- Windows does not support this layout, so certain settings, such as folder redirection in an Active Directory (AD), require a workaround instead of the official solution.
- You must create each new user's home directory manually.
- The [homes] feature is not supported on a Samba Active Directory (AD) domain controller (DC).

In the following, the directory containing the home folders is shared under the users share name. Each user's home directory is created as a subdirectory of the \\server\users\ share, such as \\server\users\user_name. This is the same layout used in a Microsoft Windows environment and requires no additional work to set up.
Setting up the Home Folder Share on the Samba File Server

Using Windows ACLs

Setting extended access control lists (ACLs) on the share that hosts the home directories enables you to create new users in the Active Directory Users and Computers application without manually creating the user's home folder and setting its permissions.

To create a share, for example users, for hosting the user home folders on a Samba file server:
- Create a new share. For details, see Setting up a Share Using Windows ACLs. Set the following permissions:
  - Share permissions:

        Principal        Access
        Domain Users     Change
        Domain Admins    Full Control

  - File system permissions on the root of the users share:

        Principal        Access           Applies to
        Domain Users*    Read & execute   This folder only
        CREATOR OWNER    Full control     Subfolders and files only
        Domain Admins    Full control     This folder, subfolders and files

    * You can alternatively set other groups to enable their members to store their home folder on the share. When using different groups, apply the permissions shown for Domain Users in the table above.

    The Domain Users entry applies to the share root only, and the CREATOR OWNER entry gives the account that creates a subfolder or file full control over it. Together they let every user reach and own their own folder without gaining access to the home folders of other users.

    Verify that permission inheritance is disabled on the root of the share. If any permission entry in the Advanced Security Settings window displays a path in the Inherited from column, click the Disable inheritance button. On Windows 7, clear the Include inheritable permissions from this object's parent check box instead.

    On a Samba share, you can omit the SYSTEM account in the file system ACLs. For details, see The SYSTEM Account.

These settings enable members of the Domain Admins group to set the user home folder in the Active Directory Users and Computers application, which automatically creates the home folder and sets the correct permissions.
Using POSIX ACLs

Instead of using Windows access control lists (ACLs), you can set up the share using POSIX ACLs on your Samba server. However, when using POSIX ACLs to set permissions, you must create the home directory for each new user manually and set its permissions.

Note: When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On a Samba DC, only shares using extended ACLs are supported. For further details, see Enable Extended ACL Support in the smb.conf File. To set up the share on a Samba AD DC, see Setting up the Home Folder Share on the Samba File Server - Using Windows ACLs.

For example, to create the users share:
- Add the following share configuration section to your smb.conf file:

        [users]
            path = /srv/samba/users/
            read only = no
            force create mode = 0600
            force directory mode = 0700

  For details about the parameters used, see the descriptions in the smb.conf(5) man page. Note that force create mode and force directory mode only add permission bits to newly created files and directories; it is the 0700 mode set on each user's home directory when it is created that keeps other users out.

  Do not use homes as the name of the share. For further details, see Introduction.
- Create the directory and set the correct permissions:

        # mkdir -p /srv/samba/users/
        # chgrp -R "Domain Users" /srv/samba/users/
        # chmod 2750 /srv/samba/users/

  In a domain, Domain Users is a group that all domain user accounts are members of. Alternatively, or if you are running a non-domain environment, you can use any group that exists locally. However, user accounts must be members of this group to access the share, because the 2750 mode grants no permissions to other accounts.
- Reload Samba:

        # smbcontrol all reload-config
Creating the Home Folder for a New User

Using Windows ACLs

If you are using the Active Directory Users and Computers application, the user's home directory is automatically created and the correct permissions applied when you set the path to the user folder in the application.

Note: This only applies to home directories stored on a Windows machine or on a Samba share set up with Windows ACLs as described in Setting up the Home Folder Share on the Samba File Server - Using Windows ACLs. Active Directory Users and Computers cannot create home directories on a Unix machine whose share uses POSIX ACLs.

If you are not using Active Directory Users and Computers, you must create the folder manually and set the correct permissions. For example:
- Log in to a Windows machine using an account that has permission to create new folders on the \\server\users\ share.
- Navigate to the \\server\users\ share.
- Create a new home folder for the user.
- Add the user to the access control list (ACL) of the folder and grant Full control to the user. For details, see Setting ACLs on a Folder.
Using POSIX ACLs

When you set up the users share using POSIX access control lists (ACLs), you must create the home folder for each new user manually. To create the home folder for the demo user:
- Create the directory:

        # mkdir /srv/samba/users/demo/

- Set the following permissions so that only the demo user can access the directory:

        # chown demo /srv/samba/users/demo/
        # chmod 700 /srv/samba/users/demo/

  The owner must be the account that connects to the share, because Samba accesses the files in the home folder as that user.
Assigning a Home Folder to a User

In an Active Directory

Using Active Directory Users and Computers

In an Active Directory, you can use the Active Directory Users and Computers Windows application to set the path to the user home folder and the drive letter it is mapped to. If you do not have the Remote Server Administration Tools (RSAT) installed, see Installing RSAT.

To assign the \\server\users\demo\ path as home folder to the demo account:
- Log in to a computer using an account that is able to edit user accounts.
- Open the Active Directory Users and Computers application.
- Navigate to the directory container that contains the demo account.
- Right-click the demo user account and select Properties.
- Select the Profile tab.
- Select Connect, choose the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the To field.
- Click OK.

If a warning is displayed when saving the settings that the home folder could not be created, one of the following applies:
- The permissions on the users share were set incorrectly when you set up the share using Windows access control lists (ACLs). To fix the problem, set the permissions described in Using Windows ACLs.
- You set up the share using POSIX ACLs. To fix the problem, create the directory manually. See Creating the Home Folder for a New User - Using POSIX ACLs.
Using a Group Policy Preference

Using Group Policy Preferences, you can assign settings to organizational units (OUs) or to a domain. This enables you, for example, to automatically assign home folder paths to all users in the OU or domain. If you move an account to a different OU or domain, the setting is removed or updated. This way, you do not have to assign the setting to each user account manually.

To create a group policy object (GPO) for the domain that automatically assigns the \\server\users\user_name path as home folder to each user:
- Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
- Open the Group Policy Management Console. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click your AD domain and select Create a GPO in this domain, and Link it here.
- Enter a name for the GPO, such as Home folders on server. The new GPO is shown below the domain entry.
- Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor.
- Navigate to the User Configuration → Preferences → Windows Settings → Drive Maps entry.
- Right-click the Drive Maps entry and select New → Mapped Drive.
- Set the following:
  - On the General tab:
    - Action: Create
    - Location: \\server\users\%LogonUser%
      Windows replaces the %LogonUser% variable with the name of the user who logs in.
    - Select Reconnect
    - Label: Enter a string. For example: Home
    - Use: Select the drive letter the home folder is mapped to.
  - On the Common tab:
    - Select Run in logged-on user's security context (user policy option)
  - Click OK.
- Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
- Close the Group Policy Management Console.

The policy is applied to the users in the OU or domain the policy is linked to during their next log in.
Using ldbedit on a Domain Controller

On a domain controller (DC), for example, to assign the \\server\users\demo path as home folder to the demo account and map it to the H: drive letter:
- Edit the demo user account:

        # ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=demo'

- The account's attributes are displayed in an editor. Append the following attributes and values to the end of the list:

        homeDrive: H:
        homeDirectory: \\server\users\demo\

- Save the changes.

The setting is applied the next time the user logs in.
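The script below is an added example, not part of the Samba wiki page. It performs the same change as the ldbedit step above, but non-interactively with ldbsearch and ldbmodify so that it can be run for many accounts. It assumes the sam.ldb path shown on the page, a hypothetical file server named server, and sample distinguished names under DC=samdom,DC=example,DC=com that exist only for illustration; the DN resolution and the LDIF unfolding are needed because ldbmodify addresses an object by its DN and ldb's LDIF writer folds long values onto continuation lines.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): set homeDrive and homeDirectory
# on AD accounts with ldbsearch/ldbmodify, scripting what the page does
# interactively in ldbedit. Assumptions: the sam.ldb path from the page, a
# hypothetical file server called "server", and sample DNs under
# DC=samdom,DC=example,DC=com used only for illustration.

SAM_DB=${SAM_DB:-/usr/local/samba/private/sam.ldb}

# UNC path of a user's home folder on the users share, e.g. \\server\users\demo
home_folder_path() {
    server=$1
    user=$2
    printf '%s' "\\\\$server\\users\\$user"
}

# LDIF that sets both attributes on one account. "replace" rather than "add"
# so that re-running on an account that already has a home folder updates
# it instead of failing because the attribute exists.
home_folder_ldif() {
    dn=$1
    user=$2
    server=$3
    drive=$4
    printf 'dn: %s\nchangetype: modify\nreplace: homeDrive\nhomeDrive: %s\n-\nreplace: homeDirectory\nhomeDirectory: %s\n' \
        "$dn" "$drive" "$(home_folder_path "$server" "$user")"
}

# ldb's LDIF writer folds long values onto continuation lines that start
# with a single space; join them again so a long DN is not cut in half.
# Blank record separators are dropped, which is fine for extracting a DN.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# First DN in an ldbsearch result read from stdin.
extract_dn() {
    unfold_ldif | sed -n 's/^dn: //p' | head -n 1
}

# Resolve the account by sAMAccountName and apply the change to sam.ldb.
# Run on the DC as root, like the ldbedit command on the page.
assign_home_folder() {
    user=$1
    server=$2
    drive=$3
    dn=$(ldbsearch -H "$SAM_DB" "(sAMAccountName=$user)" dn | extract_dn)
    if [ -z "$dn" ]; then
        echo "no account with sAMAccountName=$user in $SAM_DB" >&2
        return 1
    fi
    home_folder_ldif "$dn" "$user" "$server" "$drive" | ldbmodify -H "$SAM_DB"
}

# Example: assign_home_folder demo server H:
```

Because the LDIF uses replace, the same call can also be used to move all users to a new file server later; the home folder itself still has to exist with the right permissions on that server, as the sections above describe.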
In an NT4 Domain

In a Samba NT4 domain, to set \\server\users\%U as the path to the home folder and map it to the H: drive letter:
- Add the following parameters to the [global] section in your smb.conf file:

        logon drive = H:
        logon home = \\server\users\%U

  When a user logs in to a domain member, Samba automatically replaces the %U variable with the session user name. For further details, see the Variable Substitutions section in the smb.conf(5) man page.
- Reload Samba:

        # smbcontrol all reload-config
In a Non-domain Environment

Using a Windows Professional or Higher Edition

If your Samba server and clients are not part of a domain, set the user home folder mapping in the local user account's properties:
- Log on to the Windows machine using an account that is a member of the local Administrators group.
- Open the lusrmgr.msc (Local Users and Groups) application.
  The lusrmgr.msc application is not available in Windows Home editions.
- Click Users in the navigation on the left side.
- Right-click the account you want to assign a home folder to, and select Properties.
- Navigate to the Profile tab.
- Select Connect, choose the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the To field.
- Click OK.

You must set the mapping for each user on every Windows client manually.

Using Windows Home Edition

Windows Home editions do not provide the application needed to set the user home folder mapping in the local account properties. Instead, each user must map the drive manually:
- Log on to the Windows machine as the user that should get the home folder mapped.
- Open a command prompt.
- For example, to map the \\server\users\demo\ folder to the H: drive letter, enter:

        > net use H: \\server\users\demo\ /persistent:yes

The user home folder is automatically connected when the user logs in. To stop the automatic mapping, disconnect the drive. For example:

        > net use H: /delete