Windows User Home Folders: Difference between revisions
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page User Home Drives to User Home Folders without leaving a redirect) |
Mmuehlfeld (talk | contribs) (Rewrote documentation. It has now a clearer structure and a lot of new procedures (e. g. setting up home folders using POSIX ACLs, how to set the home folder in an AD and NT4 domain), additionally it can be used to configure it in an AD and NT4 domain.) |
||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
Home folders contain files of an individual account. Using Samba, you can share the directories to enable network users to store own files on their home folder on the file server. |
|||
In a professional environment, you setup the permissions on the share containing the user homes, in a way that allows the automatic creation for new accounts without setting ACL's manually. |
|||
This documentation does not use the Samba |
This documentation does not use the Samba built-in <code>[homes]</code> section that dynamically shares the user's home directory using the <code>\\server\''user_name''\</code> path. While this can be helpful in certain scenarios, it has some disadvantages: |
||
* Windows does not support this feature, and certain settings, such as folder redirection in an Active Directory (AD), require a workaround instead and you cannot use the official solution. |
|||
* It does not enable auto-creation of home directories when the user logs in the first time |
|||
* You must create each new user's home directory manually. |
|||
* Some Windows features do not support per-user home directories, such as folder redirection. |
|||
* The [homes] |
* The <code>[homes]</code> feature is not supported running on a Samba Active Directory (AD) domain controller (DC). |
||
In the following, the directory containing the home folders are shared using the <code>users</code> share name. Each user's home directory is created as a subdirectory on the <code>\\server\users\</code> share, such as, <code>\\server\users\''user_name''</code>. This is the same format used in a Microsoft Windows environment and requires no additional work to set up. |
|||
= Preparatory work = |
|||
= Setting up the Share on the Samba File Server = |
|||
Before continuing, make sure that you have read the [[Setting_up_a_Share_Using_Windows_ACLs|Setting up a Share Using Windows ACLs]] HowTo and have complied with the [[Setting_up_a_Share_Using_Windows_ACLs#Preparatory_work|preconditions]]. |
|||
== Using Windows ACLs == |
|||
Setting extended access control lists (ACL) on the share that hosts home directories enables you to create new users in the <code>Active Directory Users and Computers</code> application without manually creating the user's home folder and setting permissions. |
|||
To create the <code>users</code> share on the Samba file server: |
|||
* Set up the <code>users</code> share. For details, see [[Setting up a Share Using Windows ACLs]]. Set the following permissions: |
|||
:* Share permissions: |
|||
= Adding the share = |
|||
::{| class="wikitable" |
|||
!Principal |
|||
!Access |
|||
|- |
|||
|Authenticated Users |
|||
|Read & execute |
|||
|- |
|||
|Domain Admins |
|||
|Full control |
|||
|} |
|||
:* File system permissions on the root of the <code>users</code> share: |
|||
* Add the new share to your <tt>smb.conf</tt> |
|||
:* Share permissions: |
|||
[home] |
|||
::{| class="wikitable" |
|||
path = /srv/samba/home/ |
|||
!Principal |
|||
read only = No |
|||
!Access |
|||
!Applies to |
|||
|- |
|||
|Authenticated Users |
|||
|Read & execute |
|||
|This folder only |
|||
|- |
|||
|CREATOR OWNER |
|||
|Full control |
|||
|Subfolders and files only |
|||
|- |
|||
|Domain Admins |
|||
|Full control |
|||
|This folder, subfolders and files |
|||
|} |
|||
:: Additionally, disable the inheritance of permissions from the parent folder by clicking the <code>Disable inheritance</code> button. |
|||
:Do not name the share "[homes]". For details, see [[#Introduction|Introduction]]. |
|||
::[[Image:Home_Folder_File_System_ACLs.png]] |
|||
* Create the folder that will contain the home directories. The permissions will be set later. |
|||
These settings enable members of the <code>Domain Admins</code> group to set the user home folder in the <code>Active Directory Users and Computers</code> application, that automatically creates the home folder and sets the correct permissions. |
|||
# mkdir /srv/samba/home/ |
|||
* Reload Samba, to make the changes effective |
|||
# smbcontrol all reload-config |
|||
== Using POSIX ACLs == |
|||
When using POSIX access control lists (ACL) to set permissions, you must create the home directory for each new user manually and set permissions. |
|||
{{Imbox |
|||
| type = note |
|||
| text = When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On an Samba DC, only shares using extended ACLs are supported. For further details, see [[Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File|Enable Extended ACL Support in the smb.conf File]]. To set up the share on a Samba AD DC, see [[#Using_Windows_ACLs|Setting up the Home Folder Share on the Samba File Server - Using Windows ACLs]]. |
|||
}} |
|||
To create the <code>users</code> share on the Samba file server: |
|||
* Add the following share configuration section to your <code>smb.conf</code> file: |
|||
= Setting up the share and filesystem permissions = |
|||
[users] |
|||
The following steps can be performed on any Windows client. |
|||
path = /srv/samba/users/ |
|||
read only = no |
|||
force create mode = 0600 |
|||
force directory mode = 0700 |
|||
: Do not use <code>homes</code> as name of the share. For further details, see [[#Introduction|Introduction]]. |
|||
Note: If you have the requirement that your users also need to access their home folder locally on the server, you will have to add a group that contains these user accounts. Add this group in all the steps below and set the permissions to exactly the same as „Authenticated users“. Of course this group must be available locally through Winbindd. This is required because if the user logs in locally on the server, there is no „Authenticated User“! |
|||
* Create the directory and set the correct permissions: |
|||
* Log on to a Windows machine using an account, or a member of a group, the „SeDiskOperatorPrivilege“ was granted to. |
|||
# mkdir -p /srv/samba/users/ |
|||
* Open the Start Menu and search for „Computer Management“. |
|||
# chgrp -R "Domain Users" /srv/samba/users/ |
|||
# chmod 2750 /srv/samba/users/ |
|||
* Reload Samba: |
|||
* In the menu bar, go to „Action“ / „Connect to another computer“. |
|||
# smbcontrol all reload-config |
|||
* Enter the name of your Samba server you have created the new share on. |
|||
* Navigate to „System Tools“ / „Shared Folders“ / „Shares“ and select the newly added share. |
|||
:[[Image:Computer_Management_Shares_home.png]] |
|||
* Right-click to the share name and choose „Properties“ . |
|||
* Go to the „Share Permissions“ tab. |
|||
= Creating the Home Folder for a New User = |
|||
* Change the share permissions to: |
|||
Authenticated Users: Full Control |
|||
Domain Admins: Full Control |
|||
System: Full Control |
|||
== Using Windows ACLs == |
|||
:If you have the requirement that your users also need access their home folder locally on the server, additionally add a group that contains these user accounts. Because if the user logs in locally on the server, there is no „Authenticated User“! The permissions for this additional group have to be the same as „Authenticated users“ |
|||
If you are using the <code>Active Directory Users and Computers</code> application, the user's home directory is automatically created and the correct permissions applied when you set the path to the user folder in the application. If you are not using <code>Active Directory Users and Computers</code>, you must create the folder manually and set the correct permissions. For example: |
|||
:[[Image:home_share_permissions.png]] |
|||
* Log in to a Windows machine using an account that has permissions to create new folders on the <code>\\server\users\</code> share. |
|||
:If this fails with a „permission denied“ error, recheck if you are using an account with [[Setting_up_a_Share_Using_Windows_ACLs#SeDiskOperatorPrivilege|SeDiskOperatorPrivilege privileges]]! |
|||
* |
* Navigate to the <code>\\server\users\</code> share. |
||
* Create a new home folder for the user. |
|||
:* '''Note:''' File and folder security descriptors are affected by Samba's [https://bugzilla.samba.org/show_bug.cgi?id=10560#c8 ACL mapping behaviour]. |
|||
* Add the user to the access control list (ACL) of the folder and grant <code>Full control</code> to the user. For details, see [[Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder|Setting ACLs on a Folder]]. |
|||
:* Click the „Advanced“ button and in the window that appears, the „Change permissions“ button. In the next Window, uncheck the „Include inheritable permissions from the object's parent“ option. Close the windows with „OK“ until you are back to the „Security“ tab. |
|||
::[[Image:Include_inheritable_permissions_from_this_objects_parent.png]] |
|||
:* Click the „Edit“ button to modify the filesystem ACLs according to the following: |
|||
== Using POSIX ACLs == |
|||
Administrator: Full Control |
|||
Authenticated Users: Read & Execute, List Folder Contents, Read |
|||
Creator Owner: Full Control |
|||
Domain Admins: Full Control |
|||
System: Full Control |
|||
When you set up the <code>users</code> share using POSIX access control lists (ACL), you must create the home folder for each new user manually. To create the home folder for the <code>demo</code> user: |
|||
::The „Creator Owner“ permissions are automatically limited to „Subfolder and files only“. This is correct. |
|||
* Create the directory: |
|||
::[[Image:FS_ACLs_home_share.png]] |
|||
# mkdir /srv/samba/users/demo/ |
|||
::Close the „Edit“ window with „OK“ and return to the „Security“ tab. |
|||
* Set the following permissions to only enable the <code>demo</code> user to access the directory: |
|||
:* To prevent „Authenticated Users“ accessing other users home folder, click the „Advanced“ button again and in the appearing sub-window the „Change permissions“ button. Select „Authenticated Users“ from the list, click „Edit“ and change the „Apply to“ value to „This folder only“. |
|||
# chown ''user_name'' /srv/samba/users/demo/ |
|||
::[[Image:Apply_to_This_folder_only.png]] |
|||
# chmod 700 /srv/samba/users/demo/ |
|||
* Close all Windows with „OK“ to save the changes. |
|||
= Assigning a Home Folder to a User = |
|||
== In an Active Directory == |
|||
= Define the users home folder in the account settings = |
|||
=== Using <code>Active Directory Users and Computers</code> === |
|||
For these steps, you must have the [[Installing RSAT|Microsoft RSAT (Remote Server Administration Tools) installed]]. |
|||
In an Active Directory, you can use the <code>Active Directory Users and Computers</code> Windows application to set the path to the user home folder and the assigned drive letter. If you are not having the Remote Server Administration Tools (RSAT) installed, see [[Installing RSAT|Installing RSAT]]. |
|||
The account that is used for account creation must have the respective permissions in AD and on the home share (e. g. „Domain Administrator“). |
|||
To assign the <code>\\server\users\demo\</code> path as home folder to the <code>demo</code> account: |
|||
* Open Active Directory Users and Computer (ADUC). |
|||
* Log in to a computer using an account that is enabled to edit user permissions. |
|||
* Edit an existing user account (or create a new one first), by right-clicking and choosing „Properties“ |
|||
* Open the <code>Active Directory Users and Computers</code> application. |
|||
* If you plan to assign a UID in the „Unix Attributes“ tab, then do this first and apply the changes. Then the user folders ACLs would include this UID, too. |
|||
* Navigate to the directory container that contains the <code>demo</code> account. |
|||
* Switch to the „Profile“ tab. Choose a drive letter the home drive should be be connected to, and fill the „To“ field with the path to the users home folder. You can use the variable „%USERNAME%“ instead of the individual username. This is useful, if you modify multiple accounts at once. |
|||
* Right-click to the <code>demo</code> user account and select <code>Properties</code>. |
|||
:[[Image:User_properties_Profiles_tab_home_drive.png]] |
|||
* Select the <code>Profile</code> tab. |
|||
* Close the users properties window with „OK“ to save the modification. The users home directory is created on the fly during the save processes. |
|||
* Select <code>Connect</code>, the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the <code>To</code> field. |
|||
:[[Image:ADUC_Set_Home_Folder.png]]. |
|||
* Click <code>OK</code>. |
|||
If a warning is displayed when saving the settings that the home folder was not created: |
|||
* the permissions on the <code>users</code> share were incorrectly set when you set up the share using Windows access control lists (ACL). To fix the problem, set the permissions described in [[#Using_Windows_ACLs|Using Windows ACLs]]. |
|||
* you set up the share using POSIX ACL. To fix the problem, create the directory manually. See [[#Using_POSIX_ACLs_2|Creating the Home Folder for a New User - Using POSIX ACLs]]. |
|||
= Validate the result = |
|||
== On Windows == |
|||
=== Using a Group Policy Preference === |
|||
If you check the ACLs on the folder on Windows, you can see that the ACLs are applied as configured: |
|||
Using group policy preferences, you can assign settings to organizational units (OU) or the domain. This enables you, for example, to automatically assign home folder paths to each user in this OU or domain, and to dynamically change the settings by moving the user to different OU or domain. In this case, you do not have to assign the settings to each user account individually. |
|||
[[Image:FS_ACLs_on_users_home_folder.png]] |
|||
To create a group policy object (GPO) for the domain that automatically assigns the <code>\\server\users\''user_name''</code> path to each user: |
|||
Only the defined users have permissions. „Authenticated Users“ are not inclueded and can't access the users home folder. |
|||
* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account. |
|||
* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]]. |
|||
* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>. |
|||
== On *nix == |
|||
:[[Image:GPMC_Create_GPO.png]] |
|||
On *nix side, you have to check the entire ACLs with <tt>getfacl</tt>, to see the extended ACLs, too. |
|||
* Enter a name for the GPO, such as <code>Home folders on ''server''</code>. The new GPO is shown below the domain entry. |
|||
Here is the getfacl output of the folder that is shown above in the Windows example, too. |
|||
* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>. |
|||
# getfacl /srv/samba/home/demo1 |
|||
# file: srv/samba/home/demo1 |
|||
# owner: 3000000 |
|||
# group: Domain\040Users |
|||
user::rwx |
|||
user:Administrator:rwx |
|||
user:demo1:rwx <-- This entry only appears, if you had assigned an UID in the „Unix Attributes“ tab before the home was created! |
|||
group::--- |
|||
group:Domain\040Users:--- |
|||
group:3000000:rwx |
|||
group:3000002:rwx |
|||
group:3000008:rwx |
|||
mask::rwx |
|||
other::--- |
|||
default:user::rwx |
|||
default:user:Administrator:rwx |
|||
default:user:demo1:rwx <-- This entry only appears, if you had assigned an UID in the „Unix Attributes“ tab before the home was created! |
|||
default:user:3000000:rwx |
|||
default:group::--- |
|||
default:group:Domain\040Users:--- |
|||
default:group:3000000:rwx |
|||
default:group:3000002:rwx |
|||
default:group:3000008:rwx |
|||
default:mask::rwx |
|||
default:other::--- |
|||
* Navigate to the <code>User Configuration</code> → <code>Preferences</code> → <code>Windows Settings</code> → <code>Drive Maps</code> entry. |
|||
As some of the xIDs are may not be resolved, you can search for them in the local ID mapping database of Samba for them. Example: |
|||
* Right-click to the <code>Drive Maps</code> entry and select <code>New</code> → <code>Mapped Drive</code>. |
|||
# ldbsearch -H /usr/local/samba/private/idmap.ldb xidNumber=3000000 dn |
|||
# record 1 |
|||
dn: CN=S-1-5-32-544 |
|||
# returned 1 records |
|||
# 1 entries |
|||
# 0 referrals |
|||
* Set the following: |
|||
As the xidNumber assignment is individual on each machine, there is no general translation table. But the output of the ldbsearcch command shows that the entry with xidNumber 3000000 is assigned to the DN „S-1-5-32-544“. A list of well known security identifiers is provided by Microsoft: [http://support.microsoft.com/kb/243330/en http://support.microsoft.com/kb/243330/en] |
|||
:* On the <code>General</code> tab: |
|||
::* Action: <code>Create</code> |
|||
::* Location: <code>\\server\users\%LogonUser%</code> |
|||
::: Windows automatically replaces the <code>%LogonUser%</code> variable when a user logs in |
|||
::* Select <code>Reconnect</code> |
|||
::* Label: Enter a string. For example: <code>Home</code> |
|||
::* Use: Select a drive letter the home folder is mapped to. |
|||
:* On the <code>Common</code> tab: |
|||
::* Select <code>Run in logged-on user's security context (user policy option)</code> |
|||
:[[Image:GPME_Home_Drive_Properties.png]] |
|||
* Click <code>OK</code>. |
|||
* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC). |
|||
* Close the <code>Group Policy Management Console</code>. |
|||
The policy is applied to users in the OU or domain, the policy is assigned to, during the next log in. |
|||
=== Using <code>ldbedit</code> on the Domain Controller === |
|||
On a domain controller (DC), for example, to assign the <code>\\server\users\demo</code> path as home folder to the <code>demo</code> account and set the assigned drive letter to <code>H:</code> |
|||
* Edit the <code>demo</code>user account: |
|||
# ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=demo' |
|||
* The accounts attributes are displayed in an editor. Append the following attributes and values to the end of the list: |
|||
homeDrive: H: |
|||
homeDirectory: \\server\users\demo\ |
|||
* Save the changes. |
|||
== In an NT4 Domain == |
|||
In an Samba NT4 domain, to set <code>\\server\users\%U</code> as path to the home folder and to map the drive to the <code>H:</code> drive letter: |
|||
* Add the following parameters to the <code>[global]</code> section in your <code>smb.conf</code> file: |
|||
logon drive = H: |
|||
logon home = \\server\users\%U |
|||
: During logging in to the domain member, Samba automatically replaces the <code>%U</code> variable with the session user name. For further details, see the <code>Variable Substitutions</code> section in the <code>smb.conf(5)</code> man page. |
|||
* Reload Samba: |
|||
# smbcontrol all reload-config |
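Review bot: in the new "Creating the Home Folder for a New User" / "Using POSIX ACLs" steps, the chown line names ''user_name'' while the mkdir and chmod lines and the surrounding text all refer to the demo user and /srv/samba/users/demo/. Use demo in the chown line (or the ''user_name'' placeholder in all three commands) so the commands refer to the same account. Otherwise a reader who copies the steps can end up with a home folder at mode 700 that is owned by a different account than the one it is meant for. Also, "<code>demo</code>user account" under the ldbedit heading is missing a space.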
Revision as of 19:03, 31 January 2017
Introduction
Home folders contain the files of an individual account. Using Samba, you can share the directories to enable network users to store their own files in their home folder on the file server.
This documentation does not use the Samba built-in [homes] section that dynamically shares the user's home directory using the \\server\user_name\ path. While this can be helpful in certain scenarios, it has some disadvantages:
- Windows does not support this feature, and certain settings, such as folder redirection in an Active Directory (AD), require a workaround because you cannot use the official solution.
- You must create each new user's home directory manually.
- The [homes] feature is not supported on a Samba Active Directory (AD) domain controller (DC).
In the following, the directory containing the home folders is shared using the users share name. Each user's home directory is created as a subdirectory on the \\server\users\ share, such as \\server\users\user_name. This is the same format used in a Microsoft Windows environment and requires no additional work to set up.
Using Windows ACLs
Setting extended access control lists (ACL) on the share that hosts home directories enables you to create new users in the Active Directory Users and Computers application without manually creating the user's home folder and setting permissions.
To create the users share on the Samba file server:
- Set up the users share. For details, see Setting up a Share Using Windows ACLs. Set the following permissions:
  - Share permissions:
      Principal             Access
      Authenticated Users   Read & execute
      Domain Admins         Full control
  - File system permissions on the root of the users share:
      Principal             Access           Applies to
      Authenticated Users   Read & execute   This folder only
      CREATOR OWNER         Full control     Subfolders and files only
      Domain Admins         Full control     This folder, subfolders and files
    Additionally, disable the inheritance of permissions from the parent folder by clicking the Disable inheritance button.
These settings enable members of the Domain Admins group to set the user home folder in the Active Directory Users and Computers application, which automatically creates the home folder and sets the correct permissions.
Using POSIX ACLs
When using POSIX access control lists (ACL) to set permissions, you must create the home directory for each new user manually and set permissions.
When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On a Samba DC, only shares using extended ACLs are supported. For further details, see Enable Extended ACL Support in the smb.conf File. To set up the share on a Samba AD DC, see Setting up the Home Folder Share on the Samba File Server - Using Windows ACLs.
To create the users share on the Samba file server:
- Add the following share configuration section to your smb.conf file:
[users]
path = /srv/samba/users/
read only = no
force create mode = 0600
force directory mode = 0700
  Do not use homes as the name of the share. For further details, see Introduction.
- Create the directory and set the correct permissions:
# mkdir -p /srv/samba/users/
# chgrp -R "Domain Users" /srv/samba/users/
# chmod 2750 /srv/samba/users/
- Reload Samba:
# smbcontrol all reload-config
Creating the Home Folder for a New User
Using Windows ACLs
If you are using the Active Directory Users and Computers application, the user's home directory is automatically created and the correct permissions applied when you set the path to the user folder in the application. If you are not using Active Directory Users and Computers, you must create the folder manually and set the correct permissions. For example:
- Log in to a Windows machine using an account that has permissions to create new folders on the \\server\users\ share.
- Navigate to the \\server\users\ share.
- Create a new home folder for the user.
- Add the user to the access control list (ACL) of the folder and grant Full control to the user. For details, see Setting ACLs on a Folder.
Using POSIX ACLs
When you set up the users share using POSIX access control lists (ACL), you must create the home folder for each new user manually. To create the home folder for the demo user:
- Create the directory:
# mkdir /srv/samba/users/demo/
- Set the following permissions to only enable the demo user to access the directory:
# chown user_name /srv/samba/users/demo/
# chmod 700 /srv/samba/users/demo/
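To check the result of the POSIX ACL steps across all existing home folders, the following added example (not part of the Samba documentation) verifies that the share root has mode 2750 and that every home folder has mode 700 and an owner matching the folder name. It assumes GNU stat and that each home folder is named after its owner, as in \\server\users\user_name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Samba documentation.
# Audits a home-folder share that was set up with POSIX ACLs:
#   share root: mode 2750            (chmod 2750 /srv/samba/users/)
#   each home:  mode 700, owned by the user it is named after
# Assumptions: GNU stat (Linux); a winbind "DOMAIN\user" owner is compared
# by the part after the backslash.

# check_root ROOT: print a finding and return 1 if the root's mode is not 2750.
check_root() {
    mode=$(stat -c '%a' "$1") || return 2
    if [ "$mode" != "2750" ]; then
        echo "$1: share root mode is $mode, expected 2750"
        return 1
    fi
    return 0
}

# check_home DIR: print one finding per problem; return 1 if any was found.
check_home() {
    home=$1
    expected=$(basename "$home")
    status=0
    if [ -L "$home" ]; then
        echo "$home: is a symbolic link, not a directory"
        return 1
    fi
    mode=$(stat -c '%a' "$home") || return 2
    owner=$(stat -c '%U' "$home") || return 2
    owner=${owner##*\\}              # strip a "DOMAIN\" prefix if present
    if [ "$mode" != "700" ]; then
        echo "$home: mode is $mode, expected 700"
        status=1
    fi
    if [ "$owner" != "$expected" ]; then
        echo "$home: owned by $owner, expected $expected"
        status=1
    fi
    return $status
}

# audit_homes ROOT: check the root and every entry below it;
# return 1 if anything deviates from the documented permissions.
audit_homes() {
    root=${1%/}
    result=0
    check_root "$root" || result=1
    for entry in "$root"/*; do
        [ -d "$entry" ] || [ -L "$entry" ] || continue   # skip files, empty share
        check_home "$entry" || result=1
    done
    return $result
}

# When called with a path, audit it, for example:
#   sh audit_homes.sh /srv/samba/users
if [ $# -gt 0 ]; then
    audit_homes "$1"
fi
```

Run it as root on the file server; every printed line is a home folder or share root whose mode or owner differs from the values set in the steps above.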
Assigning a Home Folder to a User
In an Active Directory
Using Active Directory Users and Computers
In an Active Directory, you can use the Active Directory Users and Computers Windows application to set the path to the user home folder and the assigned drive letter. If you do not have the Remote Server Administration Tools (RSAT) installed, see Installing RSAT.
To assign the \\server\users\demo\ path as home folder to the demo account:
- Log in to a computer using an account that is enabled to edit user permissions.
- Open the Active Directory Users and Computers application.
- Navigate to the directory container that contains the demo account.
- Right-click the demo user account and select Properties.
- Select the Profile tab.
- Select Connect, the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the To field.
- Click OK.
If a warning is displayed when saving the settings that the home folder was not created:
- the permissions on the users share were incorrectly set when you set up the share using Windows access control lists (ACL). To fix the problem, set the permissions described in Using Windows ACLs.
- you set up the share using POSIX ACLs. To fix the problem, create the directory manually. See Creating the Home Folder for a New User - Using POSIX ACLs.
Using a Group Policy Preference
Using group policy preferences, you can assign settings to organizational units (OU) or the domain. This enables you, for example, to automatically assign home folder paths to each user in this OU or domain, and to dynamically change the settings by moving the user to a different OU or domain. In this case, you do not have to assign the settings to each user account individually.
To create a group policy object (GPO) for the domain that automatically assigns the \\server\users\user_name path to each user:
- Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
- Open the Group Policy Management Console. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click your AD domain and select Create a GPO in this domain, and Link it here.
- Enter a name for the GPO, such as Home folders on server. The new GPO is shown below the domain entry.
- Right-click the newly created GPO and select Edit to open the Group Policy Management Editor.
- Navigate to the User Configuration → Preferences → Windows Settings → Drive Maps entry.
- Right-click the Drive Maps entry and select New → Mapped Drive.
- Set the following:
  - On the General tab:
    - Action: Create
    - Location: \\server\users\%LogonUser%
      Windows automatically replaces the %LogonUser% variable when a user logs in.
    - Select Reconnect
    - Label: Enter a string. For example: Home
    - Use: Select a drive letter the home folder is mapped to.
  - On the Common tab:
    - Select Run in logged-on user's security context (user policy option)
- Click OK.
- Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
- Close the Group Policy Management Console.
The policy is applied to the users in the OU or domain that the policy is assigned to during their next login.
Using ldbedit on the Domain Controller
On a domain controller (DC), for example, to assign the \\server\users\demo path as home folder to the demo account and set the assigned drive letter to H:
- Edit the demo user account:
# ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=demo'
- The account's attributes are displayed in an editor. Append the following attributes and values to the end of the list:
homeDrive: H:
homeDirectory: \\server\users\demo\
- Save the changes.
In an NT4 Domain
In a Samba NT4 domain, to set \\server\users\%U as path to the home folder and to map the drive to the H: drive letter:
- Add the following parameters to the [global] section in your smb.conf file:
logon drive = H:
logon home = \\server\users\%U
  When a user logs in to the domain member, Samba automatically replaces the %U variable with the session user name. For further details, see the Variable Substitutions section in the smb.conf(5) man page.
- Reload Samba:
# smbcontrol all reload-config