Difference between revisions of "User Home Folders"

m (On *nix)
m (/* minor update)
 
(28 intermediate revisions by 5 users not shown)
= Introduction =
 
= Introduction =
  
In a professional environment, you setup the permissions on the share containing the user homes, in a way that allows the automatic creation for new accounts without setting ACL's manually.
+
Home folders contain files of an individual account. Using Samba, you can share the directories to enable network users to store own files on their home folder on the file server.
  
= Preparatory work =
+
This documentation does not use the Samba built-in <code>[homes]</code> section that dynamically shares the user's home directory using the <code>\\server\''user_name''\</code> path. While this can be helpful in certain scenarios, it has some disadvantages:
 +
* Windows does not support this feature, and certain settings, such as folder redirection in an Active Directory (AD), require a workaround instead and you cannot use the official solution.
 +
* You must create each new user's home directory manually.
 +
* The <code>[homes]</code> feature is not supported running on a Samba Active Directory (AD) domain controller (DC).
  
Before continuing, make sure that you have read the [[Setup_and_configure_file_shares_with_Windows_ACLs|Setup and configure file shares]] HowTo and have complied with the [[Setup_and_configure_file_shares_with_Windows_ACLs#Preparatory_work|preconditions]].
+
In the following, the directory containing the home folders are shared using the <code>users</code> share name. Each user's home directory is created as a subdirectory on the <code>\\server\users\</code> share, such as, <code>\\server\users\''user_name''</code>. This is the same format used in a Microsoft Windows environment and requires no additional work to set up.
  
= Adding the share =
 
  
* Add the new share to your <tt>smb.conf</tt>
 
  
  [home]
 
          path = /srv/samba/home/
 
          read only = No
 
  
:Don't name the share „[homes]“, as this is a special section (see the smb.conf manpage)! The „[homes] section can't handle the automatic folder creation we will setup below!
 
  
* Create the folder that will contain the home directories. The permissions will be set later.
+
= Setting up the Share on the Samba File Server =
  
  # mkdir /srv/samba/home/
+
== Using Windows ACLs ==
  
* Reload Samba, to make the changes effective
+
Setting extended access control lists (ACL) on the share that hosts home directories enables you to create new users in the <code>Active Directory Users and Computers</code> application without manually creating the user's home folder and setting permissions.
  
  # smbcontrol all reload-config
+
To create a share, for example, <code>users</code> for hosting the user home folders on a Samba file server:
  
= Setting up the share and filesystem permissions =
+
* Create a new share. For details, see [[Setting up a Share Using Windows ACLs]]. Set the following permissions:
  
The following steps can be performed on any Windows client.
+
:* Share permissions:
 +
::{| class="wikitable"
 +
!Principal
 +
!Access
 +
|-
 +
|Domain Users
 +
|Change
 +
|-
 +
|Domain Admins
 +
|Full Control
 +
|}
  
Note: If you have the requirement that your users also need to access their home folder locally on the server, you will have to add a group that contains these user accounts. Add this group in all the steps below and set the permissions to exactly the same as „Authenticated users“. Of course this group must be available locally through Winbindd, sssd, nslcd, or other. This is required because if the user logs in locally on the server, there is no „Authenticated User“!
+
:* File system permissions on the root of the <code>users</code> share:
  
* Log on to a Windows machine using an account, or a member of a group, the „SeDiskOperatorPrivilege“ was granted to.
+
::{| class="wikitable"
 +
!Principal
 +
!Access
 +
!Applies to
 +
|-
 +
|Domain Users*
 +
|Read & execute
 +
|This folder only
 +
|-
 +
|CREATOR OWNER
 +
|Full control
 +
|Subfolders and files only
 +
|-
 +
|Domain Admins
 +
|Full control
 +
|This folder, subfolders and files
 +
|}
  
* Open the Start Menu and search for „Computer Management“.  
+
::<nowiki>*</nowiki> You can alternatively set other groups, to enable the group members to store their user profile on the share. When using different groups, apply the permissions as displayed for <code>Domain Users</code> in the previous example.
  
* In the menu bar, go to „Action“ / „Connect to another computer“.  
+
:: Verify that permission inheritance is disabled on the root of the share. If any permission entry in the <code>Advanced Security Settings</code> window displays a path in the <code>Inherited from</code> column, click the <code>Disable inheritance</code> button. On Windows 7, unselect the <code>Include inheritable permissions from this object's parent</code> check box to set the same setting.
  
* Enter the name of your Samba server you have created the new share on.  
+
::[[Image:Home_Folder_File_System_ACLs.png]]
  
* Navigate to „System Tools“ / „Shared Folders“ / „Shares“ and select the newly added share.  
+
:: On a Samba share, you can omit the <code>SYSTEM</code> account in the file system ACLs. For details, see [[The SYSTEM Account]].
  
:[[Image:Computer_Management_Shares_home.png]]
+
These settings enable members of the <code>Domain Admins</code> group to set the user home folder in the <code>Active Directory Users and Computers</code> application, that automatically creates the home folder and sets the correct permissions.
  
* Right-click to the share name and choose „Properties“ .
 
  
* Go to the „Share Permissions“ tab.
 
  
* Change the share permissions to:
+
== Using POSIX ACLs ==
  Authenticated Users: Full Control
 
  Domain Admins:      Full Control
 
  System:              Full Control
 
  
:If you have the requirement that your users also need access their home folder locally on the server, additionally add a group that contains these user accounts. Because if the user logs in locally on the server, there is no „Authenticated User“! The permissions for this additional group have to be the same as „Authenticated users“
+
Instead of using Windows access control lists (ACL), you can set up a share using POSIX ACLs on your Samba server. However, when using POSIX ACL to set permissions, you must create the home directory for each new user manually and set permissions.
  
:[[Image:home_share_permissions.png]]
+
{{Imbox
 +
| type = note
 +
| text = When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On an Samba DC, only shares using extended ACLs are supported. For further details, see [[Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File|Enable Extended ACL Support in the smb.conf File]]. To set up the share on a Samba AD DC, see [[#Using_Windows_ACLs|Setting up the Home Folder Share on the Samba File Server - Using Windows ACLs]].
 +
}}
  
:If this fails with a „permission denied“ error, recheck if you are using an account with [[Setup_and_configure_file_shares_with_Windows_ACLs#SeDiskOperatorPrivilege|SeDiskOperatorPrivilege privileges]]!
+
For example, to create the <code>users</code> share:  
  
* Next go to the „Security“ tab.
+
* Add the following share configuration section to your <code>smb.conf</code> file:
  
:* '''Note:''' File and folder security descriptors are affected by Samba's [https://bugzilla.samba.org/show_bug.cgi?id=10560#c8 ACL mapping behaviour].
+
  [users]
 +
          path = /srv/samba/users/
 +
          read only = no
 +
          force create mode = 0600
 +
          force directory mode = 0700
  
:* Click the „Advanced“ button and in the window that appears, the „Change permissions“ button. In the next Window, uncheck the „Include inheritable permissions from the object's parent“ option. Close the windows with „OK“ until you are back to the „Security“ tab.
+
: For details about the parameters used, see the descriptions in the smb.conf(5) man page.
  
::[[Image:Include_inheritable_permissions_from_this_objects_parent.png]]
+
: Do not use <code>homes</code> as name of the share. For further details, see [[#Introduction|Introduction]].
  
:* Click the „Edit“ button to modify the filesystem ACLs according to the following:
+
* Create the directory and set the correct permissions:
  
      Administrator:      Full Control
+
# mkdir -p /srv/samba/users/
      Authenticated Users: Read & Execute, List Folder Contents, Read
+
# chgrp -R "''Domain Users''" /srv/samba/users/
      Creator Owner:      Full Control
+
# chmod 2750 /srv/samba/users/
      Domain Admins:      Full Control
 
      System:              Full Control
 
  
::The „Creator Owner“ permissions are automatically limited to „Subfolder and files only“. This is correct.
+
: In a domain, the <code>Domain Users</code> group is a group, all domain user accounts are member of. Alternatively, or if you are running a non-domain environment, you can set it to any group that exists locally. However, user accounts must be member of this group to access the share.
  
::[[Image:FS_ACLs_home_share.png]]
+
* Reload Samba:
  
::Close the „Edit“ window with „OK“ and return to the „Security“ tab.
+
# smbcontrol all reload-config
  
:* To prevent „Authenticated Users“ accessing other users home folder, click the „Advanced“ button again and in the appearing sub-window the „Change permissions“ button. Select „Authenticated Users“ from the list, click „Edit“ and change the „Apply to“ value to „This folder only“.
 
  
::[[Image:Apply_to_This_folder_only.png]]
 
  
* Close all Windows with „OK“ to save the changes.
 
  
= Define the users home folder in the account settings =
 
  
For these steps, you must have the [[Installing_RSAT_on_Windows_for_AD_Management|Microsoft RSAT (Remote Server Administration Tools) installed]].
+
= Creating the Home Folder for a New User =
  
The account that is used for account creation must have the respective permissions in AD and on the home share (e. g. „Domain Administrator“).
+
== Using Windows ACLs ==
  
* Open Active Directory Users and Computer (ADUC).
+
If you are using the <code>Active Directory Users and Computers</code> application, the user's home directory is automatically created and the correct permissions applied when you set the path to the user folder in the application.
  
* Edit an existing user account (or create a new one first), by right-clicking and choosing „Properties“
+
{{Imbox
 +
| type = note
 +
| text = The above only applies to user home directories stored on a a Windows machine, <code>Active Directory Users and Computers</code> cannot create user home directories stored on a Unix machine.
 +
}}
  
* If you plan to assign a UID in the „Unix Attributes“ tab, then do this first and apply the changes. Then the user folders ACLs would include this UID, too.
 
  
* Switch to the „Profile“ tab. Choose a drive letter the home drive should be be connected to, and fill the „To“ field with the path to the users home folder. You can use the variable „%USERNAME%“ instead of the individual username. This is useful, if you modify multiple accounts at once.
+
If you are not using <code>Active Directory Users and Computers</code>, you must create the folder manually and set the correct permissions. For example:
  
:[[Image:User_properties_Profiles_tab_home_drive.png]]
+
* Log in to a Windows machine using an account that has permissions to create new folders on the <code>\\server\users\</code> share.
  
* Close the users properties window with „OK“ to save the modification. The users home directory is created on the fly during the save processes.
+
* Navigate to the <code>\\server\users\</code> share.
  
 +
* Create a new home folder for the user.
  
 +
* Add the user to the access control list (ACL) of the folder and grant <code>Full control</code> to the user. For details, see [[Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder|Setting ACLs on a Folder]].
  
  
  
= Validate the result =
+
== Using POSIX ACLs ==
  
== On Windows ==
+
When you set up the <code>users</code> share using POSIX access control lists (ACL), you must create the home folder for each new user manually. To create the home folder for the <code>demo</code> user:
  
If you check the ACLs on the folder on Windows, you can see that the ACLs are applied as configured:  
+
* Create the directory:
  
[[Image:FS_ACLs_on_users_home_folder.png]]
+
# mkdir /srv/samba/users/demo/
  
Only the defined users have permissions. „Authenticated Users“ are not inclueded and can't access the users home folder.
+
* Set the following permissions to only enable the <code>demo</code> user to access the directory:
  
 +
# chown ''user_name'' /srv/samba/users/demo/
 +
# chmod 700 /srv/samba/users/demo/
  
  
== On *nix ==
 
  
On *nix side, you have to check the entire ACLs with <tt>getfacl</tt>, to see the extended ACLs, too.
 
  
Here is the getfacl output of the folder that is shown above in the Windows example, too.
 
  
# getfacl /srv/samba/home/demo1
+
= Assigning a Home Folder to a User =
 
# file: srv/samba/home/demo1
 
# owner: 3000000
 
# group: Domain\040Users
 
user::rwx
 
user:Administrator:rwx
 
user:demo1:rwx                  <-- This entry only appears, if you had assigned a UID in the „Unix Attributes“ tab before the home was created!
 
group::---
 
group:Domain\040Users:---
 
group:3000000:rwx
 
group:3000002:rwx
 
group:3000008:rwx
 
mask::rwx
 
other::---
 
default:user::rwx
 
default:user:Administrator:rwx
 
default:user:demo1:rwx          <-- This entry only appears, if you had assigned a UID in the „Unix Attributes“ tab before the home was created!
 
default:user:3000000:rwx
 
default:group::---
 
default:group:Domain\040Users:---
 
default:group:3000000:rwx
 
default:group:3000002:rwx
 
default:group:3000008:rwx
 
default:mask::rwx
 
default:other::---
 
  
As some of the xIDs are may not be resolved, you can search for them in the local ID mapping database of Samba for them. Example:
+
== In an Active Directory ==
  
# ldbsearch -H /usr/local/samba/private/idmap.ldb xidNumber=3000000 dn
+
=== Using <code>Active Directory Users and Computers</code> ===
# record 1
 
dn: CN=S-1-5-32-544
 
 
# returned 1 records
 
# 1 entries
 
# 0 referrals
 
  
As the xidNumber assignment is individual on each machine, there is no general translation table. But the output of the ldbsearcch command shows that the entry with xidNumber 3000000 is assigned to the DN „S-1-5-32-544“. A list of well known security identifiers is provided by Microsoft: [http://support.microsoft.com/kb/243330/en http://support.microsoft.com/kb/243330/en]
+
In an Active Directory, you can use the <code>Active Directory Users and Computers</code> Windows application to set the path to the user home folder and the assigned drive letter. If you do not have the Remote Server Administration Tools (RSAT) installed, see [[Installing RSAT|Installing RSAT]].
 +
 
 +
To assign the <code>\\server\users\demo\</code> path as home folder to the <code>demo</code> account:
 +
 
 +
* Log in to a computer using an account that is able to edit user accounts.
 +
 
 +
* Open the <code>Active Directory Users and Computers</code> application.
 +
 
 +
* Navigate to the directory container that contains the <code>demo</code> account.
 +
 
 +
* Right-click to the <code>demo</code> user account and select <code>Properties</code>.
 +
 
 +
* Select the <code>Profile</code> tab.
 +
 
 +
* Select <code>Connect</code>, the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the <code>To</code> field.
 +
 
 +
:[[Image:ADUC_Set_Home_Folder.png]].
 +
 
 +
* Click <code>OK</code>.
 +
 
 +
If a warning is displayed when saving the settings that the home folder was not created:
 +
* the permissions on the <code>users</code> share were incorrectly set when you set up the share using Windows access control lists (ACL). To fix the problem, set the permissions described in [[#Using_Windows_ACLs|Using Windows ACLs]].
 +
* you set up the share using POSIX ACL. To fix the problem, create the directory manually. See [[#Using_POSIX_ACLs_2|Creating the Home Folder for a New User - Using POSIX ACLs]].
 +
 
 +
 
 +
 
 +
=== Using a Group Policy Preference ===
 +
 
 +
Using group policy preferences, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically assign home folder paths to all users in the OU or domain. If you move the account to a different OU or domain, the setting is removed or updated. Using this way, you do not have to assign manually the setting to each user account.
 +
 
 +
To create a group policy object (GPO) for the domain that automatically assigns the <code>\\server\users\''user_name''</code> path as home folder to each user:
 +
 
 +
* Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain <code>Administrator</code> account.
 +
 
 +
* Open the <code>Group Policy Management Console</code>. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].
 +
 
 +
* Right-click to your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.
 +
 
 +
:[[Image:GPMC_Create_GPO.png]]
 +
 
 +
* Enter a name for the GPO, such as <code>Home folders on ''server''</code>. The new GPO is shown below the domain entry.
 +
 
 +
* Right-click to the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.
 +
 
 +
* Navigate to the <code>User Configuration</code> &rarr; <code>Preferences</code> &rarr; <code>Windows Settings</code> &rarr; <code>Drive Maps</code> entry.
 +
 
 +
* Right-click to the <code>Drive Maps</code> entry and select <code>New</code> &rarr; <code>Mapped Drive</code>.
 +
 
 +
* Set the following:
 +
:* On the <code>General</code> tab:
 +
::* Action: <code>Create</code>
 +
::* Location: <code>\\server\users\%LogonUser%</code>
 +
::: Windows automatically replaces the <code>%LogonUser%</code> variable when a user logs in
 +
::* Select <code>Reconnect</code>
 +
::* Label: Enter a string. For example: <code>Home</code>
 +
::* Use: Select a drive letter the home folder is mapped to.
 +
:* On the <code>Common</code> tab:
 +
::* Select <code>Run in logged-on user's security context (user policy option)</code>
 +
 
 +
:[[Image:GPME_Home_Drive_Properties.png]]
 +
 
 +
:* Click <code>OK</code>.
 +
 
 +
* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).
 +
 
 +
* Close the <code>Group Policy Management Console</code>.
 +
 
 +
The policy is applied to users in the OU or domain, the policy is assigned to, during the next log in.
 +
 
 +
 
 +
 
 +
=== Using <code>ldbedit</code> on a Domain Controller ===
 +
 
 +
On a domain controller (DC), for example, to assign the <code>\\server\users\demo</code> path as home folder to the <code>demo</code> account and set the assigned drive letter to <code>H:</code>
 +
 
 +
* Edit the <code>demo</code>user account:
 +
 
 +
# ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=demo'
 +
 
 +
* The accounts attributes are displayed in an editor. Append the following attributes and values to the end of the list:
 +
 
 +
homeDrive: H:
 +
homeDirectory: \\server\users\demo\
 +
 
 +
* Save the changes.
 +
 
 +
The setting is applied the next time the user logs in.
 +
 
 +
 
 +
 
 +
== In an NT4 Domain ==
 +
 
 +
In an Samba NT4 domain, to set <code>\\server\users\%U</code> as path to the home folder and to map the drive to the <code>H:</code> drive letter:
 +
 
 +
* Add the following parameters to the <code>[global]</code> section in your <code>smb.conf</code> file:
 +
 
 +
logon drive = H:
 +
logon home = \\server\users\%U
 +
 
 +
: During logging in to the domain member, Samba automatically replaces the <code>%U</code> variable with the session user name. For further details, see the <code>Variable Substitutions</code> section in the <code>smb.conf(5)</code> man page.
 +
 
 +
* Reload Samba:
 +
 
 +
# smbcontrol all reload-config
 +
 
 +
 
 +
 
 +
== In a Non-domain Environment ==
 +
 
 +
=== Using a Windows Professional or Higher Edition ===
 +
 
 +
If your Samba server and clients are not part of a domain, set the user home folder mapping in the local user account's properties:
 +
 
 +
* Log on to the Windows machine using an account that is member of the local <code>Administrators</code> group.
 +
 
 +
* Open the <code>lusrmgr.msc</code> (Local User and Groups) application.
 +
: The <code>lusrmgr.msc</code> application is not available in Windows Home editions.
 +
 
 +
* Click <code>Users</code> in the navigation on the left side.
 +
 
 +
* Right-click the account you want to assign a home folder to, and select <code>Properties</code>
 +
 
 +
* Navigate to the <code>Profile</code> tab.
 +
 
 +
* Select <code>Connect</code>, the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the <code>To</code> field.
 +
 
 +
* Click <code>OK</code>.
 +
 
 +
You must set the mapping for each user on every Windows client manually.
 +
 
 +
 
 +
 
 +
=== Using Windows Home Edition ===
 +
 
 +
Windows Home editions do not provide the necessary application to set the user home folder mapping in the local account properties. Instead each user must map the drive manually:
 +
 
 +
* Log on to the Windows machine as the user that should get the home folder mapped
 +
 
 +
* Open a command prompt.
 +
 
 +
* For example, to map the <code>\\server\users\demo\</code> folder to the <code>H:</code> drive letter, enter:
 +
 
 +
> net use H: \\server\users\demo\ /persistent:yes
 +
 
 +
The user home folder is automatically connected when the user logs in. To stop the automatic mapping, disconnect the drive. For example:
 +
 
 +
> net use H: /delete
 +
 
 +
 
 +
 
 +
 
 +
 
 +
----
 +
[[Category:Active Directory]]
 +
[[Category:Domain Members]]
 +
[[Category:File Serving]]
 +
[[Category:NT4 Domains]]
 +
[[Category:Standalone Server]]
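Review bot: in the added POSIX steps, the chown line (`# chown ''user_name'' /srv/samba/users/demo/`) still carries the user_name placeholder although the directory created two lines above is for demo; make it `chown demo` so the example is consistent. Two further points: the revision drops the old "Validate the result" section (getfacl on the home folder and ldbsearch against idmap.ldb for unresolved xids) without a replacement, so readers lose the only server-side check that the ACLs came out as intended; and the added note that Active Directory Users and Computers cannot create user home directories stored on a Unix machine contradicts the retained statements, in the Windows ACLs section and under Creating the Home Folder, that setting the path in that application automatically creates the home folder. State which holds, or under which conditions each applies.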

Latest revision as of 15:25, 9 March 2020

Introduction

A home folder holds the files of one account. Using Samba, you can share these directories so that network users store their own files in their home folder on the file server.

This documentation does not use the Samba built-in [homes] section that dynamically shares the user's home directory using the \\server\user_name\ path. While this can be helpful in certain scenarios, it has some disadvantages:

  • Windows has no equivalent of this feature, so certain settings, such as folder redirection in an Active Directory (AD), require a workaround instead of the documented Windows procedure.
  • You must create each new user's home directory manually.
  • The [homes] section is not supported on a Samba Active Directory (AD) domain controller (DC).

In the following, the directory containing the home folders is shared under the users share name. Each user's home directory is a subdirectory of the \\server\users\ share, for example \\server\users\user_name. This is the same layout used in a Microsoft Windows environment and requires no additional work to set up.



Setting up the Share on the Samba File Server

Using Windows ACLs

Setting extended access control lists (ACL) on the share that hosts the home directories lets you create new users in the Active Directory Users and Computers application without creating the user's home folder and setting its permissions by hand.

To create a share, for example users, that hosts the user home folders on a Samba file server:

  • Create a new share. For details, see Setting up a Share Using Windows ACLs. Set the following permissions:
    • Share permissions:

        Principal       Access
        Domain Users    Change
        Domain Admins   Full Control

    • File system permissions on the root of the users share:

        Principal       Access           Applies to
        Domain Users*   Read & execute   This folder only
        CREATOR OWNER   Full control     Subfolders and files only
        Domain Admins   Full control     This folder, subfolders and files

    * You can alternatively use other groups, to enable their members to store their home folder on the share. When using different groups, apply the permissions displayed for Domain Users in the table above.
    Limiting Domain Users to This folder only is what lets every user reach the share root while keeping them out of each other's home folders; CREATOR OWNER gives whoever creates a subfolder or file full control over that item, and over nothing else.
    Verify that permission inheritance is disabled on the root of the share. If any permission entry in the Advanced Security Settings window displays a path in the Inherited from column, click the Disable inheritance button. On Windows 7, clear the Include inheritable permissions from this object's parent check box to achieve the same.
Home Folder File System ACLs.png
On a Samba share, you can omit the SYSTEM account in the file system ACLs. For details, see The SYSTEM Account.

With these settings, members of the Domain Admins group can set a user's home folder in the Active Directory Users and Computers application, which then creates the home folder and sets the correct permissions automatically.


Using POSIX ACLs

Instead of Windows access control lists (ACL), you can set up the share using POSIX ACLs on your Samba server. However, with POSIX ACLs you must create the home directory for each new user manually and set its permissions.

Note: When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs; on a Samba DC, only shares using extended ACLs are supported. For further details, see Enable Extended ACL Support in the smb.conf File. To set up the share on a Samba AD DC, use the Windows ACLs procedure above.

For example, to create the users share:

  • Add the following share configuration section to your smb.conf file:
 [users]
         path = /srv/samba/users/
         read only = no
         force create mode = 0600
         force directory mode = 0700
For details about the parameters used, see the descriptions in the smb.conf(5) man page.
Do not use homes as name of the share. For further details, see Introduction.
  • Create the directory and set the correct permissions:
# mkdir -p /srv/samba/users/
# chgrp -R "Domain Users" /srv/samba/users/
# chmod 2750 /srv/samba/users/
In a domain, every domain user account is a member of the Domain Users group. Alternatively, or in a non-domain environment, you can use any group that exists locally; user accounts must be members of that group to access the share, and the group must be resolvable on the file server (for example through winbindd).
  • Reload Samba:
# smbcontrol all reload-config



Creating the Home Folder for a New User

Using Windows ACLs

If you are using the Active Directory Users and Computers application, the user's home directory is created and the correct permissions are applied automatically when you set the path to the user folder in the application.

Note: Automatic creation by Active Directory Users and Computers is designed for home directories on a Windows file server. On a Samba (Unix) file server it can fail; the application then warns that the home folder was not created, and you must create the folder manually as described next.

If you are not using Active Directory Users and Computers, you must create the folder manually and set the correct permissions. For example:

  • Log in to a Windows machine using an account that has permissions to create new folders on the \\server\users\ share.
  • Navigate to the \\server\users\ share.
  • Create a new home folder for the user.
  • Add the user to the access control list (ACL) of the folder and grant Full control to the user. For details, see Setting ACLs on a Folder.
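Whichever method created a home folder, the check a practitioner wants afterwards is that nobody except the owner and the intended administrators can enter it. The following is an added example, not code from the Samba wiki: audit_home_acl reads getfacl(1) output for one home folder and prints every entry that still grants access to anyone else, and audit_home_tree runs it over every folder below a share root. Both sample ACLs are constructed for this example; the first is modelled on the getfacl output shown in an earlier revision of this page (owner demo, Administrator and one unresolved ID 3000000 with full access), the second shows a folder that the share group can traverse. Unresolved numeric IDs such as 3000000 are Samba xids; the earlier revision of this page resolves them with ldbsearch against idmap.ldb.

```sh
#!/bin/sh
# Added example, not from the Samba wiki: audit a home folder's ACL as
# printed by getfacl(1). audit_home_acl prints every entry that grants
# access to anyone except the owner and the principals passed as arguments;
# an empty result means the folder is private as intended.
set -eu

audit_home_acl() {
    # $@: principals that are allowed besides the owner, e.g. Administrator.
    # Passed through the environment, not -v, so names containing backslash
    # escapes such as "Domain\040Admins" reach awk unchanged.
    ALLOWED=" $* " awk -F: '
        /^# owner:/ { owner = $2;  sub(/^ /, "", owner);  next }
        /^# group:/ { ogroup = $2; sub(/^ /, "", ogroup); next }
        /^#/ || /^$/ { next }
        {
            scope = "access"
            if ($1 == "default") { scope = "default"; $0 = substr($0, 9) }  # re-splits on ":"
            tag = $1; name = $2; perm = $3
            if (tag == "mask") next                   # caps the named entries, grants nothing itself
            if (tag == "user" && name == "") next     # the owner
            if (tag == "user" && name == owner) next  # the owner, listed by name
            if (tag == "group" && name == "") { tag = "group(owning)"; name = ogroup }
            if (perm == "---") next                   # grants nothing
            if (tag != "other" && index(ENVIRON["ALLOWED"], " " name " ") > 0) next
            printf "%s %s:%s:%s\n", scope, tag, name, perm
        }'
}

# Audit every home folder below a share root on the server (needs getfacl).
audit_home_tree() {
    local root="$1" home; shift
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        getfacl -p "${home%/}" | audit_home_acl "$@" | sed "s|^|${home%/}: |"
    done
}

# Constructed sample, modelled on the getfacl output shown in an earlier
# revision of this page: owner demo, Administrator and the unresolved xid
# 3000000 have full access, the owning group Domain Users has none.
sample_acl_ok() {
    cat <<'EOF'
# file: srv/samba/users/demo
# owner: demo
# group: Domain\040Users
user::rwx
user:Administrator:rwx
group::---
group:Domain\040Users:---
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:group::---
default:group:Domain\040Users:---
default:group:3000000:rwx
default:mask::rwx
default:other::---
EOF
}

# Constructed sample of a misconfigured home: every member of Domain Users
# can list and enter it.
sample_acl_leaky() {
    cat <<'EOF'
# file: srv/samba/users/demo
# owner: demo
# group: Domain\040Users
user::rwx
group::r-x
group:Domain\040Users:r-x
mask::r-x
other::---
EOF
}
```

On the file server, run `getfacl -p /srv/samba/users/demo | audit_home_acl Administrator` (or `audit_home_tree /srv/samba/users Administrator` for all homes); an empty result means only the owner and the listed principals have access. The mask entry is skipped because it only caps the named entries, so the audit is conservative: it may report an entry whose effective permissions the mask already reduces. Unresolved IDs that it reports, such as 3000000 in the sample, should be looked up in idmap.ldb before they are added to the allowed list.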


Using POSIX ACLs

When you set up the users share using POSIX access control lists (ACL), you must create the home folder for each new user manually. To create the home folder for the demo user:

  • Create the directory:
# mkdir /srv/samba/users/demo/
  • Set the owner and the permissions so that only the demo user can access the directory:
# chown demo /srv/samba/users/demo/
# chmod 700 /srv/samba/users/demo/



Assigning a Home Folder to a User

In an Active Directory

Using Active Directory Users and Computers

In an Active Directory, you can use the Active Directory Users and Computers Windows application to set the path to the user home folder and the assigned drive letter. If you do not have the Remote Server Administration Tools (RSAT) installed, see Installing RSAT.

To assign the \\server\users\demo\ path as home folder to the demo account:

  • Log in to a computer using an account that is able to edit user accounts.
  • Open the Active Directory Users and Computers application.
  • Navigate to the directory container that contains the demo account.
  • Right-click the demo user account and select Properties.
  • Select the Profile tab.
  • Select Connect, choose the drive letter Windows maps the home folder to, and enter the path to the home folder in the To field.
ADUC Set Home Folder.png
  • Click OK.

If a warning is displayed when saving the settings that the home folder was not created, one of the following applies:

  • The permissions on the users share were set incorrectly when you set up the share using Windows access control lists (ACL). To fix the problem, set the permissions described in Using Windows ACLs.
  • You set up the share using POSIX ACLs. In this case, create the directory manually. See Creating the Home Folder for a New User - Using POSIX ACLs.

Using a Group Policy Preference

Using group policy preferences, you can assign settings to organizational units (OU) or to a domain. This lets you, for example, assign home folder paths to all users in the OU or domain automatically. If you move an account to a different OU or domain, the setting is removed or updated. This way, you do not have to set the mapping on each user account manually.

To create a group policy object (GPO) for the domain that automatically assigns the \\server\users\user_name path as home folder to each user:

  • Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
  • Right-click your AD domain and select Create a GPO in this domain, and Link it here.
GPMC Create GPO.png
  • Enter a name for the GPO, such as Home folders on server. The new GPO is shown below the domain entry.
  • Right-click the newly created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to User Configuration → Preferences → Windows Settings → Drive Maps.
  • Right-click Drive Maps and select New → Mapped Drive.
  • Set the following:
    • On the General tab:
      • Action: Create
      • Location: \\server\users\%LogonUser%
        Windows replaces the %LogonUser% variable with the name of the user logging in.
      • Select Reconnect
      • Label: Enter a string. For example: Home
      • Use: Select a drive letter the home folder is mapped to.
    • On the Common tab:
      • Select Run in logged-on user's security context (user policy option), so that the drive is mapped with the user's own credentials.
GPME Home Drive Properties.png
  • Click OK.
  • Close the Group Policy Management Editor. The GPO is saved automatically to the Sysvol share on the domain controller (DC).
  • Close the Group Policy Management Console.

The policy is applied to the users in the OU or domain it is linked to at their next logon.


Using ldbedit on a Domain Controller

On a domain controller (DC), for example, to assign the \\server\users\demo path as home folder to the demo account and map it to the H: drive letter:

  • Edit the demo user account:
# ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=demo'
  • The account's attributes are displayed in an editor. Append the following attributes and values to the end of the list:
homeDrive: H:
homeDirectory: \\server\users\demo\
  • Save the changes.

The setting is applied the next time the user logs in.
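The ldbedit step above is interactive. As an added example, not code from the Samba wiki, the following script does the same from the command line with Samba's ldbsearch and ldbmodify tools, which makes it usable for many accounts in a loop. The sam.ldb path is the one this page uses (override SAM_DB if yours differs), the DN in the usage below is a placeholder, and ldbmodify is assumed to read the LDIF record from standard input. The account name is validated before it is placed into the LDAP filter so that an input such as demo)(objectClass=* cannot widen the search to other accounts.

```sh
#!/bin/sh
# Added example, not from the Samba wiki: set homeDrive/homeDirectory on an
# AD account from a script on the DC, instead of editing it interactively
# with ldbedit as the page does. Uses ldbsearch to find the DN and ldbmodify
# to apply an LDIF "changetype: modify" record (assumed to be read from
# standard input). Override SAM_DB if your sam.ldb lives elsewhere.
set -eu

SAM_DB="${SAM_DB:-/usr/local/samba/private/sam.ldb}"

# Accept "h", "H" or "H:" and print the "H:" form that homeDrive stores.
normalize_drive() {
    case "$1" in
        [A-Za-z])  d="$1:" ;;
        [A-Za-z]:) d="$1" ;;
        *) echo "invalid drive letter: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$d" | tr '[:lower:]' '[:upper:]'
}

# homeDirectory must be a UNC path (\\server\share\...); AD accepts any
# string, but a client cannot map anything else.
check_unc_path() {
    case "$1" in
        \\\\*\\*) return 0 ;;
        *) echo "not a UNC path: $1" >&2; return 1 ;;
    esac
}

# Only allow characters that cannot alter an LDAP filter (no parentheses,
# asterisks or backslashes), since the name is interpolated into one.
check_account_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing account name: $1" >&2; return 1 ;;
    esac
}

# Build the LDIF modify record for one account: DN, drive letter, UNC path.
home_folder_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: homeDrive\nhomeDrive: %s\n-\n' "$2"
    printf 'replace: homeDirectory\nhomeDirectory: %s\n-\n' "$3"
}

# Resolve a sAMAccountName to its DN in sam.ldb.
account_dn() {
    check_account_name "$1" || return 1
    ldbsearch -H "$SAM_DB" "(sAMAccountName=$1)" dn | sed -n 's/^dn: //p'
}

# Usage on the DC (as root): set_home_folder demo H '\\server\users\demo\'
set_home_folder() {
    drive=$(normalize_drive "$2") || return 1
    check_unc_path "$3" || return 1
    dn=$(account_dn "$1") || return 1
    [ -n "$dn" ] || { echo "no account named $1" >&2; return 1; }
    home_folder_ldif "$dn" "$drive" "$3" | ldbmodify -H "$SAM_DB"
}
```

As with the ldbedit command, the change takes effect at the user's next logon. To assign homes to many accounts, call set_home_folder in a loop over the user names; each failed validation stops before anything is written.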


In an NT4 Domain

In a Samba NT4 domain, to set \\server\users\%U as the path to the home folder and map it to the H: drive letter:

  • Add the following parameters to the [global] section of your smb.conf file:
logon drive = H:
logon home = \\server\users\%U
When a user logs in to the domain, Samba replaces the %U variable with the session user name. For further details, see the Variable Substitutions section in the smb.conf(5) man page.
  • Reload Samba:
# smbcontrol all reload-config


In a Non-domain Environment

Using a Windows Professional or Higher Edition

If your Samba server and clients are not part of a domain, set the user home folder mapping in the local user account's properties:

  • Log on to the Windows machine using an account that is a member of the local Administrators group.
  • Open the lusrmgr.msc (Local Users and Groups) application.
The lusrmgr.msc application is not available in Windows Home editions.
  • Click Users in the navigation on the left side.
  • Right-click the account you want to assign a home folder to, and select Properties.
  • Navigate to the Profile tab.
  • Select Connect, choose the drive letter Windows maps the home folder to, and enter the path to the home folder in the To field.
  • Click OK.

You must set the mapping for each user on every Windows client manually.


Using Windows Home Edition

Windows Home editions do not provide the application needed to set the user home folder mapping in the local account properties. Instead, each user must map the drive manually:

  • Log on to the Windows machine as the user that should get the home folder mapped.
  • Open a command prompt.
  • For example, to map the \\server\users\demo\ folder to the H: drive letter, enter:
> net use H: \\server\users\demo\ /persistent:yes

The user home folder is automatically connected when the user logs in. To stop the automatic mapping, disconnect the drive. For example:

> net use H: /delete