
I need help with Samba configuration.

What I want to achieve is a configuration where a Windows user on the share sees only his own files. This is simply achieved with a configuration like this:

Users are authorized by Windows AD Server

[BACKUP]
  comment = BACKUP STORAGE LOCATION
  path = /storage/BACKUP
  read only = no
  browseable = yes
  writable = yes
  create mode = 0600
  directory mode = 0700
  force directory mode = 0700
  force create mode = 0600
  access based share enum = yes
  hide unreadable = yes
  valid users = "@DOMAINNAME+SOMEUSERGROUP"

It works OK but... on the server side, the directory /storage/BACKUP holds the files of every user.

So I would like to create a directory here for every user (I can't use [home], because it's already used).

So I would like to keep it like this:

/storage/BACKUP/username/

So when I change the path and add %U at the end, everything is almost OK.

The problem is that I need to manually create the directory /storage/BACKUP/username.

So what I need is to somehow force Samba to create this directory before the user accesses this share.

I've tried adding add user script = /path/to/mkdir /storage/BACKUP/%U but this is not working because:

  1. I don't know why ;)
  2. I already have users who logged in before
  3. It should start for newly created users, which would be OK for me, but it doesn't work.

I'm not creating users in Linux after they log in, so I'm not using add user/machine script anywhere else.

So I want to force Samba to create a directory for the user when this user tries to connect. I've been searching Google for a couple of hours and didn't find a way to do it that will work for me.

I need to keep the /server/BACKUP location for everyone, but on the server side I need to keep files in separate directories per user, so creating a new share is also not a solution.

Lisek
  • If users are authorized via AD, the `add user script` directive will never trigger because Samba isn't notified when a new user is created in AD, so this can't work. – Sven Feb 17 '14 at 11:54

4 Answers


You can use the preexec or root preexec options for this. They specify a script that is run upon connection to a share. In the case of preexec the script is run as the connecting user, and as root with root preexec.

In your share:

[BACKUP]
root preexec = /etc/samba/gendir.sh %u

where /etc/samba/gendir.sh looks somewhat like this:

#!/bin/bash
# Create the per-user directory if it does not exist yet
DIRECTORY=/storage/BACKUP/$1
if [ ! -d "$DIRECTORY" ]; then
   mkdir "$DIRECTORY"
fi

Depending on your requirements, add chown and/or chmod statements to the script.

Sven
  • This is what I needed. Works like a charm. Thank you – Lisek Feb 17 '14 at 12:25
  • You can avoid the need for a separate script. I use `root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U && chown %U:"Domain Users" /home/%U'` – starfry Feb 24 '15 at 12:21
  • You can use the -p switch on mkdir and omit the preceding test for existence. –  Apr 05 '16 at 13:19

In my case the situation is slightly different: I'm using Samba as my DC with FreeNAS. I'm not sure whether this is due to the FreeBSD build or to Samba acting as DC, but either way the username passed to the script in @Sven's answer above is prefixed with the domain name, so $1 ends up being DOMAINuser rather than user, and the directory requested by the home share is DOMAIN\user, not just user.

I've adjusted the script like this, and it now works a charm:

#!/bin/bash

# Strip the domain prefix that Samba prepends to the username
USERNAME="${1//DOMAIN/}"

DIRECTORY=/mnt/tank/domain-homes/DOMAIN/$USERNAME

if [ ! -d "$DIRECTORY" ]; then
    mkdir -p "$DIRECTORY"
    chown "DOMAIN\\$USERNAME:wheel" "$DIRECTORY"
fi

In addition, the machines also try to create their own directories, with a trailing _ character. The username has a $ at the end to designate a computer account. I've modified the script like this to support computer directories:

#!/bin/bash

# Strip the domain prefix that Samba prepends to the username
USERNAME="${1//DOMAIN/}"

DIRECTORY=/mnt/tank/domain-homes/DOMAIN/$USERNAME

if [[ "$USERNAME" == *_ ]]
then
    # We have a computer share, so the username has a $ at the end;
    # the folder retains the _
    USERNAME="${USERNAME//_/\$}"
fi

if [ ! -d "$DIRECTORY" ]; then
    mkdir -p "$DIRECTORY"
    chown "DOMAIN\\$USERNAME:wheel" "$DIRECTORY"
fi

I intend also to create profile directories the same way.

babelmonk
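A hardened variant of the root preexec helper from Sven's answer that also copes with the domain-prefixed usernames babelmonk ran into, as an added example (not code from either answer): it whitelists the username before building the path, creates the directory with mode 0700 in one step and chowns it only when running as root. The /storage/BACKUP base directory and the `\` and `+` prefix separators are assumptions.

```shell
#!/bin/sh
# Added example, not code from any of the answers above: a hardened variant
# of the gendir.sh root preexec helper. Wire it up the same way:
#   root preexec = /etc/samba/gendir.sh %u
# Assumptions: the base directory is /storage/BACKUP (override with
# BASE_DIR), and a domain prefix, if present, is separated by "\" or "+".

BASE_DIR="${BASE_DIR:-/storage/BACKUP}"

# sanitize_user NAME: print the bare account name, or fail.
# Strips an optional DOMAIN\ or DOMAIN+ prefix, then rejects anything
# outside a conservative character set, so a username containing "/",
# ".." or shell metacharacters can never become part of the path.
# A trailing "$" is allowed so computer accounts (HOST$) still work.
sanitize_user() {
    user="${1##*\\}"
    user="${user##*+}"
    case "$user" in
        '' | *[!A-Za-z0-9._\$-]* | .* | -*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# ensure_user_dir BASE NAME: create BASE/NAME with mode 0700 if it is
# missing, hand it to the user, and print the resulting path.
# Idempotent, so it is safe to run on every connection.
ensure_user_dir() {
    base="$1"
    user="$(sanitize_user "$2")" || return 1
    dir="$base/$user"
    if [ ! -d "$dir" ]; then
        # -m applies the mode atomically; no window with the default umask.
        mkdir -m 0700 "$dir" || return 1
    fi
    # Samba runs root preexec as root, so the chown only makes sense
    # there. Skip it when the OS cannot resolve the account (e.g. a test
    # run outside the domain); a real chown failure is reported as an error.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# Entry point when Samba invokes the file as gendir.sh; sourcing the file
# only defines the functions.
if [ "${0##*/}" = "gendir.sh" ]; then
    ensure_user_dir "$BASE_DIR" "${1:-}" >/dev/null
fi
```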

This is a standalone server. In the share's auxiliary parameters I have added:

root preexec = bash -c '[[ -d /mnt/NAS/SAMBA/scratch/%U ]] || mkdir -m 0700 /mnt/NAS/SAMBA/scratch/%U && chown %U:%G /mnt/NAS/SAMBA/scratch/%U'

All users have access to scratch and full control over all files; however, every user has his own directory created automatically.

K4c

If you are using the PAM mechanism, you might want to add the following line to the file /etc/pam.d/common-session:

session required        pam_mkhomedir.so skel=/etc/skel umask=0077
Norbert Weuster