0

I've created a new domain in Zentyal Development 6. To quote their documentation:

By default each LDAP user has a personal /home/ directory on the server. If the File Sharing module is active this directory will be accessible to the specific user (and only to the user) through SMB/CIFS. Furthermore, if a Windows client host is joined to the domain this directory will be automounted as drive H:.

-- Zentyal Documentation

This reads as though disabling this is as simple as disabling the File Share module. However, this is not possible without also disabling the Directory Services module.

Domain Controller and File Sharing in Same Module (image)

This is NOT desirable in my environment. I've searched high and low for a way to turn this off, but I have been unsuccessful. There does not appear to be a way to disable this functionality in the web console, and if I modify the configuration in dsa.msc, the configuration is reset after a minute or two.

This does not appear to be connected with any group policies as the policy item for this setting is left Not Configured, which tells me this is something with Zentyal itself.

There are a few forum posts on the Zentyal forums in which users ask about the same thing, but these either have no answer or, in the case of the last one, rely on setting a group policy to override Zentyal.

It's worth noting that in the documentation linked above, there is a "General Settings" tab in the File Sharing module. This is missing in my configuration.

Imho, Domain Services and File Share should be two separate and disparate components that you would install separately. Following this pattern, disabling the home drive configuration is good, but disabling or removing Samba entirely would be even more ideal. Domain Controllers hosting files seems like a terrible design flaw and security hole in my mind, which is likely why Windows Server best practice says that you should NEVER install Domain Service and File Share roles on the same server.

Edit: I found this Zentyal document and two settings within:

SAMBA (/etc/zentyal/samba.conf)

# Uncomment this if you want to skip setting the home directory of the
# users while saving changes
#unmanaged_home_directory = yes

USERS (/etc/zentyal/users.conf)

# whether to create user homes or not
mk_home = yes

I set both of these items to 'no', but this had no effect. The file share was created and new users have a home drive set.

Foxtrek_64

3 Answers

0

You need to modify the stub for Samba shares. First, make a directory for your modified stubs:

mkdir -p /etc/zentyal/stubs/samba

Do not modify stubs in /usr/share/zentyal/stubs/ because when you upgrade Zentyal your changes may be overwritten.

Then copy the file:

cp /usr/share/zentyal/stubs/samba/shares.conf.mas /etc/zentyal/stubs/samba/

Edit the file /etc/zentyal/stubs/samba/shares.conf.mas and add a hash at the beginning of every configuration line for Samba homes. In Zentyal 6.1.2 it looks like this:

...
</%init>
#[homes]
#    comment = <% __('Home Directories') %>
#    path = /home/%S
#    read only = no
#    browseable = no
#    create mask = 0611
#    directory mask = 0711
% my $rb = ($recycle xor defined($recycle_exceptions->{'users'}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
%   $objects .= ' full_audit';
% }
% if ($rb) {
%   $objects .= ' recycle';
% }
#    vfs objects = <% $objects %>
#    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
#    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
%   foreach my $key (keys %{$recycle_config}) {
%       next unless $key;
#    recycle: <% $key %> = <% $recycle_config->{$key} %>
%   }
% }

# <% @shares ? "Shares\n" : "No shares configured" %>
...

Simply add a hash to every line that does not start with a percent sign. Save the file and restart the Samba module with the command:

sudo zs samba restart

This will generate a new config for Samba. Now check the /etc/samba/shares.conf file. Voilà!

QkiZ
0

It would appear that it was Samba doing this. The final answer was found in this Unix StackExchange article.

For those following up/experiencing the same issue

I don't know if the two configuration items from the initial user have any effect. However, in my environment, I have both of those set to no and I've commented out my [homes] configuration. The configuration for this item is held in /etc/samba/shares.conf on Zentyal Development 6.0.1, so if you can't find it in /etc/samba/smb.conf that's why.

I recommend changing all three configuration items if you're wanting to disable this yourself.

Foxtrek_64
  • Anything edited in `/etc/samba/` will be overwritten when Samba is restarted from Zentyal (not by the systemctl command) or when you upgrade Samba. – QkiZ Apr 01 '20 at 13:27
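
As an added example (not part of either answer above, nor Zentyal's own tooling): a check to run after `zs samba restart` that confirms the generated Samba files contain no live `[homes]` share and flags parameters left uncommented under a commented-out `[homes]` header. The function names are hypothetical; the paths are the ones quoted in the answers.

```shell
#!/usr/bin/env bash
# Added example: audit generated Samba config for a live [homes] share.
# Function names are hypothetical; paths are those named in the answers.

# Print every uncommented [homes] header (section names are case-insensitive).
# Exit status 0 means a live [homes] share exists in at least one file.
homes_share_active() {
    awk '{ l = $0; sub(/^[ \t]+/, "", l) }
         l ~ /^[#;]/ || l == "" { next }
         tolower(l) ~ /^\[[ \t]*homes[ \t]*\]/ { print FILENAME ":" FNR ": " l; hit = 1 }
         END { exit hit ? 0 : 1 }' "$@"
}

# Print parameters left uncommented under a commented-out [homes] header.
# Such lines silently attach to whichever active section precedes them.
# Exit status 0 means orphaned parameters were found.
orphaned_homes_params() {
    awk '{ l = $0; sub(/^[ \t]+/, "", l) }
         FNR == 1 { dead = 0 }
         tolower(l) ~ /^[#;][ \t]*\[[ \t]*homes[ \t]*\]/ { dead = 1; next }
         l ~ /^\[/ { dead = 0; next }
         l ~ /^[#;]/ || l == "" { next }
         dead { print FILENAME ":" FNR ": " l; hit = 1 }
         END { exit hit ? 0 : 1 }' "$@"
}

# Run both checks on the given files; return non-zero if either finds a problem.
audit_homes() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 2; }
    done
    if homes_share_active "$@"; then echo "FAIL: [homes] share is active"; rc=1; fi
    if orphaned_homes_params "$@"; then echo "FAIL: stray [homes] parameters"; rc=1; fi
    # Without the stub override, edits under /etc/samba/ are regenerated.
    [ -f /etc/zentyal/stubs/samba/shares.conf.mas ] ||
        echo "NOTE: no stub override in /etc/zentyal/stubs/samba/"
    [ "$rc" -eq 0 ] && echo "OK: no [homes] share in $*"
    return "$rc"
}

# Audit the files given as arguments, for example:
#   ./audit_homes.sh /etc/samba/smb.conf /etc/samba/shares.conf
if [ "$#" -gt 0 ]; then audit_homes "$@"; fi
```

Running it again after a Zentyal upgrade shows whether the regenerated files still omit the share.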
0

Create a logon.bat script like this:

rem Disconnect mapped drives...
NET USE H: /delete

Put it in \\zentyal\sysvol\domain\scripts and set the Read and Execute permission for Domain Users. Use RSAT to set the user profile logon script.

chicks
Marcio J
  • This is a decent solution, but feels more like a band-aid than an actual fix. This solution would not prevent Samba from creating the user's share and taking up space on my DC. – Foxtrek_64 May 14 '19 at 03:46