Access Denied in users home folders

[JnPson]

I have installed Ubuntu 12.04.2 Server on a Dell poweredge R710 using LVM. I have installed DNS, DHCP and Samba4, I have created a domain with provisioning and I have created users with roaming profiles and H: as their home folder. I am using Adminpak for Windows server 2003 and administrating it from an XP machine.

To create roaming user profiles I first created a folder named profile and created the profile with \\dc01\profile\%USERNAME%. That works just fine and users can log on to any computer with their profile. I then created a folder named hem for the users home folders and used \\dc01\hem\%USERNAME% and this is where things goes wrong.

This is the error:

Code:

The \\dc01\hemkatalog\clark home folder was not created because you do not have create access on the server. The user account has been updated with the new home folder value but you must create the directory manually after obtaining the required access rights.

Here is my smb.conf

Code:

root@DC01:~# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "server role"
Ignoring unknown parameter "server role"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[profile]"
Processing section "[profiles]"
Processing section "[hemkatalog]"
Processing section "[Hem]"
Loaded services file OK.
ERROR: cache directory /var/cache/samba does not exist
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LAN
    passdb backend = samba4
    idmap config * : backend = tdb

[netlogon]
    path = /var/lib/samba/sysvol/mydomain.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profile]
    path = /home/profile
    read only = No
    browseable = No

[profiles]
    path = /home/profiles
    read only = No
    browseable = No

[hemkatalog]
    comment = Hemkataloger for alla deltagare.
    path = /home/hemkatalog
    read only = No
    browseable = No

[Hem]
    path = /home/hem

This is the permissions and rights from ls -l:

Code:

drwxrwxrwx 3 root    root    4096 Apr  5 11:53 hem
drwxrwxrwx 3 root    root    4096 Apr  2 11:00 hemkatalog
drwxrwxrwx 8 root    root    4096 Apr  2 10:51 profile
drwxrwxrwx 5 root    root    4096 Apr  2 10:52 profiles

I have done several attempts to create home folders for the users. The first time I created hemkatalog but only Administrator could create files and folders. Now only root can create files and folders within hem/hemkatalog

Can any of you see what's wrong here or have you had the same problem created users with home folders?

[darkod]

I didn't understand, how are you actually creating the users on the ubuntu server?

[JnPson]

Througn adminpak from an xp machine.

[darkod]

Are you sure that can create them on a linux filesystem? Only root has those permissions, are you sure it's working?

It seems to me like that is the part that's failing, the creation of a new user. And not samba user, the linux user. Creating the user will make the corresponding home folder too, and set that user as owner of its home folder.

I have no idea what adminpak is about but you can try adding few users on the command line and see if they work as expected. Then you know where the problem lies.

I always mix up the command to add users, was it useradd or adduser. I think they both have something to do with it.

If you want users to belong to specific group, etc, you can add options to the command. I guess the man page can give you more details about that. This is what a quick google search says:
http://www.howtogeek.com/howto/ubunt...ubuntu-server/

[Toxic64]

hi,

I have had the same problem. Here is what I did to create my /User folder:

Code:

sudo mkdir -m 770 /Users

sudo chmod g+s /Users

but that didn't work quite immediately though...

Code:

sudo chown root:users /Users

made it work.

you also have to add this to your smb.conf

Code:

[Users]
directory_mode: parameter = 0700
read only = no
path = /Users
csc policy = documents

Editing again but after further inspection on your testparm command result, your server is not a DC, it only has a standalone server role which could also explain your problem.
I m not sure ADS authentication is possible against a standalone server and I think what you need is a functionnal ADS domain controller.

Are you sure that can create them on a linux filesystem? Only root has those permissions, are you sure it's working?

Yes it can, thes "Users" folder is a container and has to have the rights for each newly logged user to the active directory to create his homefolder inside it.
each user can only see or edit what's in his own homefolder.

[JnPson]

Toxic64, I will try this tomorrow when I'm back to work and I will post here how things turn out.

[Toxic64]

Ok, no problem.
As I said, it seems you have a problem with your server. from what I can read from the testparm result your server is not a Domain controller.

Code:

Server role: ROLE_STANDALONE

which means your users haven't got anything to authenticate against, unless you have another Domain controller somewhere else.

Did you install Samba 4 from apt-get or did you compile from source via git?
what version of samba 4 are you running? (samba -V to find out)

[darkod]

So, does that mean we are going back to what I said, it doesn't actually create users on linux filesystem? You seem to say "you need functional Active Directory contoller" and this adminpak program seems only to help with the GUI to manage users which at the end are authenticating against an AD.

But if you have only your samba server, adminpak doesn't do anything for you since it doesn't actually create users on linux for you. There is a big difference again simply authenticating a user against existing AD and creating the user in your linux server. The OP seems to think it can do that, and from what has been said so far it doesn't look like that to me. Again I say, I might be wrong.

I don't know how many users we are talking about, but especially if there is not a huge number of users, I would say consider creating them in linux and that's it. Don't rely too much on GUI tools that are based on windows and AD, especially if you have no AD running.

From what I have seen so far, I doubt this adminpak helps with OpenLDAP too. I mean what's the point if it needs a running AD server?

PS. You can very easily check whether the home folders get created at all, I think they don't. Just open /home and check if you have the home folders off all users that you expect. I think this adminpak can't create anything on linux, but if you create the user on the server yourself, it will work. Try it with one user. Creating a user on linux creates the home folder automatically.

[Toxic64]

So, does that mean we are going back to what I said, it doesn't actually create users on linux filesystem? You seem to say "you need functional Active Directory contoller" and this adminpak program seems only to help with the GUI to manage users which at the end are authenticating against an AD.

Well actually not.
Samba 4 has AD integration. you can create or join an Active directory domain with Samba4 without an actual Windows server. Adminpak helps you with your samba4/AD administration and it works just great.
The AD creates the Users home folder on the linux file system but for it to work you have to have a working DC wether its Samba4 acting as AD or Microsoft AD doesn't matter.

As a matter of fact, it doesn't create the users on your linux, it creates the users in the AD database/ users Organizational Unit. but the AD administrator account with which you create the users and do other tasks has rights on the linux filesystem through Samba4.

For instance I have a full Samba4 Active Directory with 5 Samba4 servers replicating, DNS working etc...none of those 5 servers is a windows server...(which is cool)
I have adminpak installed on windows 7 machine and doing all my administration from there wether it's AD administration or DNS or GPo (Group policy Objects).
Samba4/Ad domains are just great.

[JnPson]

I did a clean install of Ubuntu server 12.04.2 and chose SSH only, during install to be able to admin it. I then installed samba4 with apt-get, then I ran provisioning:

Code:

/usr/share/samba/setup/provision --realm=mydomain.lan --domain=MYDOMAIN --adminpass='Test123' --server-role=dc

I'm pretty sure it is a domain controller, even though the testparm result shows otherwise. I have added several XP machines to the domain, and I've created users with roaming profiles. Both computers and users can authenticate against the server and everything but making home folders works.

I believe there is a new version of testparm I could run but I have forgotten the command, testparm for samba 4. Correct me if I'm wrong.

The version of samba4:

Code:

root@DC01:/# samba -V
Version 4.0.0alpha18

I did what you suggested.

Code:

root@DC01:/# mkdir -m 770 /users
root@DC01:/# chmod g+s /users
root@DC01:/# chown root:users /users

I edited smb.conf and added:

Code:

[Users]
        directory_mode: parameter = 0700
        read only = no
        path = /users
        csc policy = documents

Administrator can now create home folders for the users, but users can't access it.

//Edit
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
The command is samba-tool testparm

Code:

root@DC01:/# samba-tool testparm
Press enter to see a dump of your service definitions

# Global parameters
[global]
    server role = domain controller
    workgroup = MYDOMAIN
    realm = mydomain.lan
    netbios name = DC01
    passdb backend = samba4

[netlogon]
    path = /var/lib/samba/sysvol/mydomain.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profile]
    path = /home/profile
    read only = No
    browseable = No

[profiles]
    path = /home/profiles
    read only = No
    browseable = No

[Users]
    path = /users
    read only = No
    csc policy = documents
    directory_mode: parameter = 0700

[hemkatalog]
    comment = Hemkataloger for alla deltagare.
    path = /home/hemkatalog
    read only = No
    browseable = No

[Hem]
    path = /home/hem

//