LinuxQuestions.org
Old 09-30-2014, 11:41 AM   #1
derekpock
Hidden Permissions - Zentyal Admins unable to read User Created Folders


I am the co-administrator of a small private school's domain system. I set the system up using Zentyal 3.4, to which Windows and Ubuntu clients both connect. Students have their own personal logins with their personal "Server Drive" of 500Mb space on the server. These "Server Drives" are the users' home folders (i.e., user john.smith's server drive is under /home/john.smith).

I have had multiple problems with the permissions before. By mixing Ubuntu's drwxrwxrwx permission system and Zentyal's ACLs, I managed to get all administrators access to the users' files by creating a symlink to the home folder that only admins have permission to. I used the Zentyal File Sharing (Samba) to add this to Samba, and it worked for a while. (/userfiles is a symlink to /home that only admins can access. I do this because Samba will mess up if I create a share with /home, since that is what the users are using when they get their Server Drive; duplicate Samba entries, I guess.)

Each user's home folder is owned by them as the user but owned by Administrators as the group. Perms are set to 770 for all of them, including any sub-folders; the typical user's folder looks as follows:

drwsrws--- 4 john.smith Administrators 4096 Aug 15 16:02 john.smith/

The users can access all their files, and the admins can access their files as well. The problem comes when the users create their own personal folders. In /etc/skel, the users start with a Documents and a Pictures folder. Anything in here (not including subfolders) is readable by any admin. If a user creates a personal folder anywhere (i.e. /home/john.smith/Computer Class), admins can't read it.

I have tried fixing the problem by doing:

Code:
# run from /home: give every home folder to its user, group Administrators, mode 770
for line in *
do
    chown "$line":Administrators "$line" -R
    chmod 770 "$line" -R
done

This basically sets the permissions of all folders and files to that seen above. It still doesn't work. I've also tried doing:

setfacl -b john.smith

Still nothing. There is no difference in the ACL or Ubuntu permission results between the Documents or Pictures folders (readable) and the users' personally created folders (non-readable). What am I doing wrong here? Any suggestions to clean up this mess? How can I get these permissions to how I need them to be?

Last edited by derekpock; 09-30-2014 at 02:30 PM. Reason: Cleanup
 
Old 10-01-2014, 11:36 PM   #2
Smokey_justme
This happens because anything they create depends on the umask, which I don't really know how it works on Samba, and on the main group the users are part of... The good news is that you can use default ACLs to fix this. Default ACLs just set defaults for new files or directories, and something like the following should help you resolve this problem for new files (if Samba doesn't actually modify permissions).

Code:
setfacl -R -m "default:group:Administrators:rwx,default:mask:rwx" john.smith
Now, about your existing directory problem.. Since you're already bound to use ACLs, just stick with them for everything:
Code:
chown -R john.smith:Administrators john.smith
setfacl -R -m "group::rwx" john.smith

Last edited by Smokey_justme; 10-01-2014 at 11:42 PM.
 
Old 10-02-2014, 11:38 AM   #3
derekpock
This is what I did, following your suggestions.

Code:
home # 11:30:22 | setfacl -R -m "default:group:Administrators:rwx,default:mask:rwx" john.smith/
home # 11:30:51 | chown -R john.smith:Administrators john.smith/
home # 11:31:11 | setfacl -R -m "group::rwx" john.smith/
home # 11:31:18 | cd john.smith/
john.smith # 11:31:22 | getfacl ReadableFolder/
# file: ReadableFolder/
# owner: john.smith
# group: Administrators
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Administrators:rwx
default:mask::rwx
default:other::---

john.smith # 11:31:26 | getfacl NonreadableFolder/
# file: NonreadableFolder/
# owner: john.smith
# group: Administrators
# flags: -s-
user::rwx
user:john.smith:rwx
group::rwx
group:__USERS__:--x
mask::rwx
other::---
default:user::rwx
default:user:john.smith:rwx
default:group::--x
default:group:__USERS__:--x
default:group:Administrators:rwx
default:mask::rwx
default:other::--x

john.smith # 11:31:44 | setfacl -R -m "default:group:Administrators:rwx,default:mask:rwx" *
john.smith # 11:31:58 | setfacl -R -m "group::rwx" *
john.smith # 11:32:04 | getfacl ReadableFolder/
# file: ReadableFolder/
# owner: john.smith
# group: Administrators
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Administrators:rwx
default:mask::rwx
default:other::---

john.smith # 11:32:08 | getfacl NonreadableFolder/
# file: NonreadableFolder/
# owner: john.smith
# group: Administrators
# flags: -s-
user::rwx
user:john.smith:rwx
group::rwx
group:__USERS__:--x
mask::rwx
other::---
default:user::rwx
default:user:john.smith:rwx
default:group::--x
default:group:__USERS__:--x
default:group:Administrators:rwx
default:mask::rwx
default:other::--x
I think for some reason setfacl's recursive mode isn't really recursive. After all of this I am still unable to access the files on a Windows client as admin. I am, however and oddly enough, able to log in as admin on the server and read the files all I want. Any suggestions beyond this? I think Zentyal is getting in the way somehow.

EDIT: I should clarify. I CAN read from ReadableFolder from Windows Clients as admin. I CANNOT read from NonreadableFolder from Windows Clients as admin. I can read from both when logging directly onto the server as admin.

Last edited by derekpock; 10-02-2014 at 11:44 AM. Reason: clarify readability of folders
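As an added example (not code from the thread), the following Python applies the acl(5) access-check order to the access entries of the two getfacl listings above: owner entry first, then a named user entry, then every matching group entry after the mask, then other. It shows that on the Linux side an admin who is in both Administrators and __USERS__ (as post #5 confirms) is granted read on both folders, which matches what works when logged onto the server directly; the Samba-to-Windows mapping is not modelled.

```python
# Added example: POSIX ACL access check per acl(5), run against the thread's listings.

# Constructed from the thread's getfacl output (access entries only, no default: lines).
READABLE = """user::rwx
group::rwx
other::---"""

NONREADABLE = """user::rwx
user:john.smith:rwx
group::rwx
group:__USERS__:--x
mask::rwx
other::---"""


def parse_acl(text):
    """Return [(tag, qualifier, set_of_perms)] for the non-default entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, set(perms) - {"-"}))
    return entries


def allowed(acl, owner, owning_group, uid, groups, want):
    """acl(5) order: owner, named user, any matching group (masked), other."""
    want = set(want)
    mask = next((p for t, _, p in acl if t == "mask"), None)
    masked = lambda p: p & mask if mask is not None else p
    by = {(t, q): p for t, q, p in acl}
    if uid == owner:
        return want <= by[("user", "")]          # the owner entry is never masked
    if ("user", uid) in by:
        return want <= masked(by[("user", uid)])
    matched = False
    for tag, qual, perms in acl:
        if tag == "group" and (qual in groups or (qual == "" and owning_group in groups)):
            matched = True
            if want <= masked(perms):            # any matching group that grants wins
                return True
    if matched:
        return False                             # groups matched but none granted
    return want <= by[("other", "")]


def admin_can_read(text):
    """The thread's admin account: member of Administrators and __USERS__ (post #5)."""
    return allowed(parse_acl(text), "john.smith", "Administrators", "admin",
                   {"Administrators", "__USERS__"}, "r")
```

A plain member of __USERS__ only gets the --x entry on NonreadableFolder, so read is denied for them while traverse is still allowed.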
 
Old 10-02-2014, 01:00 PM   #4
Smokey_justme
Hmm... Is it possible that the user in the Administrator group is also part of the normal users (__USERS__) group? Maybe for some reason it doesn't obey the normal group permissions and only the extended ones set on __USERS__.. Somehow I think (can't test this right now) that Windows is actually only listening to that permission in this case..

Try doing
Code:
setfacl -R -m "group:Administrators:rwx" NonreadableFolder
to test if it makes any difference..
 
Old 10-02-2014, 02:01 PM   #5
derekpock
Yes. User admin is part of the __USERS__ group. That would explain why Windows only listens to that special group. I don't think I can remove this group from admin without domain logons being interrupted and affected. The integration of the Active Directory between Windows and this Ubuntu server is in the dark depths of Zentyal. Their interface for adding special ACLs on the home directory either isn't allowed or malfunctions. Unfortunately, I don't have access to this server again until next Monday. I will try this out then, doing more research on setfacl and getfacl, and ACLs in general. I will let you know if this helps on Monday. Thanks for your help so far!

Last edited by derekpock; 10-02-2014 at 02:02 PM.
 
Old 10-06-2014, 11:03 AM   #6
derekpock
The code you provided did not help. I am still unable to access it on a Windows client. I'm testing some other stuff too now. Any more suggestions?
 
Old 10-18-2014, 12:04 AM   #7
derekpock
I'm still at a complete loss. I have made a very nasty workaround for now, but I still need to fix these ACLs or hidden permissions sometime. This is NOT solved, so if you have more suggestions, let me know.
 
Old 03-31-2016, 04:38 AM   #8
fomindn
Question: How was this problem solved?

Hi, Derekpock!

This topic is marked as "solved". Can you tell me how you solved the user access permissions problem?

Now I use Zentyal 4.1 and I have the same problem with owners and permissions for users' home folders. From the Zentyal web panel I created users and groups, and in the home folder the users' folders were created with my admin account as owner (the one I logged into the Zentyal web panel with and created those users). But, as I think, this is wrong. Users' home folders must have user_name as owner and domain_admin as group. Can you help? Tell me, please, where and how I can set default permissions for users' home folders in Zentyal?

Thanks!
 
Old 04-03-2016, 07:41 PM   #9
derekpock
The last post states that I made a messy workaround that I really shouldn't suggest to anyone. As of this post, I've moved and am no longer the sysadmin with this issue. If you have this issue as well, start a new post with newer information from the newer releases.

IF YOU MUST, however, use the messy workaround I was using, this is what I did:

In /etc/rc.local, add the following lines (or something similar) before the exit 0:

Code:
# split the ls output on newlines only, so folder names with spaces survive
IFS="
"
# list /home and skip the entries that are not user folders
for userFolder in `ls -1 /home | grep -v "directoryInHomeThatIsNotAUsersFolder" | grep -v "anotherDirectoryInHomeThatIsNotAUsersFolder" | grep -v "etc..."`
do
    # ls prints bare names and rc.local does not run from /home, so use the full path
    chmod 770 "/home/$userFolder" -R
    chown "$userFolder":ADMINISTRATOR "/home/$userFolder" -R
done
The code above, on every startup, changes the permissions in the home folder so that every user's folder has the permissions USER=[the name of the user's folder, usually the username itself], GROUP=ADMINISTRATOR, MOD=user: read, write, execute; group: read, write, execute; everyone else: none.

Basically, any ADMINISTRATOR (you can change that to whatever admin group you have) will have access to all user files, and each USER will have full access to their files.


AGAIN, I can't stress this enough....I REALLY DON'T RECOMMEND THIS AS A LONG-TERM SOLUTION

Only use this short-term and seek more help to fix the problem finally either on this forum, another one, or on Zentyal's own forum pages.

Last edited by derekpock; 04-03-2016 at 07:49 PM.
 
Old 04-04-2016, 01:58 PM   #10
fomindn
Thanks, Derekpock, for your answer!

Very strange that this problem is still current and the Zentyal developers don't fix it. I wrote the same post on the Zentyal forum, but haven't received any answer yet.

In my situation, the domain server on Zentyal will work in a small company (about 20 users) and I can set up the needed permissions once by hand after creating all the users of the domain. And then, if newly created subfolders in users' home folders have wrong owners (and/or permissions), I plan to create a shell script which will be started by a cron task every 5-15 min and change the owners.
 
Old 04-04-2016, 02:52 PM   #11
derekpock
Sounds reasonable, but I would, in that shell script, only change the perms if they need to be changed. I.e., check whether the perms are set correctly before changing them constantly.
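The check-before-change version of the cron job discussed in the last two posts, as an added example that is not code from either poster. It walks one home folder, reports only the entries whose owner, group or rwx bits differ from USER:GROUP 770, and repairs just those while keeping any setgid bit a directory already has (as chmod 770 on a directory does); the caller supplies the numeric uid and gid, for example from pwd.getpwnam and grp.getgrnam.

```python
# Added example: repair a home folder's owner/group/mode only where it is wrong.
import os
import stat


def wrong_entries(home, uid, gid, mode=0o770):
    """Yield (path, reason) for each entry whose owner/group or rwx bits are off."""
    for dirpath, _, filenames in os.walk(home):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # never chmod through a symlink
            if (st.st_uid, st.st_gid) != (uid, gid):
                yield path, "owner"
            elif stat.S_IMODE(st.st_mode) & 0o777 != mode:
                yield path, "mode"


def fix_home(home, uid, gid, mode=0o770):
    """Repair only what wrong_entries() reports; return the list of touched paths."""
    fixed = []
    for path, _ in list(wrong_entries(home, uid, gid, mode)):
        special = stat.S_IMODE(os.lstat(path).st_mode) & 0o7000
        os.chown(path, uid, gid)
        os.chmod(path, special | mode)        # keep setuid/setgid/sticky bits as they were
        fixed.append(path)
    return fixed
```

Running it from cron every few minutes is then cheap on a tree that is already correct, because nothing is rewritten unless it differs.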
 