Windows file server page

There are a few feature requests that could lead us to resume the “Windows network” page in server manager

The new page (I’d like “Windows file server” as title) should contain:

  • “Workgroup name” field, modifiable only with LDAP providers, read-only if joined to AD.

  • A radio button to switch between legacy NTLM-auth access and domain Kerberos-auth. See this bug.

  • A checkbox to enable the home$ share, that enables the domain administrator to access users’ home directories.

As requested by some of you, the domain administrator account will be mapped to root.


Good choice!! :thumbsup:

This 2013 discussion on RHEL bug tracker seems an interesting lecture:

It explains the upstream choices and why sssd prefers Kerberos.


If I understand correctly they said: “Who cares if there are a plenty of applications that use only NTLM autentication out there. Isn’t our business…”

1 Like

Also a checkbox to enable “admin$” share, mapped to /var/lib/nethserver/ibay, available to members of “Domain Admins” to perform privileged operations on all shared folders (ibays). As alternative the same checkbox could set admin users option to “Domain Admins” on each shared folder to get the same effect (:thinking: still wondering…)

Update: since CentOS 7.4 the sssd implementation supports also NTLM authentication!

It has been a long journey for sssd 1.15 to be ported to CentOS

This means we can now switch to sssd module, and have a fully working ACL management from Windows clients!

With such enhancement from upstream, I think this workaround is not necessary any more; anyway thank you again @planet_jeroen for pointing me to the right direction.

To make the things work we need a couple of adjustments:

  • Set admin users = "@domain admins" on shared folders, in smb.conf
  • Revert the alternatives configuration to the default sssd library

BTW I found the last sssd update left a dangling link. I think this is a bug to fix :thinking:


Thank YOU for taking notice of my struggles and taking a deeper look! <3

1 Like

Development started:


Version #1

This is an UI mockup:

Represented values are the defaults that retain the current system behavior.

What do you think? Is it clear enough? :trophy: Is it shit? :poop: How can we enhance it?

Please provide feedback! :pray: /cc @gg_jr @flatspin @planet_jeroen @robb @Chewi @nrauso @dev_team @quality_team


There is a distinct difference between a homefolder and a profilefolder. Both are essential for proper configuration of AD accounts and working roaming profiles.

A home folder, should be accessible but the user doesnt have to have full controll
A profile folder either should be owned by Domain Admins, or by the user and the user should have full controll in it.

I’m not sure what the use of the Grant Special permissions checkboxes are so I can not comment on them. I’m also tired, forgive me if I am missing the obvious :stuck_out_tongue:

1 Like

First of all: Thanks for hearing me and others @davidep :smile: :thumbsup:
The workgroup box is clear, for shure.
The control thing i salso clear, I think.
For the special permissions I’m also not shure in which cases I’d need them.
I’ll install a new VM tomorrow to test this and to read the inside help. :smile:
So long friends.

1 Like

…you’ve to wait! It’s only a screenshot :grin:

Hahahaha! U got me. Fake news, all fake news!!! :laughing:


Version #2

Reworded “special privileges” section. Adding more checkboxes could be easier in the future…

@flatspin: this is a mockup too :stuck_out_tongue:

1 Like

What is the difference between option 1 and option 2 for special privileges ? They seem the same ? Is the home$ folder conflated here with profile ?

The profile folder will contain the bare minimum from the profile. (that which can not be redirected to the home folder). Included would be AppData\Roaming and the NTUSER.DAT but not folders like 'My ’

The home folder should be seen as ‘private’ server storage for the user and through folder redirection, the documents and other relevant 'My ’ folders get redirected there.

For the home folder, the user needs full controll IN it, but ownership is irrelevant. For the profile folder, either Domain Admins or the user should be the owner. Notably the last one has been proven difficult for me to setup.

There’s no difference in implementation. The comparison purpose is to evaluate the effectiveness of the text labels: are they comprehensible, self-explaining, clear enough? What option do you prefer? Do you want to suggest an alternative?

Sorry, but roaming profiles are not planned in this feature! We should discuss them in another thread.

For the special permissions I would use: ‘Grant full control on shared folder to Domain Admins group’

There is no special case on a home share that would make it logical to set Domain Admins with full control there, so imho it shouldnt get a special mention as it will confuse people into thinking they need this permission for a home share.

If this permission IS needed due to implementation reasons, then it would need the first message, but we would also need to know why to understand the implications and possible limitations.

This is the rationale provided by @GG_jr that seems reasonable

samba-audit could also plug its configuration to provide audit logs about home$ (ab)use too…

That actually will not pass the GDPR. The sysadmin should be able to GET access at all times. Not HAVE acces at all times. Therefore, ownership is much more interesting then actual userrights assignment.

Yes this scenario you mention can be usefull, but therefore I would not name add the (home$ share) reference to the mentioning of the option.

1 Like

Could you make an example? How should it work?