zbot
1 Nickel

Computer accounts provisioning home directories

Hi all,

I have an SMB share for our users' home directories.  These get created on the Isilon automatically with Home Directory Provisioning.  The problem is computer accounts (*not* user accounts) are randomly creating home folders like computer-01$.  Is there a way to prevent this?

Thanks!

0 Kudos
10 Replies
mjzraz
2 Iron

Re: Computer accounts provisioning home directories

This is a giant pain. I would like to see a solution for this as well. We have seen it on VNX and Unity as well. We have to run a cleanup script every week to delete them.

0 Kudos

Re: Computer accounts provisioning home directories

Hi guys,

What's your OneFS version?

Also I'm assuming Active Directory?

How is the SMB share configured?  Could you share a screenshot for the expansion parameters and such?

Thanks.

0 Kudos
zbot
1 Nickel

Re: Computer accounts provisioning home directories

OneFS Version: 7.2.1.2 (will be updated to OneFS Version: 7.2.1.5 later this week)

Yes we're using Active Directory.

SMB share configured in AD:

Screen Shot 2017-05-16 at 7.33.58 AM.jpg

SMB share config:

Screen Shot 2017-05-16 at 7.25.34 AM.jpg

0 Kudos
sluetze
3 Silver

Re: Computer accounts provisioning home directories

I don't like working with deny-rules, but:

If the computer accounts don't have to connect to the share, I would set up a deny rule for Domain\computers on the home share.

Furthermore, I would not configure "Everyone" but "Authenticated Users" (if you are in an Active Directory integrated environment).

Please be aware that deny rules (and ACLs on the share) are against best practices, which say to use whitelisting and NTFS ACLs on the folders rather than on the share.

zbot
1 Nickel

Re: Computer accounts provisioning home directories

Thanks for the ideas!!  Just curious why you recommend using "authenticated users" over "everyone" for the share.  Aren't the permissions all controlled by the ACLs anyways?  Just curious...

0 Kudos
sluetze
3 Silver

Re: Computer accounts provisioning home directories

You are right.

To be honest, I never thought that far. I always put Authenticated Users as being the "more secure" configuration, which still doesn't create any problems no matter which authenticated account tries to connect. I don't have any reasons why share Everyone / ACL Authenticated Users could be less secure than share Authenticated Users / ACL Authenticated Users.

Reasons to choose Authenticated Users over Everyone could be:

* I never have to think about the context where I am. I can configure Authenticated Users at share level and at top-folder level (i.e. share "Homes" and "/ifs/cluster-a/homes/" can have the same permissions)

* I am sure, if someone cracks the ACL, that there is a "minimum protection" on the share level and it is not open to "Everyone"

After doing some research: they removed the unauthenticated users from Everyone in Windows Server 2003, so even this group should be okay in an AD environment.

So I would still prefer Authenticated Users over Everyone, but just because I'm used to it and it would be work to do it another way.

0 Kudos

Re: Computer accounts provisioning home directories

Hi zbot & mjzraz,

Please do let us know if these configuration changes help resolve your issues with computer home folders.

Thanks.

0 Kudos
zbot
1 Nickel

Re: Re: Computer accounts provisioning home directories

Unfortunately, the deny did not work.  Another home directory for a computer account was created yesterday.  Here are the details of the directory and the share permissions I set up:

LBOX-1# id klionsky-popelk$
uid=1000087(klionsky-popelk$) gid=1000050(domain computers) groups=1000050(domain computers)

LBOX-1# ls -ld /ifs/lsi/adenosine/Homes/klionsky-popelk$
drwx------    2 klionsky-popelk$  domain computers    0B May 22 15:21 /ifs/lsi/adenosine/Homes/klionsky-popelk$

LBOX-1# isi smb shares permission view --share=Home --zone=lbox-zone --group="Domain Computers"
        Trustee
            Account: domain computers
       Account Type: group
        Run as Root: False
    Permission Type: deny
         Permission: full

0 Kudos
mjzraz
2 Iron

Re: Computer accounts provisioning home directories

This didn't work. We are also trying this with a new Isilon, and NTFS deny or read-only on the share permissions doesn't seem to matter; it keeps creating the computername$ folders.

0 Kudos
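
The weekly cleanup mentioned earlier in the thread could look like the sketch below. It is an added example, not code from any poster or from the vendor. It assumes machine-account homes are exactly the directories directly under the homes root whose names end in `$`, and it removes only the empty ones. The function names `list_machine_homes` and `clean_machine_homes` are made up for this example.

```shell
#!/bin/sh
# Added example: report (and optionally remove) empty home directories that
# were auto-provisioned for computer accounts, i.e. names ending in "$".
# Assumption: directory names contain no newlines.

# Print every real directory directly under $1 whose name ends in "$".
list_machine_homes() {
    root=$1
    for d in "$root"/*\$; do
        # Skip the unexpanded glob, plain files, and symlinks.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        printf '%s\n' "$d"
    done
}

# Handle machine-account homes under $1. Dry run unless $2 is "delete".
# Non-empty directories are never touched, so a folder that a person
# actually stored data in is left for manual review.
clean_machine_homes() {
    root=$1 mode=${2:-dry-run}
    list_machine_homes "$root" | while IFS= read -r d; do
        if [ -n "$(ls -A "$d" 2>/dev/null)" ]; then
            printf 'KEEP         %s (not empty)\n' "$d"
        elif [ "$mode" = delete ]; then
            # rmdir refuses non-empty directories, a second safety net.
            rmdir "$d" && printf 'REMOVED      %s\n' "$d"
        else
            printf 'WOULD-REMOVE %s\n' "$d"
        fi
    done
}

# Run as a script: ./clean_homes.sh <homes-root> [delete]
if [ "$#" -gt 0 ]; then
    clean_machine_homes "$@"
fi
```

Run it first without `delete` against the homes root (in this thread, `/ifs/lsi/adenosine/Homes`) and review the `WOULD-REMOVE` and `KEEP` lines before scheduling the deleting form.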