I have an SMB share for our users' home directories. These get created on the Isilon automatically with Home Directory Provisioning. The problem is computer accounts (*not* user accounts) are randomly creating home folders like computer-01$. Is there a way to prevent this?
This is a giant pain. I would like to see a solution for this as well. We have seen it on VNX and Unity as well. We have to run a cleanup script every week to delete them.
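The weekly cleanup mentioned above is easy to get wrong (a broad `rm -rf` over the home tree, or following a symlink out of it), so here is an added example of the kind of script that job needs. It is not the poster's script and not Isilon code: it assumes the home share root is an ordinary filesystem path and that machine accounts are recognisable by the trailing `$` in their sAMAccountName, as in the computer-01$ folder from the question. It only removes directories that are still empty, which is what provisioning creates, and reports anything else for a human to look at.

```python
"""Find (and optionally remove) home directories that were auto-provisioned
for Active Directory computer accounts instead of users.

Added example, not code from the thread. Assumptions: the home share root is a
normal directory path, and computer accounts are the entries whose name ends in
'$' (AD sAMAccountName convention, e.g. "computer-01$")."""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# AD machine accounts end in '$'; user accounts never do. Exclude path separators
# so a name can never be interpreted as a relative path.
MACHINE_ACCOUNT_RE = re.compile(r"^[^\\/]+\$$")


def is_machine_account_home(name: str) -> bool:
    """True if a directory name looks like a computer account's sAMAccountName."""
    return bool(MACHINE_ACCOUNT_RE.match(name))


def find_machine_account_homes(root: str) -> List[str]:
    """Sorted names of direct subdirectories of root that belong to machine accounts.
    Symlinks are skipped so a stray link cannot redirect a later removal outside
    the home tree."""
    found = []
    with os.scandir(root) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False) and is_machine_account_home(entry.name):
                found.append(entry.name)
    return sorted(found)


def cleanup(root: str, dry_run: bool = True) -> Tuple[List[str], List[str]]:
    """Return (removed, skipped). Only empty directories are removed, since that is
    what provisioning creates; a non-empty one is skipped for manual review.
    With dry_run=True nothing is deleted, but the lists are the same."""
    removed, skipped = [], []
    for name in find_machine_account_homes(root):
        path = os.path.join(root, name)
        if os.listdir(path):
            skipped.append(name)
            continue
        if not dry_run:
            os.rmdir(path)
        removed.append(name)
    return removed, skipped


def demo() -> Tuple[Tuple[List[str], List[str]], Tuple[List[str], List[str]], List[str]]:
    """Build a constructed home tree, run a dry run, then a real run, and report
    what is left. Names are made up for the example."""
    root = tempfile.mkdtemp(prefix="homes-")
    try:
        for name in ("jdoe", "asmith", "computer-01$", "klionsky-popelk$", "dollar$user"):
            os.mkdir(os.path.join(root, name))
        # A computer-account folder that someone has since put data into: must be skipped.
        with open(os.path.join(root, "klionsky-popelk$", "keep.txt"), "w") as fh:
            fh.write("data\n")
        # A symlink named like a machine account pointing at a real user's home.
        os.symlink(os.path.join(root, "jdoe"), os.path.join(root, "oldhost$"))
        dry = cleanup(root, dry_run=True)
        real = cleanup(root, dry_run=False)
        remaining = sorted(os.listdir(root))
    finally:
        shutil.rmtree(root)
    return dry, real, remaining


if __name__ == "__main__":
    print(demo())
```

Run it against the real share root with `dry_run=True` first and compare the reported list with `isi` output for the affected accounts before switching to a real run.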
What's your OneFS version?
Also I'm assuming Active Directory?
How is the SMB share configured? Could you share a screenshot for the expansion parameters and such?
OneFS Version: 18.104.22.168 (will be updated to OneFS Version: 22.214.171.124 later this week)
Yes we're using Active Directory.
SMB share configured in AD:
SMB share config:
I don't like working with deny rules, but:
if the computer accounts don't have to connect to the share, I would set up a deny rule for Domain\computers on the home share.
Furthermore, I would not configure "Everyone" but "Authenticated Users" (if you are in an Active Directory integrated environment).
Please be aware that deny rules (and ACLs on the share) are against best practices, which say to use whitelisting and NTFS ACLs on the folders rather than on the share.
Thanks for the ideas!! Just curious why you recommend using "Authenticated Users" over "Everyone" for the share. Aren't the permissions all controlled by the ACLs anyway? Just curious...
You are right.
To be honest, I never thought that far; I always put Authenticated Users as being the "more secure" configuration which still doesn't create any problems no matter which authenticated account tries to connect. I don't have any reasons why share Everyone / ACL Authenticated Users could be less secure than share Authenticated Users / ACL Authenticated Users.
Reasons to choose Authenticated Users over Everyone could be:
* I never have to think about the context where I am. I can configure Authenticated Users at share level and at top-folder level (i.e. share "Homes" and "/ifs/cluster-a/homes/" can have the same permissions).
* I am sure, if someone cracks the ACL, that there is a "minimum protection" on the share level and it is not open to "Everyone".
After doing some research: they removed the unauthenticated users from Everyone in Windows Server 2003, so even this group should be okay in an AD environment.
So I still would prefer Authenticated Users over Everyone, but just because I'm used to it and it would be work to do it another way.
Unfortunately the deny did not work. Another home directory for a computer account was created yesterday. Here are the details of the directory and the share permissions I set up:
LBOX-1# id klionsky-popelk$
uid=1000087(klionsky-popelk$) gid=1000050(domain computers) groups=1000050(domain computers)
LBOX-1# ls -ld /ifs/lsi/adenosine/Homes/klionsky-popelk$
drwx------ 2 klionsky-popelk$ domain computers 0B May 22 15:21 /ifs/lsi/adenosine/Homes/klionsky-popelk$
LBOX-1# isi smb shares permission view --share=Home --zone=lbox-zone --group="Domain Computers"
Account: domain computers
Account Type: group
Run as Root: False
Permission Type: deny
This didn't work. We are also trying this with a new Isilon, and NTFS deny or read-only on the share permissions doesn't seem to matter; it keeps creating the computername$ folders.