[Pkg-samba-maint] home shares enabled by default?

[Steve Langasek]

Hi folks,

One of the few remaining diffs between the Debian and Ubuntu Samba packages
is that Debian is enabling the [homes] shares by default (now with the more
secure "valid users = %S" option), and Ubuntu is not.

In https://launchpad.net/bugs/27608, security is one of the issues
contributing to Ubuntu disabling [homes] by default, but there are others.
First, using the [homes] shares prevents statically defining any shares
which match the name of a user, because the [homes] shares will take
precedence.  Second, user confusion (heh) may result from these being shared
by default, since home directories are *not* shared by default on Windows.

I think the first issue should be regarded as a bug in Samba regardless and
should be fixed; the only sensible precedence order is for
statically-defined shares in smb.conf to take precedence over autoshares.
(net usershares are another matter...)

But what about the second point?  I've always thought it useful to share
homedirs by default, but I can appreciate that some people disagree; among
other things it provides a method for a remote attacker to verify account
names on the system (NT_STATUS_ACCESS_DENIED vs.
NT_STATUS_BAD_NETWORK_NAME), and it may be that users don't really want
their home directory shared by default over CIFS even when successful
password authentication as the user is required.

Would it be appropriate to comment out the [homes] shares to match the
Windows default behavior, or do you guys think that the Samba upstream
behavior is correct?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org