Accessing multiple volumes with different rights

Trautenberg Elmar Elmar.Trautenberg at erls.siemens.de
Wed Jun 2 09:14:51 GMT 1999


For the following problem we did not find a solution in the samba
documentation:

There are two groups of PC users with NT 4, NT_USER_i and HP_USER_i:

                NT side                                             UNIX side (HPUX) smb.conf
----------------------------------------------------------------------------------------------

NT_USER_1  )
...        )  X: ==> //unix_host/basedir_NT/                        [NT_USER_DISK]
NT_USER_n  )

HP_USER_1  )  X: ==> //unix_host/basedir_NT/                        [NT_USER_DISK]
HP_USER_i  )  U: ==> //unix_host/home/HP_USER_i (i=1..m)            [HOMES]
HP_USER_m  )


1) 
A group of PC users with NT, called 'NT_USER', has to connect -- using samba
--  to a commonly shared directory tree '//unix_host/basedir_NT' on the UNIX
machine with full rights for reading and writing on this directory tree. But
they MUST NOT have any rights anywhere else on the UNIX machine. The
authentication should be done by the NT side, so that these users need not
set or know any password on the samba side. They are pure NT users and do
not have any knowledge about UNIX or samba. They only want to connect e.g.
"X: ---> //unix_host/basedir_NT" on the NT side and access the X:-drive the
same as a conventional NT drive.
For this group of users, samba and UNIX act as a simple NT file server.
There are no problems to configure samba to achieve this goal.

2) 
A second group of users, called 'HP_USER', are NT users plus UNIX users with
their individual UNIX accounts. These people want to access samba twice.
On the one hand, they want to access the shared directory tree
'//unix_host/basedir_NT' in exactly the same manner as the first group of NT
users. It is essential that both groups of users can share identical
pathnames on the NT side, e.g. X:\... .
On the other hand, these people have their own individual home directories
on the UNIX side and want to access their UNIX files from the NT side too.
In addition to the general samba connection "X: ---> //unix_host/basedir_NT"
each member <xyz> of this 'HP_USER' group needs a further samba connection
similar to "U: --> //unix_host/home/<xyz>" with his individual rights on his
home directory tree. 
It should be emphasized that the unix host is identical for
'//unix_host/basedir_NT' and for '//unix_host/home/<xyz>'.
And now the problems are beginning.

It seems that the authentication scheme must be identical for all samba
connections. If we have to choose NT based authentication for the first
group, the 'NT_USER' group, we have to choose this scheme for the 'HP_USER'
group too. Let us now consider the user <xyz> from the group 'HP_USER'. His
NT account might be <xyz_NT>. If he requests a samba connection, then he
connects for both X: and U: always to the same UNIX directory
//unix_host/basedir_NT or -- depending on the samba set up in smb.conf --
//unix_host/home/<xyz>, but never simultaneously to both.

As far as we understand the problem, using NT authentication, a single NT
user can be mapped only to a single UNIX user and he is mapped to the first
one samba finds in the file smb.conf. And this single UNIX user determines
the UNIX directory which is connected to NT. If our assumption is right, it
would be a solution for our problem, if we could set -- as it is now --
globally security=domain for the share [NT_USER_DISK] but override this
setting locally in the [HOMES] part of smb.conf to security=user. But this
seems not to work.

Can anybody give us a hint how to solve the problem?

Thanks and best regards,

Elmar Trautenberg

____________________      
                                       
        Dr. Elmar Trautenberg
        SIEMENS ZT EN 4
           Postfach 3220, D-91050 Erlangen
           Telefon              +49 9131 7 21779
           Telefax              +49 9131 7 21339

Mailto: Elmar.Trautenberg at ErlS.Siemens.De

        


