[Samba] Restricting file server access by group

Alex McKenzie alex at chem.umass.edu
Tue May 18 13:12:14 MDT 2010



Thanks -- the first two were useful, but only blocked samba.  Which, to
be fair, is all I asked about.

Here's a third option, which will also block PAM:

In ldap.conf (on my system, running Ubuntu 8.04 LTS Server), modify the
following two lines:

1) pam_groupdn (group)

  In my case, this becomes:
pam_groupdn cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns

2)  pam_member_attribute (attribute)

In my case, it becomes:
pam_member_attribute memberUid

At that point attempts to log in with an LDAP user who isn't part of the
group returns:

You must be a memberUid of cn=schnell,ou=Biochemistry
groups,ou=Biochemistry,dc=cns to login.
Connection closed by 172.30.35.146


Samba returns that it cannot mount the share, or that the uid/password
combination is wrong.

In any case, I'm putting this up in case anyone else has seen the same
problem... I'd still like a way to restrict to multiple groups, but this
works for what I need now.

Thanks for all the help!

-Alex

tms3 at tms3.com wrote:
> 
> 
> 
> On Tuesday 18/05/2010 at 8:46 am, Alex McKenzie wrote:
> This is for the same file server I wrote about earlier.
> 
> I would like to restrict access by group, as defined in LDAP. 
>> Two ways.
> 
>> 1) First is at the share level, which is controlled by smb.conf and is
>> fairly similar to permissions on a share in Window$.
> 
>> man smb.conf
> 
>> "To restrict a service to a particular set of users you can use the
>>            valid users parameter.
> 
>>            If any of the usernames begin with a '@' then the name will be
>>            looked up first in the NIS netgroups list (if Samba is compiled
>>            with netgroup support), followed by a lookup in the UNIX groups
>>            database and will expand to a list of all users in the group of
>>            that name."
> 
>> Works with groups in ldap, if your posix box is setup correctly.
> 
>> 2a)  The second is to enable acls on your posix file system.  If so, you
>> can use a Window$ workstation and the Administrator account to write M$
>> file permissions to the directories in the share. 
> 
>> 2b)  Or if it is a very simple set up, merely use standard posix file
>> and directory permissions.  For instance, say the samba share is
>> \\servername\chemlab  and the posix path is /usr/home/samba/chemlab, 
>> you could then simply do
> 
>> chgrp -R CHEMLABGROUP /usr/home/samba/chemlab  and chmod it to your
>> liking.  (Where CHEMLABGROUP is a samba ldap group).
> The
> obvious solution is to add a filter to the login LDAP search that
> restricts to gidNumber=10038 or 10001, since those are the groups I
> need. From what I'm seeing, I need to add that to /etc/ldap.conf in the
> nss_base_ section, but how to do it isn't clear.
> 
> Do I just enter it as a standard LDAP filter? In this case, I think I'd
> want (|(gidNumber=10038)(gidNumber=10001)), but the syntax really isn't
> clear from the file. Would it just be
> 
> nss_base_passwd (|(gidNumber=10038)(gidNumber=10001))?one
> 
> 
> That's what it looks like, anyway... if anyone can give me an answer,
> or at least point me towards a good source of documentation on this, I'd
> appreciate it.
> 
> Thanks,
> Alex McKenzie
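Worked example of the first approach from the quoted reply, share-level restriction with smb.conf's valid users, written up as an added illustration; it is not configuration from the original post or from the Samba project. The share name (chemlab), the path, the group names (schnell, biochem-staff) and the workgroup are hypothetical. It also covers the multiple-groups case asked about at the end of the message, since valid users accepts a list:

```ini
; Added example, not from the original post. Names and path are hypothetical.
[global]
    workgroup = CHEM
    security = user
    ; The groups below must resolve through NSS (nss_ldap on the box in the
    ; thread). Sanity check before trusting the share:  getent group schnell

[chemlab]
    path = /usr/home/samba/chemlab
    comment = Chem lab data, members of schnell or biochem-staff only
    browseable = yes
    read only = no
    ; '@group' is looked up in NIS netgroups first (if compiled in), then in
    ; the UNIX group database; '+group' forces a UNIX group lookup only.
    ; Listing several groups restricts the share to the union of their members.
    valid users = +schnell +biochem-staff
    ; Keep everything created through the share owned by one group so the
    ; POSIX permissions on disk stay consistent with the share restriction.
    force group = schnell
    create mask = 0660
    directory mask = 2770
```

Check the result with `testparm -s` (syntax and effective parameters) and by connecting as a user outside both groups, which should be refused at tree connect rather than at file access. As the message points out, this only governs SMB access; an LDAP user outside the groups can still log in over SSH unless PAM is restricted as well, which is what the pam_groupdn and pam_member_attribute settings in ldap.conf achieve.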
