NT Group auth for limited areas

Daniel Fonseca daniel at med.up.pt
Fri Mar 5 18:29:44 GMT 1999

On Sat, 6 Mar 1999, Brandon Gillespie wrote:

> Hello, we use Samba on our HP servers here at Iomega, and I am trying
> to integrate it with our NT network a little better.  I have it as a
> NT Domain member, and it is doing user authorization just fine.  But
> we have about six different areas used in our production environment
> where people push files onto the HP server from their windows machines
> (through Samba) and oracle picks up the files and does its thing.
> There is already seperate NT Groups for these areas, and I would
> simply like to limit the areas by NT Group, *exactly* like you do a
> unix group.  Is this in the future plans?  I was hoping when I saw
> 'domain groups' that it had to do with this, but a scan of the source
> doesn't seem to say that is what it is for.

I thought I'd share one of my solutions towards this intricate problem
onto this list.

In fact, sharing files (for both reading and writing) amongst some more
than 2/3 users is a complicated task, just out-of-the-box.

The main dificulty resided in the fact that, even if one gave permissions
for a set of users, them writing on the disk would make files owned by
them, and the only solution would be to change the default umask for group
write permissions (and/or having directories with the sgid bit set) and
having one group for each set/pair of users plus dirs, making it rather
large and complicated to maintain (believe me, I tried :-), plus the fact
that when you create a directory, no setgid is maintained, etc.

After some thinking, I came to a set of settings which work in providing
just the sort of thing I needed.

All things show best with an example so, straight away for a smb.conf snip
and some comments:


   comment = Shared map
   path = /path_to_shared_tree
   valid users = user1 user2 ...
   browseable = no
   guest ok = no
   force user = original_user
   force group = group_of_original_user
   writable = yes


So in this way what happens is that user writing problem is solved because
all connections are internaly (Linux side, in this case, I mean) made by
the same fixed user. All auth's still apply because before the "valid
users" you have to effectively authenticate yourself and samba only
permits connections from authorized/valid'ed users - you can even twist
this to a group of users, naturally! (putting @group in valid users - see
man page) or a group less some users with "invalid users" also used.
You can also override any home share - just place it before the global
[HOMES] share.

Okay, that's it! If anyone has at least been amused by this little thingie
I'm already glad or if you've thought of it before, well good for you!

Any suggestions are always, of course, welcomed, no flames, please.

Hope to help,

Daniel Fonseca

More information about the samba-ntdom mailing list