security = domain

Charles Crawford ccrawford at atsengineers.com
Tue Aug 29 17:22:12 GMT 2000


Well, now that I've got this working, I'd like to know why this is so...

Here's how I've got the share set up...

First, I had the share set up with 'write list = @admin' with no 'valid
users = @admin'... This gave everyone READ/WRITE/EXECUTE permission for the
directory. Then, I added the 'valid users = @admin' and then everyone except
members of the group 'admin' was denied access to the share (all
permissions, could not even view the share).

Finally, I added the parameter 'read list = @users', and voila, everyone can
read the share, but not write to it. The only people that can now write to
the share are members of the group 'admin'.

So, why is this like this? If 'write list = @admin' is set, why would it
allow anyone to write to the share unless 'read list = @users' is also set?

Thanks,

CC

-----Original Message-----
From: Kevin Colby [mailto:kevinc at grainsystems.com]
Sent: Monday, August 28, 2000 6:33 PM
To: Charles Crawford
Cc: samba-ntdom at samba.org
Subject: Re: security = domain



If these groups (admin & users) exist as Unix groups,
you can use the underlying filesystem permissions
to accomplish this.  Simply set the valid users to
"users" in the smb.conf, the unix group on the
directory to "admin", and then group-write permissions
on the directory at the Unix level will do nicely.

You may need to watch the "inherit permissions",
though.  Will this need to be set or is this the default?

	- Kevin Colby
	  kevinc at grainsystems.com


Charles Crawford wrote:
> 
> Ok,
> 
> after examining the smb.conf file, I found out why everyone had access to
> the share, but not why it is behaving the way it is.
> 
> I want everyone in group 'users' to be able to view the directory
> contents, but only those in group 'admin' to be able to write to it.
> 
> First, I set up the groups. Next, I put 'write list = @admin' in the
> /etc/smb.conf file. This did not restrict the writers, however, and I have
> therefore had to use 'valid users = @admin' which prevents everyone else
> from being able to view it.
> 
> Any suggestions?
> 
> Thanks in advance...
> 
> CC
> -----Original Message-----
> From: Nick Austin [mailto:nick at digitalpipe.net]
> Sent: Monday, August 28, 2000 2:25 PM
> To: Charles Crawford
> Cc: Samba-Ntdom
> Subject: Re: security = domain
> 
> This is information taken from the FAQ at
> http://us4.samba.org/samba/docs/ntdom_faq/page6.html
> 
> "... to create accounts for all your NT users in /etc/passwd on the unix
> box. There are some scripts available to help in the migration. These perl
> scripts are available for download from the /pub/samba/contributed
> directory in one of the Samba ftp mirrors.  The tarball is named
> domain_member_scripts.tar.gz. "
> 
> "Accounts created on the unix box are only used to get a valid uid.  They
> are not used for validation.  You can therefore set the password field to
> whatever lock string for your system is. Under most ( if not all )
> versions of unix this is the '*' character.  Here is an example
> /etc/passwd entry.
> 
>                 jdoe:*:1124:100:NT Dummy account:/dev/null:/bin/False
> 
> Once you get to here, you should now be able to mount shares from the
> samba server using valid domain accounts."
> 
> The conversion scripts will help you with the groups as well.
> 
> Hope this helps!
> 
> On Mon, 28 Aug 2000 12:06:08 -0400, Charles Crawford said:
> 
> > Hi,
> >
> >  I have Samba set for security = domain, with the domain controller
> >  being an NT server. I need to know
> >  how the groups are handled through Samba. Does the group concept even
> >  apply when using security = domain?
> >
> >  How do I restrict which users have access to the resources?
> >
> >  Thanks,
> >
> >  CC
> >
> 
> -----
> Nick Austin              Systems Administrator
> <nick at digitalpipe.net>  Digital Pipe Communications, Inc.
> Phone: 650-627-5100x5224
> Fax: 650-212-2301
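
The behaviour asked about at the top of this message, as an added example
that is not part of the original thread: a simplified Python model of how
'valid users', 'read list', 'write list' and 'read only' combine, following
the smb.conf manual's description of those parameters. It assumes the share
also had 'read only = no' (or 'writable = yes') and that 'valid users' no
longer excluded group 'users' in the final step; the users alice and bob are
constructed.

```python
# Simplified model of how smb.conf share parameters combine (added example).
# Constructed membership: alice is in 'admin' and 'users', bob only in 'users'.
GROUPS = {"admin": {"alice"}, "users": {"alice", "bob"}}

def in_list(user, entries):
    """True if user matches a plain name or an @group entry in the list."""
    for entry in entries:
        if entry.startswith("@"):
            if user in GROUPS.get(entry[1:], set()):
                return True
        elif entry == user:
            return True
    return False

def access(user, share):
    """Return 'deny', 'read' or 'write' for user on a share definition."""
    if in_list(user, share.get("invalid users", [])):
        return "deny"                             # invalid users always wins
    valid = share.get("valid users", [])
    if valid and not in_list(user, valid):        # empty list: anyone connects
        return "deny"
    writable = not share.get("read only", True)   # Samba default: read only = yes
    if in_list(user, share.get("read list", [])):
        writable = False                          # read list forces read-only
    if in_list(user, share.get("write list", [])):
        writable = True                           # write list beats read list
    return "write" if writable else "read"

# Assumption: the share is writable, so 'write list' alone restricts nothing.
step1 = {"read only": False, "write list": ["@admin"]}
step2 = dict(step1, **{"valid users": ["@admin"]})
# Assumption: 'valid users' does not exclude group 'users' in this step.
step3 = dict(step1, **{"read list": ["@users"]})
# Same outcome as step3 using the default 'read only = yes' and no read list.
alt = {"write list": ["@admin"]}

def report():
    shares = (("step1", step1), ("step2", step2), ("step3", step3), ("alt", alt))
    return {name: {u: access(u, s) for u in ("alice", "bob")}
            for name, s in shares}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

In this model 'write list' only grants write access to users who would
otherwise be read-only, so on a writable share it changes nothing until
'read list' (or 'read only = yes') takes write access away from everyone else.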



