security=server and need to have users at linux too

Mark Hazen mhazen at franklin.uga.edu
Wed Aug 12 13:22:33 GMT 1998


> From: Harald Schmidt <harald-s at gmx.net>
> Subject: security=server and need to have users at linux too
> .... 
> The real problem is, that I don't like the idea to create 200+ user accounts
> on the linuxbox. Is there any way to solve this problem?

Well, you have two options:

Option the Worst:
--
Create a publicly accessible share that has guest or public privileges.
You can restrict this by IP address or domain wildcards (see the man page
on smb.conf, look for the sections on 'public', 'guest', 'allow hosts',
and 'deny hosts').

This is what is referred to, in technical terms, as "possibly a really bad
idea". It means that a) there's zip accountability for anyone on your
network (other than the fact that you know whoever did something on the
machine was somewhere in the building), especially since created files and
logged actions will all belong to whatever the guest account on your
machine happens to be, and b) everyone will have access to everything
which everyone else is doing. *EVERYTHING*. 

Now, if you're talking about a read-only share, that's a possibly valid
use. We use something similar on our network, for installation images of
patches, fixes, and drivers. But still, in order to get there, someone at
the very least has to be able to authenticate to the machine, even if they
have access to a vast public area.

If you had four users in a tightly controlled workgroup it would be one
thing, and I might be able to justify doing something like that, but I
wouldn't trust a random group of 200 people to park my car, and I sure as
hell wouldn't give 'em filespace on my servers. Remember that you will be
the one held accountable if someone else does something stupid on your
machine, and you can't pinpoint whodunnit with a high degree of certainty.

I'm all for drop boxes and things like that, but I'm also very cautious
about who I'd be willing to allow 'unquestioned' access to a machine.

Okay, enough harping from me about system security... :-)  Your second
option:

Option the Better:
--

Write a little shell script or Perl script that generates your user
accounts from a file listing the user names and IDs, so that you can have
the box do the dirty work of creating the accounts for you. Set up your
accounts, set up your shares, and go. :-)  I like this better, even if
there is a public space, simply because I can look at a filelist and tell
who owns what, who did what, and each user can be individually logged.... 
so if something suddenly goes awry, I can track the problem. 

Hope this helps. There's an excellent book on Samba written by one of the
team members (John D. Blair, hiya John, where's my $10 for plugging your
book on the list now? ::grin::) called SAMBA: Integrating Windows and
Unix. It talks about restricting access in plain English, and I highly
recommend it to anyone maintaining SAMBA. It's a gem, and one of the few
books I will recommend without hesitation that didn't come from O'Reilly
(who, in all fairness, have put a couple of doggish books out in the past
couple of years, but that's another message).

Regards,

 -mh.
----
   . _+m"m+_"+_   Mark Hazen    Network Administrator, Dean's Office
 d' Jp     qh qh             The Franklin College of Arts & Sciences
Jp  O       O  O             The University of Georgia (706)542-1546
Yb  Yb     dY dY
 O   "Y5m2Y"  "     even the mightiest wave starts out as a ripple.
  "Y_           why make waves when it's easier to nurture ripples?
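The account-generating script from "Option the Better", written out as an added example (it is not from Mark's post or from the Samba project). The list format name:uid:full name, the uid floor of 1000 and the useradd options are assumptions; the script only prints the commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example (not from the original post): turn a user list into
# account-creation commands. Assumed list format: one "name:uid:full name"
# per line. Output is printed, not executed, so an admin can review it first.

# gen_account_cmds FILE
# Prints one useradd line per valid entry; returns 1 if any entry was rejected.
gen_account_cmds() {
    status=0
    while IFS=: read -r name uid gecos; do
        case "$name" in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        # Username: lowercase letter first, then letters/digits/_/-, max 32 chars.
        # Rejecting a leading '-' keeps a list entry from being parsed as an option.
        if ! printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9_-]{0,31}$'; then
            printf 'skipping invalid username: %s\n' "$name" >&2
            status=1; continue
        fi
        # UID: digits only and >= 1000 (assumed floor), so nothing collides with system accounts.
        case "$uid" in
            ''|*[!0-9]*) printf 'skipping %s: bad uid "%s"\n' "$name" "$uid" >&2
                         status=1; continue ;;
        esac
        if [ "$uid" -lt 1000 ]; then
            printf 'skipping %s: uid %s is reserved\n' "$name" "$uid" >&2
            status=1; continue
        fi
        # GECOS: restrict to a safe character set so it can be quoted verbatim.
        if ! printf '%s\n' "$gecos" | grep -Eq '^[A-Za-z0-9 .,-]*$'; then
            printf 'skipping %s: unsafe characters in name field\n' "$name" >&2
            status=1; continue
        fi
        # No login shell: these are file-share accounts, not interactive logins.
        printf "useradd -u %s -c '%s' -s /sbin/nologin -m %s\n" "$uid" "$gecos" "$name"
    done < "$1"
    return $status
}

# Constructed sample list for demonstration; two entries are deliberately bad.
USERLIST=$(mktemp)
cat > "$USERLIST" <<'EOF'
# name:uid:full name
hschmidt:2001:Harald Schmidt
mhazen:2002:Mark Hazen
-r:2003:Bad Entry
root:0:Superuser
EOF
gen_account_cmds "$USERLIST" || echo 'some entries were rejected, see messages above' >&2
```

Each rejected line is reported on stderr with the reason, so a bad entry in a 200-user list is caught before any account exists.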


