Subject: smb.conf information request

Jim Mulholland jim.mulholland at peri.com
Fri Jan 8 17:04:27 GMT 1999


l.arzeni at pride.it wrote:

> Date: Thu, 7 Jan 1999 18:52:44 +0100
> From: "Luca Arzeni" <l.arzeni at pride.it>
> To: "Multiple recipients of list" <samba at samba.anu.edu.au>
> Subject: smb.conf information request
> Message-ID: <000d01be3a66$87292b50$8e04010a at c97_124.primi.pride.it>
>
> Hi there,
>
> ENVIRONMENT: server: HP-UX11.0, clients: WinNT 4.0 SP3 or SP4
>
> I'm trying to install SAMBA on our HP-UX server. I have many PCs acting as
> clients and I would like to share their home dirs on the server. I would
> like to allow each guy to have Read/Write access in his home dir, and
> Read only in other guys' home dirs. I've tried modifying the default
> smb.conf files, but there are troubles: if I try to share a dir, all guys
> can write on all dirs, otherwise no one is able to write in any dir. Also, it
> seems that if a guy logs into the server with a username, he can't connect
> another dir using another username (You know, NT asks for the name to be used for
> a connection).
>
> Is there anyone who has a simple file that I can modify for my purposes?
>
> Yours faithfully, Luca Arzeni
>
> Ing. Luca Arzeni
> Pride S.P.A.
> Via Cechov 48/50
> 20151 Milano
> Tel. 02 30012526
> Mob. 0347 6161545
> mail to: l.arzeni at pride.it
>

Simple file no - but this will work ;)

ENVIRONMENT: samba servers: Sun 5.4, 5.5.1, 2.6, 2.7, clients: Win95, WinNT 4.0 SP3 or SP4, Sun 5.4, 5.5.1,
2.6, 2.7, Linux Debian or RedHat

What follows describes how to implement a secure ("deny unless granted")
and very flexible technique called the gatekeeper security model. The lower
directories within a directory tree (i.e. /home/*) are used as a padlocked gate to
deny unwanted users access to the files within. Once a user is allowed past
the 'gate' directory they can read and/or write to the files contained within. With
very few minor modifications this technique can adapt to meet all individual, team,
workgroup, departmental, and organizational file storage and sharing requirements.
This technique scales very well and has been used in large multi-national
Fortune 500 companies. I have yet to find a business model that it cannot adapt to.

The only issue is that we must manually maintain/sync Unix passwords,
groups, netgroups, and NT passwords. No big deal. Be sure that both the Unix
username and the NT login name are the same, e.g. Joe Doe = jdoe.

First we start by setting up three directory types: one for private data (the user
home directory), a directory for groups to share data (controlled by /etc/group or
NIS/NIS+ netgroups), and a public access directory. Gently but firmly see if you
can coax your users into using this layout. It is the preferred security model.

Unix file system configuration:

  Permissions on individual users' HOME directories should be set to 700 (chmod 700)

  Create the other directories with the following script:

     #!/bin/sh
     # Build the group and public gate directories under $PCHOME.
     # Run as root; the groups listed below must already exist in
     # /etc/group (or in the NIS/NIS+ netgroup map) or chgrp will fail.
     set -e
     PCHOME=/home

     mkdir "$PCHOME/groups"
     chmod 755 "$PCHOME/groups"
     # customize as needed to match groups or netgroups
     for i in prog rnd sales tech sysadmin
     do
       mkdir "$PCHOME/groups/$i"
       chgrp "$i" "$PCHOME/groups/$i"
       # the gate: only members of group $i can pass through this directory
       chmod 770 "$PCHOME/groups/$i"
     done

     mkdir "$PCHOME/public"
     # world-writable; without the sticky bit (1777) any user may remove another's files here
     chmod 777 "$PCHOME/public"
     # end script


Samba (1.9.18p10) configuration information:

;=== Global Settings ===
...
; Only allow your selected networks and hosts access
; modify these as needed
allow hosts = 10.10.60., 10.10.61.
...
;Make WinTel NT/95 Passwords NT's problem
security = server
encrypt passwords = yes
password server = name_of_your_PDC_goes_here
...
;=== Share Definitions ===
     [pchome]
        comment = users home directories
        path = /home
        browseable = yes
        public = no
        writable = yes
        printable = no
        directory mask = 755
        create mask = 0644
        force directory mode = 755
        force create mode = 644

     [groups]
        comment = group specific shares
        path = /home/groups
        browseable = yes
        public = no
        writable = yes
        printable = no
        create mask = 660
        force directory mode = 775
        force create mode = 664

     [public]
        comment = Public Stuff
        path = /home/public
        public = yes
        writable = yes
        printable = no
        create mask = 666
        force directory mode = 777
        force create mode = 666

     [homes]
        comment = Home Directory
        path = /home/%u
        browseable = no
        writeable = yes
        valid users = %S


If your users will not adapt then be sure to warn management about the security implications. Specifically:
there will not be any private files on the server. I would do this by email so that there is a written
record. Then do the following :(

     Reset the individual users' home directories to 'chmod 750'

Note that there are no changes to the smb.conf file. Also, 6 months down the line, when management
discovers exactly what the implications of relaxed security are, you will be in good shape to fix it :)


- Jim Mulholland
   Principal Systems Administrator
   Periphonics Corporation
   jim.mulholland at peri.com
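The following is an added example, not code from Jim's message or from the Samba project. It models the kernel's permission check (for a non-root user, no ACLs) over the /home layout described above, so you can see why the 'gate' directory mode decides everything: a 644 file behind a 700 home directory is unreachable to anyone but the owner, while the chmod 750 fallback turns it into read-only for other staff. The users jdoe and asmith, their groups, the shared 'users' group and the file names are constructed sample data; the file modes (644, 664, 666) are the ones the force create mode lines in the smb.conf above would produce.

```python
#!/usr/bin/env python3
"""Walk the gatekeeper layout the way the kernel evaluates mode bits.

Added example, not from the original post. Models a non-root user (root
bypasses mode bits) on a filesystem without ACLs, mirroring the tree the
post builds: /home/<user> as the private gate, /home/groups/<g> as the
group gate (770), /home/public world-writable (777). Users, groups and
file names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o700


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # primary plus supplementary groups


# Constructed sample accounts. Both share the 'users' group (an assumption);
# that shared group is what makes chmod 750 on home dirs read-only to other
# staff rather than fully closed.
USERS = {
    "jdoe": User("jdoe", frozenset({"users", "prog"})),
    "asmith": User("asmith", frozenset({"users", "sales"})),
}

FILES = [
    "/home/jdoe/notes.txt",
    "/home/asmith/forecast.xls",
    "/home/groups/prog/build.log",
    "/home/public/readme.txt",
]


def build_tree(home_mode):
    """{path: Entry} for the post's layout with home dirs at home_mode
    (0o700 = private, 0o750 = the relaxed fallback)."""
    return {
        "/home": Entry("root", "root", 0o755),
        "/home/jdoe": Entry("jdoe", "users", home_mode),
        "/home/jdoe/notes.txt": Entry("jdoe", "users", 0o644),
        "/home/asmith": Entry("asmith", "users", home_mode),
        "/home/asmith/forecast.xls": Entry("asmith", "users", 0o644),
        "/home/groups": Entry("root", "root", 0o755),
        "/home/groups/prog": Entry("root", "prog", 0o770),
        "/home/groups/prog/build.log": Entry("jdoe", "prog", 0o664),
        "/home/public": Entry("root", "root", 0o777),
        "/home/public/readme.txt": Entry("asmith", "users", 0o666),
    }


def bits_for(entry, user):
    """Pick the owner, group or other triplet that applies to user.
    As in the kernel, the first matching class wins."""
    if user.name == entry.owner:
        return (entry.mode >> 6) & 7
    if entry.group in user.groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def can(tree, user, path, want):
    """True if user may do want ('r', 'w' or 'x') on path.

    Every ancestor directory must grant search (x) to the user; that is the
    padlock on the gate. Only the final component is checked for want."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        gate = "/" + "/".join(parts[:i])
        if not bits_for(tree[gate], user) & 1:
            return False
    mask = {"r": 4, "w": 2, "x": 1}[want]
    return bool(bits_for(tree[path], user) & mask)


def access_matrix(home_mode):
    """{(user, file): 'rw' | 'r-' | '--'} for every sample user and file."""
    tree = build_tree(home_mode)
    matrix = {}
    for user in USERS.values():
        for path in FILES:
            r = "r" if can(tree, user, path, "r") else "-"
            w = "w" if can(tree, user, path, "w") else "-"
            matrix[(user.name, path)] = r + w
    return matrix


if __name__ == "__main__":
    for mode in (0o700, 0o750):
        print(f"home directories chmod {mode:o}:")
        for (who, path), acc in sorted(access_matrix(mode).items()):
            print(f"  {who:7} {acc}  {path}")
```

Run it and compare the two tables: with 700 the only change between the private and relaxed layouts is the single mode bit on the home directory, yet it flips every other user's access to the files inside from "--" to "r-". The smbd layer cannot reopen a gate the filesystem has closed, which is why the smb.conf above needs no changes when the home directory mode is relaxed or tightened.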
