[Samba] SAMBA PDC permissions quandary
A Cline
acline27 at hotmail.com
Tue Feb 4 16:39:44 GMT 2003
Hello all:
I have a Samba PDC (Samba 2.2.3) on RedHat 7.3 currently serving about 40 to
50 clients with the intent of adding another 60 to 70 in the coming weeks.
Everything is working decently well. I do have one problem that I am
concerned about though.
I have had to make many users Admin users so that a certain application can
run. This does not concern me so much except for where data is concerned.
I have several high priority users putting data in their Home directory so
that it can be backed up on the server. I have discovered that even though
these directories are not browsable, anyone who is in the smbadmins group
can type //crhpdc/username in Start>Run and have full access to the person's
home directory. I am stuck here as to how to fix this.
[homes]
comment = Home Directories
; NOTE(review): "browseable = no" only hides the share from browse lists; it
; does not restrict who may connect to \\server\username directly.
browseable = no
writable = yes
; NOTE(review): "admin users" makes every listed user perform all file
; operations on the share as root, regardless of Unix file permissions.
; On [homes] that gives each member of smbadmins full access to every user's
; home directory, which matches the behaviour described above. Removing this
; line (and optionally adding "valid users = %S") confines each home share to
; its owner.
admin users = @smbadmins
[profiles]
path = /home/samba/profiles
; NOTE(review): guest ok allows connections without a password (mapped to the
; guest account). With "read only = no", protection of the roaming profiles
; then rests only on the Unix permissions under this path.
guest ok = yes
browseable = no
read only = no
; Caps permissions of newly created files at 0600 and directories at 0700
; (owner only).
create mask = 0600
directory mask = 0700
; NOTE(review): turns off share-mode (deny-mode) handling between clients; the
; smb.conf documentation advises against disabling it. Confirm it is needed.
share modes = no
So really I am looking for the answer to two questions.
1. How can I have Administrators that have all the power on the local
machine, but normal user power on the server?
2. How can I set up "Power Users" so that people can run this
piece of software that is giving me problems without being Administrators?
Any help will be most appreciated.
Full SMB.CONF follows.
A Cline
[global]
;basic server settings
workgroup = CRHDOM
netbios name = CRHPDC
server string = Cushing PDC
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
; Unix account used for guest connections to shares that set "guest ok = yes".
guest account = nobody
;Standard printing settings
printing = BSD
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
min print space = 2000
;PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes
;Security and Logging Settings
security = user
encrypt passwords = yes
#update encrypted = yes
; NOTE(review): passwd chat debug writes the password-change dialogue,
; including plaintext passwords, to the smbd log at debug level 100. At
; "log level = 2" it stays silent, but it is intended for debugging only and
; is safer switched off.
passwd chat debug = yes
domain logons = yes
; One log file per client machine name (%m).
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
; Only loopback and the 172.29.56.0/255.255.252.0 network may connect.
hosts allow = 127.0.0.1 172.29.56.0/255.255.252.0
;User profiles and home directory
#logon home = \\%L\%U\.profile
logon drive = R:
logon path = \\%L\profiles\%U
logon script = %U.bat
; NOTE(review): the next three lines appear to be a single "add user script"
; setting wrapped by the mail client; in smb.conf it belongs on one line.
; smbd runs this script as root.
add user script = /usr/sbin/useradd -d /dev/null -g smbmachines -s
/bin/false -M
%u
; NOTE(review): members listed here are presented to domain clients as Domain
; Admins, which is what gives them Administrator rights on the workstations.
; That is separate from the per-share "admin users" lists below, which grant
; root on the server's files.
domain admin group = @smbadmins cpatter sharriso
;Password Synchronization
unix password sync = yes
; With unix password sync enabled, smbd calls the passwd program as root.
; NOTE(review): passwd program normally names the Unix passwd binary; here it
; points at smbpasswd. Confirm this is intended.
passwd program = /usr/local/bin/smbpasswd %u
; NOTE(review): the next three lines appear to be a single "passwd chat"
; setting wrapped by the mail client.
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*passwd:*all*authen
tication*tokens*updated*successfully*
pam password change = Yes
#domain group map = /etc/samba/group.mapping
#==Shares==
[homes]
comment = Home Directories
; Hides the per-user shares from browse lists only; a client can still connect
; by typing the share name.
browseable = no
writable = yes
; NOTE(review): every member of smbadmins acts as root on any user's home
; share, bypassing Unix permissions. This is the cause of the cross-user
; access the poster describes. Removing this line, and optionally adding
; "valid users = %S", restricts each home share to its owner.
admin users = @smbadmins
[profiles]
path = /home/samba/profiles
; NOTE(review): passwordless guest connections are allowed on a writable share
; that holds roaming profiles; only the Unix permissions under this path keep
; one user's profile from another. Confirm guest access is really required.
guest ok = yes
browseable = no
read only = no
; Caps new files at 0600 and new directories at 0700 (owner only).
create mask = 0600
directory mask = 0700
; NOTE(review): disables share-mode (deny-mode) handling; the smb.conf
; documentation advises against turning this off.
share modes = no
;nt acl support = no
[netlogon]
browseable = no
path = /home/netlogon
; NOTE(review): root preexec runs this command as root on every connection to
; the share. %u (user name), %m (client NetBIOS name) and %a (client
; architecture) are derived from the client, so mklogonscript.pl should
; validate them before using them in file names or commands.
root preexec = perl /root/mklogonscript.pl %u %m %a
[etime]
path = /home/samba/etime
browseable = no
; Read-only for everyone except the accounts in "write list" below.
read only = yes
create mask = 0660
directory mask = 0770
write list = @etime @smbadmins
; Connections to this share operate with etime as their primary group.
force group = etime
; NOTE(review): these three accounts perform all file operations on this share
; as root, regardless of Unix permissions. If they only need write access,
; the write list already covers that.
admin users = acline bob bmyers
[financials]
path = /home/samba/financials
create mask = 0660
directory mask = 0770
browseable = no
; Read-only except for the groups in "write list".
read only = yes
write list = @financials @smbadmins
; NOTE(review): the named accounts act as root on the financial data,
; bypassing Unix permissions. Note also that every member of smbadmins has
; write access through the write list above.
admin users = acline bob bmyers
; Connections to this share operate with financials as their primary group.
force group = financials
[123work]
path = /home/samba/lotus
create mask = 0660
directory mask = 0770
browseable = no
read only = yes
write list = @lotus @smbadmins
; NOTE(review): all smbadmins members act as root on this share. The write list
; entry above already grants them write access, so this line only adds the
; ability to bypass Unix permissions.
admin users = @smbadmins
force group = lotus
[vp10]
path = /home/samba/vp10
create mask = 0660
directory mask = 0770
browseable = no
read only = yes
write list = @vp10 @smbadmins
; NOTE(review): grants root-level file access on this share to every member of
; smbadmins; the write list above is enough if plain write access is the goal.
admin users = @smbadmins
force group = vp10
[mrms]
path = /home/samba/mrms
create mask = 0660
directory mask = 0770
browseable = no
read only = yes
write list = @mrms @smbadmins
; NOTE(review): smbadmins members operate as root here, overriding the 0660 and
; 0770 masks and the group ownership set by force group.
admin users = @smbadmins
force group = mrms
[product]
path = /home/samba/product
create mask = 0660
directory mask = 0770
browseable = no
read only = yes
write list = @product @smbadmins
; NOTE(review): root on this share for all of smbadmins. Since that group was
; widened so an application could run on the workstations, consider whether
; its members need server-side root as well.
admin users = @smbadmins
force group = product
[software]
path = /home/samba/software
create mask = 0660
directory mask = 0770
browseable = no
; Read-only for everyone outside smbadmins.
read only = yes
write list = @smbadmins
; NOTE(review): any smbadmins member can modify the shared software as root;
; the write list alone would give them write access under normal Unix
; permissions.
admin users = @smbadmins
force group = smbadmins
[backup]
path = /home/samba/backup
create mask = 0660
directory mask = 0770
browseable = no
read only = yes
write list = @smbadmins
; NOTE(review): every smbadmins member has root-level access to whatever is
; stored under the backup path, so backed-up data from other users is readable
; and modifiable by the whole group.
admin users = @smbadmins
force group = smbadmins
[printers]
; NOTE(review): guest printing. Any client permitted by the global
; "hosts allow" can submit jobs without a password.
guest ok = yes
printable = yes
; Guest jobs on this share run as the Unix account ftp instead of the global
; guest account (nobody). NOTE(review): confirm that choice is deliberate.
guest account = ftp
use client driver = yes