[Samba] SAMBA PDC permissions quandary

A Cline acline27 at hotmail.com
Tue Feb 4 16:39:44 GMT 2003


Hello all:

I have a Samba PDC (Samba 2.2.3) on RedHat 7.3 currently serving about 40 to 
50 clients with the intent of adding another 60 to 70 in the coming weeks.  
Everything is working decently well.  I do have one problem that I am 
concerned about though.

I have had to make many users Admin users so that a certain application can 
run.  This does not concern me so much except for where data is concerned.  
I have several high priority users putting data in their Home directory so 
that it can be backed up on the server.  I have discovered that even though 
these directories are not browsable, anyone who is in the smbadmins group 
can type //crhpdc/username in Start>Run and have full access to the person's 
home directory.  I am stuck here as to how to fix this.

; [homes] is the template Samba uses to create a per-user share on the fly
; when a client asks for a share named after a Unix account.
[homes]
        comment = Home Directories
        ; Hides the share from browse lists only; it is not an access control.
        browseable = no
        writable = yes
        ; 'admin users' makes every listed user perform all file operations
        ; on the share as root, so Unix ownership and modes on the home
        ; directory no longer restrict them. With @smbadmins here, every
        ; member of that group has full access to every user's home share.
        ; NOTE(review): to confine each home to its owner, drop this line
        ; and consider adding "valid users = %S".
        admin users = @smbadmins

; Roaming-profile share; 'logon path' in [global] points clients here.
[profiles]
        path = /home/samba/profiles
        ; NOTE(review): guest access combined with "read only = no" on a
        ; share holding per-user profile data is broader than a profile
        ; share normally needs; confirm it is required.
        guest ok = yes
        browseable = no
        read only = no
        ; New files are limited to owner read/write, new directories to
        ; owner-only access.
        create mask = 0600
        directory mask = 0700
        ; NOTE(review): the smb.conf manual warns against turning share
        ; modes off because Windows applications rely on them; confirm
        ; this is intentional.
        share modes = no

So really I am looking for the answer to two questions.
1.  How can I have Administrators that have all the power on the local 
machine, but normal user power on the server?

2.  How can I set up "Power Users" so that people might be able to run this 
piece of software that is giving me problems but won't be Administrators?

Any help will be most appreciated.

Full SMB.CONF follows.

A Cline

; Server-wide settings for the Samba 2.2 PDC "CRHPDC" in domain CRHDOM.
[global]
;basic server settings
workgroup = CRHDOM
netbios name = CRHPDC
server string = Cushing PDC
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
; Unix account used for guest connections to shares with "guest ok = yes",
; unless a share sets its own guest account (as [printers] does).
guest account = nobody


;Standard printing settings
printing = BSD
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
min print space = 2000

;PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes

;Security and Logging Settings
security = user
encrypt passwords = yes
#update encrypted = yes
; NOTE(review): the manual describes passwd chat debug as a debugging aid
; that can write plaintext passwords to the smbd log at high log levels;
; it should be switched off once password sync works.
passwd chat debug = yes
domain logons = yes
; One log file per client machine name (%m).
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
; Only loopback and the 172.29.56.0/255.255.252.0 network may connect.
hosts allow = 127.0.0.1 172.29.56.0/255.255.252.0

;User profiles and home directory
#logon home = \\%L\%U\.profile
logon drive = R:
; Roaming profiles are stored per user under the [profiles] share.
logon path = \\%L\profiles\%U

logon script = %U.bat
; Creates a Unix account with no home directory (-d /dev/null, -M), shell
; /bin/false and primary group smbmachines; presumably used for workstation
; machine accounts - confirm.
; NOTE(review): the value below is split across three lines, which looks
; like mail-client wrapping; in smb.conf it must be one line (or use a
; trailing-backslash continuation).
add user script = /usr/sbin/useradd -d /dev/null -g smbmachines -s 
/bin/false -M
%u
; Samba 2.2 parameter: the listed users and groups are treated as Domain
; Admins at domain logon. Domain-joined Windows clients normally put
; Domain Admins in their local Administrators group, so this is the
; setting that gives local-machine admin rights. Rights on the server's
; shares come separately, from "admin users" in each share section.
domain admin group = @smbadmins cpatter sharriso

;Password Synchronization
unix password sync = yes
; NOTE(review): passwd program normally names the program that changes
; the Unix password; pointing it at smbpasswd is unusual - confirm.
passwd program = /usr/local/bin/smbpasswd %u
; NOTE(review): the chat string below is also split across lines,
; apparently by mail wrapping; it must be a single line in smb.conf.
passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
*passwd:*all*authen
tication*tokens*updated*successfully*
; With this enabled, PAM handles client password changes instead of the
; passwd program above.
pam password change = Yes

#domain group map = /etc/samba/group.mapping

#==Shares==

; Template for the per-user home share created on demand for each account.
[homes]
        comment = Home Directories
        ; Affects browse lists only; does not restrict who can connect.
        browseable = no
        writable = yes
        ; Members of smbadmins act as root on every home share, bypassing
        ; the Unix permissions of the home directories. This is why any
        ; smbadmins member can open another user's home.
        ; NOTE(review): remove this line to restore per-user isolation and
        ; consider "valid users = %S" so only the owner may connect.
        admin users = @smbadmins

; Roaming-profile storage referenced by "logon path" in [global].
[profiles]
        path = /home/samba/profiles
        ; NOTE(review): a writable share of user profiles does not normally
        ; need guest access; confirm this is required.
        guest ok = yes
        browseable = no
        read only = no
        ; Owner-only permissions on newly created files and directories.
        create mask = 0600
        directory mask = 0700
        ; NOTE(review): the smb.conf manual advises never disabling share
        ; modes, as Windows applications depend on them - confirm intent.
        share modes = no
        ;nt acl support = no

; Logon-script share used by domain clients.
[netlogon]
        browseable = no
        path = /home/netlogon
        ; Runs as root each time a client connects to this share, passing
        ; the user name (%u), client machine name (%m) and client
        ; architecture (%a). %m is supplied by the client, so the script
        ; should treat its arguments as untrusted input.
        root preexec = perl /root/mklogonscript.pl %u %m %a

; Group share: read-only by default, writable for the etime group.
[etime]
        path = /home/samba/etime
        browseable = no
        read only = yes
        create mask = 0660
        directory mask = 0770
        ; Users and groups listed here get write access despite
        ; "read only = yes".
        write list = @etime @smbadmins
        ; All file access on this share uses group etime.
        force group = etime
        ; These three accounts operate as root on this share.
        admin users = acline bob bmyers

; Group share: read-only by default, writable for the financials group.
[financials]
        path = /home/samba/financials
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        ; NOTE(review): @smbadmins has write access to financial data here;
        ; the post says many ordinary users were added to that group, so
        ; confirm this is intended.
        write list = @financials @smbadmins
        ; These three accounts operate as root on this share.
        admin users = acline bob bmyers
        force group = financials

; Group share for the lotus group.
[123work]
        path = /home/samba/lotus
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        write list = @lotus @smbadmins
        ; Every smbadmins member acts as root on this share. The write list
        ; above already gives them write access.
        ; NOTE(review): if write access is all that is needed, this line
        ; can be dropped.
        admin users = @smbadmins
        force group = lotus
; Group share for the vp10 group.
[vp10]
        path = /home/samba/vp10
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        write list = @vp10 @smbadmins
        ; Root-level access for all smbadmins members; redundant with the
        ; write list if only write access is required.
        admin users = @smbadmins
        force group = vp10

; Group share for the mrms group.
[mrms]
        path = /home/samba/mrms
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        write list = @mrms @smbadmins
        ; Root-level access for all smbadmins members; redundant with the
        ; write list if only write access is required.
        admin users = @smbadmins
        force group = mrms

; Group share for the product group.
[product]
        path = /home/samba/product
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        write list = @product @smbadmins
        ; Root-level access for all smbadmins members; redundant with the
        ; write list if only write access is required.
        admin users = @smbadmins
        force group = product

; Software share: readable by connecting users, writable by smbadmins.
[software]
        path = /home/samba/software
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        write list = @smbadmins
        ; smbadmins members act as root here as well as being on the write
        ; list.
        ; NOTE(review): anyone in the group can replace the files other
        ; users read from this share; keep the group membership small.
        admin users = @smbadmins
        force group = smbadmins

; Backup share.
[backup]
        path = /home/samba/backup
        create mask = 0660
        directory mask = 0770
        browseable = no
        read only = yes
        write list = @smbadmins
        ; NOTE(review): every smbadmins member acts as root on the backup
        ; data. The post says many ordinary users are in that group for
        ; application reasons; a separate, smaller group for server-side
        ; administration would keep them out of this share.
        admin users = @smbadmins
        force group = smbadmins

; Template share for the printers defined on the server.
; NOTE(review): no "path" is set; confirm where spool files are written and
; that the directory is suitable for guest-submitted jobs.
[printers]
        ; Printing is allowed without authentication.
        guest ok = yes
        printable = yes
        ; Guest print jobs run as the ftp account rather than the global
        ; guest account (nobody).
        guest account = ftp
        use client driver = yes



