[Samba] Restrict access to [homes] share

Buchan Milne bgmilne at cae.co.za
Mon Feb 24 11:29:24 GMT 2003



> Date: 22 Feb 2003 09:14:57 -0800
> From: Michael Noble <mnoble at rfmagic.com>
> To: "Chew, Darren" <darren.chew at vicscouts.asn.au>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Restrict access to [homes] share
>
> Try setting your home shares as follows:
>
> [home]
>        comment = Home Directories
>        path = /home/%u
>        read only = No
>        veto files = /.*/
>
> This will always mount the user's home directory.

Not necessarily with winbind, you should not need to use a path
directive, it defeats the feature of the homes share (which is to use
the user's home directory).

>>> I'd like to know how to restrict access to the [homes] share.
>>> Currently, each user is able to read/write to his/her own share,
>>> and by typing \\machine\anotheruser can open another user's share
>>> and read/write there too.
>>> I would like to restrict access so that a user can only read/write
>>> to their own share only.
>>>
>>> Here is some of the relevant config:
>>>
>>> [global]
>>> 	workgroup = ASDF
>>> 	server string = Samba Server %v
>>> 	security = DOMAIN
>>> 	encrypt passwords = Yes
>>> 	password server = *
>>> 	log file = /var/log/samba/log.%m
>>> 	max log size = 10240
>>> 	time server = Yes
>>> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> 	os level = 64
>>> 	preferred master = No
>>> 	domain master = No
>>> 	dns proxy = No
>>> 	wins support = Yes
>>> 	winbind uid = 10000-20000
>>> 	winbind gid = 10000-20000
>>> 	template homedir = /dev/null
>>> 	winbind separator = +
>>> 	winbind use default domain = Yes
>>> 	admin users = wicked
>>> 	printer admin = @"Domain Admins"
>>>
>>> [homes]
>>> 	comment = Home Directories
>>> 	path = /home/samba/%S

This line should not be necessary; you should rather set your template
homedir to /home/samba/%U or /home/%D/%U.

>>> 	force group = nobody

The line above is your problem; you should not need this if winbind is
working right!

>>> 	read only = No
>>> 	browseable = No
>>>

The best option (as with Windows) is to have the permissions correct on
the filesystem, and not to enforce everything via share definitions.
Then if people access the filesystem via other means, the permissions
are still enforced correctly. The easiest solution is to:

# cd /home/samba
# chmod 700 *

Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
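
The filesystem-permission approach from the reply above, as an added example that is not part of the original message: it lists the directories under the homes base that still grant group or other access, and tightens only those. It assumes GNU find and stat; the function names audit_homes and tighten_homes are hypothetical, and /home/samba is the path used in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GNU find and GNU stat.

# audit_homes BASE
# Prints "MODE OWNER PATH" for every directory directly under BASE whose
# mode grants any permission to group or other. Prints nothing when every
# home directory is already private to its owner.
audit_homes() {
    base=$1
    # -perm /077 matches when any of the group/other bits is set.
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -exec stat -c '%a %U %n' {} + | sort -k3
}

# tighten_homes BASE
# Sets mode 700 on exactly the directories audit_homes reports.
# Unlike "chmod 700 *" this leaves regular files in BASE untouched and
# also covers directories whose names start with a dot.
tighten_homes() {
    base=$1
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -exec chmod 700 {} +
}

# Stand-alone use: pass the homes base, e.g. /home/samba, to get the report.
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```

Run the audit first and review the owner column before tightening: mode 700 only helps when each directory is owned by the user it belongs to.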


