[Samba] some samba security questions
Marc Balcells
mb at btasl.com
Mon Mar 10 19:28:56 GMT 2003
Hello, I'm running samba on a redhat linux 7.3 server in order to share
files to a mixed linux/windows local network without a domain controller,
all clients are configured to do local authentication and these
usernames/passwords are the same as on the linux server.
I'd like to restrict access to some directories inside samba shares for
specific users, but changing unix file permissions won't do it.
For example,
I have a share named "stuff" which is permitted to all members of the
"staff" group, but inside this share I want to restrict access to a
directory called "internal", only one specific user has to be able to
read/write inside it.
As I said I've tried to change unix permissions to 700 but still group
members can read/write inside this directory.
Once I solve this, I would like to do something like the "veto files"
directive does. I'd like to restrict access to one user to all
directories named "internal" in whichever share they're in.
Another issue is client code-pages. All my clients use the Spanish
character set, but when windows clients create a file with special
characters, linux clients get (invalid unicode) warnings on these
filenames, any clue?
Can anyone help me with these three issues?
My smb.conf [GLOBAL] looks like:
smb passwd file = /etc/samba/smbpasswd
hosts deny = ALL
passwd program = /usr/bin/passwd %u
browseable = no
pam password change = yes
force directory mode = 770
printing = lprng
create mode = 770
dns proxy = no
force create mode = 770
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
character set = ISO8859-15
printcap name = /etc/printcap
max log size = 0
hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
writable = yes
obey pam restrictions = yes
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
directory mode = 770
security = user
unix password sync = Yes
hide unreadable = yes
server string = XXXXXXXXXXXXXXX
workgroup = XXXXXXXXXXXXXXX
client code page = cp850
log file = /var/log/samba/%m.log
netbios name = XXXXXXXXXX
load printers = yes
os level = 20
My share looks like:
[stuff]
path = /home/stuff
force group = staff
valid users = @staff
comment = Some Stuff
wide links = no
revalidate = yes
force user = fred
hide unreadable = yes
--
Marc Balcells
Dept. Técnic
Be There Always s.l.
Trav. De Gràcia 54-56 1ª Pl.
08006 - Barcelona
Tel: (+34) 932 412 909
Fax: (+34) 933 941 831
Email: mb at btasl.com
Pàgina web: www.btasl.com
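
Added example, not part of the original post: a simplified Python model of why mode 700 on "internal" cannot separate users of the [stuff] share as posted. With `force user` set, Samba performs all file operations as that user, so every client is checked as fred. The client names alice and bob, the directory owners, and the one-group owner/group/other check are assumptions.

```python
# Added example: simplified model of the permission check, not Samba source code.
SMB_CONF = """\
[stuff]
path = /home/stuff
force group = staff
valid users = @staff
force user = fred
"""  # share section from the post, abridged

def norm(name):
    # smb.conf parameter names ignore case and internal whitespace
    return "".join(name.split()).lower()

def parse_shares(text):
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return shares

def effective_identity(params, user, group):
    """Identity the Unix permission check sees for a connected client."""
    return params.get("forceuser", user), params.get("forcegroup", group)

def can_access(mode, owner, owner_group, identity):
    """Owner/group/other test for full rwx (no ACLs, no root, one group)."""
    user, group = identity
    if user == owner:
        bits = (mode >> 6) & 7
    elif group == owner_group:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits == 7

def who_gets_in(params, clients, mode, owner, owner_group):
    return {u: can_access(mode, owner, owner_group, effective_identity(params, u, g))
            for u, g in clients}

if __name__ == "__main__":
    share = parse_shares(SMB_CONF)["stuff"]
    clients = [("alice", "staff"), ("bob", "staff")]    # constructed users
    print(who_gets_in(share, clients, 0o700, "fred", "staff"))   # owner fred: assumption
    print(who_gets_in(share, clients, 0o700, "alice", "staff"))  # owner alice: assumption
    print(who_gets_in({}, clients, 0o700, "alice", "staff"))     # no force user/group
```

In this model the result is the same for every client while `force user` is set; only the run without it lets the mode bits tell alice and bob apart.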