[Samba] some samba security questions
mb at btasl.com
Mon Mar 10 19:28:56 GMT 2003
Hello, I'm running samba on a redhat linux 7.3 server in order to share
files to a mixed linux/windows local network without a domain controler,
all clients are configured to do local authentication and this
usernames/passwords are the same as on the linux server.
I'd like to restrict access to some directories inside samba shares for
specific users, but changing unix file permissions won't do it.
I have a share named "stuff" which is permited to all members of the
"staff" group, but inside this share I wan't to restrict access to a
directory called "internal", only one specific user has to be able to
read/write inside it.
As I said I've tried to change unix permissions to 700 but still group
members can read/write inside this directory.
Once I solve this, I would like to do something like the "veto files"
directive does. I'd like to restrict access to one user to all
directories named "internal" in whichever share they're in.
Another issue is client code-pages. All my clients use spanish
characters set, but when windows clients create a file with special
characters, linux clients get (invalid unicode) warnings on this
filenames, any clue?
Anyone can help me in this three issues?
My smb.conf [GLOBAL] looks like:
smb passwd file = /etc/samba/smbpasswd
hosts deny = ALL
passwd program = /usr/bin/passwd %u
browseable = no
pam password change = yes
force directory mode = 770
printing = lprng
create mode = 770
dns proxy = no
force create mode = 770
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
character set = ISO8859-15
printcap name = /etc/printcap
max log size = 0
hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
writable = yes
obey pam restrictions = yes
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
directory mode = 770
security = user
unix password sync = Yes
hide unreadable = yes
server string = XXXXXXXXXXXXXXX
workgroup = XXXXXXXXXXXXXXX
client code page = cp850
log file = /var/log/samba/%m.log
netbios name = XXXXXXXXXX
load printers = yes
os level = 20
My share looks like:
path = /home/stuff
force group = staff
valid users = @staff
comment = Some Stuff
wide links = no
revalidate = yes
force user = fred
hide unreadable = yes
Be There Always s.l.
Trav. De Gràcia 54-56 1ª Pl.
08006 - Barcelona
Tel: (+34) 932 412 909
Fax: (+34) 933 941 831
Email: mb at btasl.com
Pàgina web: www.btasl.com
More information about the samba