[Samba] SuSE Winbind "Zen" Question with Samba 3.0.4

L. Mark Stone LMStone at RNoME.com
Fri Jun 11 16:00:23 GMT 2004

OK, I fixed all of my winbind problems (I think), but I'm not sure the 
outcome is optimal, so I'm looking for advice and counsel at more of a 
philosophical level, rather than a pure technical level.

I would be grateful for comments on the following setup:

SuSE 9.0, Samba 3.0.4-5 rpms from ftp.sernet.de (quasi-official SuSE 
rpms, as I understand it).  The machine is configured as a member 
server in a true Windows NT4 domain. (The smb.conf file is at the end 
of this post).  This machine is temporary; it needs to run for two 
months. We followed the instructions in Samba3 By Example as a starting 

All of the folders to be shared are in a directory called /data on the 
machine.  As we are using PAM with winbind for Samba authentication 
only, there are no unix accounts used by Windows workstation users; we 
did not change any of the pam.d files other than /pam.d/samba, and we 
have done no Windows-to-Unix user nor group mapping.  System admins 
that need to log in to the Samba box use Linux accounts at the console.

::File System Permissions::
We chowned the entire /data tree as root.root, and then chmodded the 
entire data tree as 777. 

A few users (about 10) make use of home folders, so we created these 
manually in /data/Users to avoid fussing with the pam module that can 
do this. These folders too were chmodded as 777.

We also put "inherit permissions = yes" in the [global] section to keep 
new files created by Windows users have the same 777 permissions.

::Share-Level Permissions::
We couldn't find how to use NT Domain accounts to control permissions at 
the share level.  Probably this is somewhere in TOSHARG or Samba3 By 
Example (which are both pretty dog-eared now), but we didn't see it.  
Googling got us the answer, and you can see how we did it in the 
smb.conf file below.

We then carefully reviewed on the NT4 PDC in User Manager the 
memberships of each of the Domain Security Groups we used in smb.conf.

With one day of testing, so far so good.  Windows domain users can 
access the shares they should, read, write and create files and folders 
in those shares, etc.  Windows domain users are challenged with a 
username:password dialog box when they try to access a share to which 
their logged in NT user account does not have access (via NT Global 
group membership, or lack thereof), and this seems to work OK.  That 
is, they can access the prohibited share if they use an NT account that 
is a member of an NT Global group authorized to access that share.

I'm not entirely happy with the underlying file system being wide open.  
When I set up Microsoft shares in an AD domain, I like to use the 
share-level access to block viewing of unauthorized shares (less 
clutter, primarily), and then ACLs to control access at the file system 
level.  This allows users to access a share, but not necessarily all of 
the sub-folders within a share, which can be useful.  This Samba setup 
I believe won't have that capability, which is OK for now.

I would be grateful for your comments on this smb.conf setup, and for 
ways to improve it. (There are some comments indicating changes to 
come, BTW).

Thanking you all in advance (note the actual workgroup name has been 
changed in smb.conf below...)


-------begin smb.conf-----

	workgroup = JOEMAMA
	security = domain
	unix charset = LOCALE
	username map = /etc/samba/smbusers
	log level = 1
	syslog = 0
	log file = /var/log/samba/%m
	max log size = 0
	smb ports = 139 445
	name resolve order = wins bcast hosts
	server string = SuSE Linux Samba Server
	time server = yes
	wins server =
	template primary group = "Domain Users"
	template shell = /bin/bash
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind separator = +
	template homedir = /data/Users/%U
	use sendfile = yes
	large readwrite = yes
	oplocks = no
	level2 oplocks = no
	inherit permissions = yes

	comment = %u's Home Directory
	valid users = %D-%S %S
	read only = no
	browseable = no

	comment = Company Financial Reports
	path = /data/Company/Accounting
	valid users = @"%D+Accounting"
	read only = Yes

	comment = Accounting Department Use Only
	path = /data/Company/AcctPrivate
	valid users = @"%D+Accounting-Private"

	comment = Billing Department Working Files
	path = /data/Company/Billing
	valid users = @"%D+Billing"

	comment = Techie Stuff You May Need
	path = /data/Company/IT_Dept
	valid users = @"%D+Domain Users"

	comment = For IT Department Use Only
	path = /data/Company/IT_Private
	valid users = @"%D+IT-Dept"

	comment = For Lab Department Use Only
	path = /data/Company/Lab
	valid users = @"%D+Lab"

	comment = Lab Management Use Only
	path = /data/Company/LabPrivate
	valid users = @"%D+Lab"
# Change valid users to head of lab!

	path = /data/Company/Public
	writeable = yes
	public = yes
	valid users = @"%D+Domain Users"
	comment = Public Documents

	comment = For Research Department Use Only
	path = /data/Company/Research
	valid users = @"%D+Domain Users"
# Correct valid users to members of research local group.

--------end of smb.conf------

A Message From...  L. Mark Stone

Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.RNoME.com

More information about the samba mailing list