[Samba] Samba and unix permissions mismatch

BJörn Lindqvist bjourne at gmail.com
Tue Aug 1 13:29:50 GMT 2006


I have just managed to get my first Samba/LDAP PDC up and running. But
I have one big security problem -- users logging in to the PDC using
ssh can access all shares.

User credentials, both for ssh login and for Samba access, are retrieved
from the LDAP directory. All shares are stored in the /var/lib/samba
directory. The directories' permissions look like this:

    drwxrwx---  2 root Domain Users 4096 25 jul 15.11 Common
    drwxrwx---  2 root Domain Users 4096 13 jun 16.59 Customers
    drwxrwx---  2 root Domain Users 4096 13 jun 16.32 Sales
    ... and so on.

Each share is owned by root in the "Domain Users" group. In the Unix
world, each directory can only be owned by one user in one group. But
in the Samba world, directories and shares aren't owned by any
single group; instead, a number of groups have access to the directory
or share. That is why the shares have to be owned by the Unix group
"Domain Users," which is a meta group in which all users of the PDC
belong.

Obviously, this arrangement isn't very nice. Every user that logs in
via ssh can access all shares. Yet all shares need to be owned by the
group "Domain Users", otherwise some groups of users can't access some
shares. The Sales share, for example, should really be owned by both
the Managers and the Accountants groups.

So how do I fix this? There doesn't seem to be any easy way.

Thanks in advance.

--
Mvh Björn Lindqvist
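
The mismatch described above, as an added example that is not part of the original post: a Python sketch that applies the Unix owner/group/other check to the listed modes and reports users who can open a share directory from a shell login without belonging to the groups the share is meant for. User names, group memberships and the intended-group map are constructed; only the Sales mapping (Managers, Accountants) comes from the post.

```python
"""Audit sketch: filesystem reach of a share directory vs. its intended groups."""


def fs_access(mode, owner, group, user, user_groups):
    """Return the rwx bits (0-7) the Unix mode check grants `user`.

    Only the first matching class applies: owner, then group, then other.
    root bypasses the mode bits entirely.
    """
    if user == "root":
        return 7
    if user == owner:
        return (mode >> 6) & 7
    if group in user_groups:
        return (mode >> 3) & 7
    return mode & 7


def overexposed(dirs, members, intended):
    """Map each directory to the users who can list and enter it on disk
    (r and x bits) but are in none of the groups the share is meant for."""
    report = {}
    for name, (mode, owner, group) in dirs.items():
        extra = []
        for user, groups in members.items():
            bits = fs_access(mode, owner, group, user, groups)
            if (bits & 5) == 5 and not (groups & intended[name]):
                extra.append(user)
        report[name] = sorted(extra)
    return report


# Modes, owner and group as in the listing above (drwxrwx--- root "Domain Users").
DIRS = {
    "Common": (0o770, "root", "Domain Users"),
    "Sales": (0o770, "root", "Domain Users"),
}
# Constructed accounts: every PDC user is in "Domain Users".
MEMBERS = {
    "alice": {"Domain Users", "Managers"},
    "bob": {"Domain Users", "Accountants"},
    "carol": {"Domain Users"},
}
# Sales per the post; Common being open to everyone is an assumption.
INTENDED = {"Common": {"Domain Users"}, "Sales": {"Managers", "Accountants"}}

if __name__ == "__main__":
    for share, users in overexposed(DIRS, MEMBERS, INTENDED).items():
        print(f"{share}: reachable on disk but not intended: {users}")
```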

