[Samba] Samba and unix permissions mismatch

Gutholm, James GutholmJ at evergreen.edu
Tue Aug 1 15:06:37 GMT 2006


Our DCs are Win2003 but we dealt with the same problem on Linux member servers.

We use filesystem ACLs to control access. The owner/group of a shared directory is nobody:nobody.

The default ACL is:
default:user::rwx
default:group::---
default:other::---

plus numerous
default:group:<some AD group>:rwx
entries, one for each group.

The reason for the group::--- is that the primary group is "Domain Users" and we want to make sure that files don't default to allowing access to this group.

-James
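To make the two setups comparable, here is an added example (not from either post) that models the POSIX.1e access check and default-ACL inheritance the way the kernel applies them. The ACL text, the group names "Sales" and "Managers", and the users alice, bob and carol are constructed for the demonstration; the mask:: entries are included because setfacl adds one automatically whenever named group entries exist. It shows why an ssh-only member of "Domain Users" is denied on the share directory and on files created inside it, while a member of a named AD group gets through, and what changes if the owning-group entry is rwx instead of ---.

```python
"""Model of POSIX.1e ACL evaluation and default-ACL inheritance.
Added example; not code from the samba list posts it illustrates."""
from dataclasses import dataclass

# Constructed ACL in the shape James describes: owning group gets nothing,
# each AD group that should reach the share gets its own rwx entry.
SHARE_ACL = """
user::rwx
group::---
group:Sales:rwx
group:Managers:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Sales:rwx
default:group:Managers:rwx
default:mask::rwx
default:other::---
"""


@dataclass
class Entry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # "" for owner, owning group, mask and other; else a name
    perms: set      # subset of {"r", "w", "x"}


def parse_acl(text):
    """Parse getfacl-style lines; 'default:' entries are kept separately."""
    access, default = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entry = Entry(tag, qualifier, set(perms) - {"-"})
        (default if is_default else access).append(entry)
    return access, default


def check_access(entries, owner, owning_group, uid, groups, want):
    """True if process (uid, groups) holds every permission in `want`.
    Order follows POSIX.1e: owner, named user, group class, other."""
    want = set(want)
    mask = next((e.perms for e in entries if e.tag == "mask"), set("rwx"))

    def by(tag, qualifier):
        return [e for e in entries if e.tag == tag and e.qualifier == qualifier]

    if uid == owner:                      # owner entry is never masked
        return want <= by("user", "")[0].perms
    named_user = by("user", uid)
    if named_user:
        return want <= (named_user[0].perms & mask)
    group_entries = []
    if owning_group in groups:            # owning-group entry joins the class
        group_entries += by("group", "")
    group_entries += [e for e in entries
                      if e.tag == "group" and e.qualifier in groups]
    if group_entries:                     # any matching group entry may grant;
        return any(want <= (e.perms & mask) for e in group_entries)
    return want <= by("other", "")[0].perms  # no group matched: fall to other


def inherit(default_entries, is_dir):
    """Access ACL a new child receives from the parent's default ACL (a new
    directory also carries the default ACL forward). The kernel additionally
    ANDs the create mode (umask, or Samba's create mask / directory mask)
    into the user::, mask:: and other:: entries; that step is omitted here."""
    access = [Entry(e.tag, e.qualifier, set(e.perms)) for e in default_entries]
    return access, (list(default_entries) if is_dir else [])


def demo():
    access, default = parse_acl(SHARE_ACL)
    results = {}
    # The share directory itself is owned nobody:nobody, as James describes.
    results["ssh_only_user_on_share"] = check_access(
        access, "nobody", "nobody", "alice", {"Domain Users"}, "rx")
    results["sales_user_on_share"] = check_access(
        access, "nobody", "nobody", "bob", {"Domain Users", "Sales"}, "rwx")
    # A file bob creates inside: owner bob, owning group = bob's primary
    # group "Domain Users", access ACL copied from the default entries.
    file_acl, _ = inherit(default, is_dir=False)
    results["ssh_only_user_on_new_file"] = check_access(
        file_acl, "bob", "Domain Users", "alice", {"Domain Users"}, "r")
    results["manager_on_new_file"] = check_access(
        file_acl, "bob", "Domain Users", "carol", {"Domain Users", "Managers"}, "rw")
    # Same file had the default owning-group entry been rwx instead of ---.
    loose = [Entry("group", "", set("rwx")) if e.tag == "group" and not e.qualifier
             else e for e in file_acl]
    results["ssh_only_user_if_group_rwx"] = check_access(
        loose, "bob", "Domain Users", "alice", {"Domain Users"}, "r")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last case is the one James guards against: because every file Samba creates ends up with "Domain Users" as its owning group, the default:group::--- entry is what keeps the group class from granting anything to members who hold no named-group entry. The model leaves out the create-mode step of inheritance, so on a real server also check Samba's create mask and directory mask (or inherit acls) with getfacl on a freshly created file, since a restrictive mode narrows the inherited mask:: entry.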

> -----Original Message-----
> On Behalf Of Björn Lindqvist
> Sent: Tuesday, August 01, 2006 6:30 AM
> To: samba at lists.samba.org
> Subject: [Samba] Samba and unix permissions mismatch
> 
> 
> I have just managed to get my first Samba/LDAP PDC up and running. But
> I have one big security problem -- users logging in to the PDC using
> ssh can access all shares.
> 
> User credentials, both for ssh login and for Samba access, 
> are retrieved
> from the LDAP directory. All shares are stored in the /var/lib/samba
> directory. The directories' permissions look like this:
> 
>     drwxrwx---  2 root Domain Users 4096 25 jul 15.11 Common
>     drwxrwx---  2 root Domain Users 4096 13 jun 16.59 Customers
>     drwxrwx---  2 root Domain Users 4096 13 jun 16.32 Sales
>     ... and so on.
> 
> Each share is owned by root in the "Domain Users" group. In the Unix
> world, each directory can only be owned by one user in one group. But
> in the Samba world, directories and shares aren't owned by any
> single group, instead a number of groups have access to the directory
> or share. That is why the shares have to be owned by the Unix group
> "Domain Users," which is a meta group in which all users of the PDC
> belong.
> 
> Obviously, this arrangement isn't very nice. Every user that logs in
> via ssh can access all shares. Yet all shares need to be owned by the
> group "Domain Users" otherwise some groups of users can't access some
> shares. The Sales share, for example, should really be owned by both
> the Managers and the Accountants groups.
> 
> So how do I fix this? There doesn't seem to be any easy way.
> 
> Thanks in advance.
> 
> --
> Mvh Björn Lindqvist
> 

