[Samba] security with normal profiles
Felipe Augusto van de Wiel
felipe at paranacidade.org.br
Fri Sep 15 14:39:06 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
On 09/13/2006 08:28 AM, Thierry Lacoste escreveu:
> Following TOSHARG and "Samba 3 by examples" I implemented
> Folder redirection plus some security restrictions by building
> a custom NTUSER.DAT which is the default profile of my users.
> The problem is that each user has read/write access to its profile
> share therefore he can replace its NTUSER.DAT.
> This is why I chose mandatory profiles.
> Is there another solution?
From the beloved smb.conf manpage:
The share and the path must be readable by the user for the
preferences and directories to be loaded onto the Windows NT
client. The share must be writeable when the user logs in for
the first time, in order that the Windows NT client can create
the NTuser.dat and other directories. Thereafter, the directo‐
ries and any of the contents can, if required, be made
read-only. It is not advisable that the NTuser.dat file be made
read-only - rename it to NTuser.man to achieve the desired
effect (aMANdatory profile).
> The problem with mandatory profiles is that some settings are not
> saved: for instance the Favorites folder; I did not redirect it because
> I read in several books that only the Desktop, My documents,
> Application Data and Start Menu can be redirected.
> Is there a way to save Favorites with mandatory profiles?
Hmmm, not sure... probably no, because it is a mandatory
profile, but you can save it on alternative paths, I don't why
to do that. :(
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba