[Samba] Securing home shares

Andrew Morgan morgan at orst.edu
Mon Feb 12 20:37:05 GMT 2007


On Mon, 12 Feb 2007, Neil Jolly wrote:

> On 12-Feb-07, at 12:38 PM, Charles Marcus wrote:
>
>> On 2/12/2007 Neil Jolly (neil at jollycom.ca) wrote:
>>> [homes]
>>>    browseable = No
>>>    read only = No
>>>    guest ok = No
>> 
>> Don't need this?
>>
>>>    path = /home/%U
> I've tried with, and without this one
>
>>>    users = %S
>> 
>> Typo? Shouldn't this be 'valid users = %S'
>
> Not according to : 
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html
>
> An excerpt:
> The only user works in conjunction with the users = list, so to get the 
> behavior you require, add the line:
> users = %S
>
> This is equivalent to adding
> valid users = %S
>
> to the definition of the [homes] share, as recommended in the smb.conf man 
> page.

The manpage for smb.conf says:

      users
           This parameter is a synonym for username.

      username (S)
           Multiple users may be specified  in  a  comma-delimited
           list,  in  which  case  the  supplied  password will be
           tested against each username in turn (left to right).


This is very different from the "valid users" parameter.  I think the 
securing-samba.html file is wrong in saying they are equivalent.  If I'm 
reading it right, you want "valid users = %S".

> Also unix permissions are rwx on all home dirs.

Why not just fix the unix permissions?  We set home dirs to 700 and 
public_html to 755 here.

 	Andy
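
As an added example (not part of the original message, and not Samba project code): a small Python check for the distinction drawn above, flagging a [homes] share that sets users/username but has no "valid users" entry containing %S. The function names and the sample configuration are constructed for illustration, and backslash line continuations are not handled.

```python
import re

# Constructed sample: the [homes] share quoted in the thread, with "users = %S".
SAMPLE_SMB_CONF = """\
[global]
   security = user

[homes]
   browseable = No
   read only = No
   guest ok = No
   path = /home/%U
   users = %S
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Names are lowercased and all
    whitespace in them is removed, because smb.conf treats case and
    whitespace in section and parameter names as irrelevant."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = "".join(line[1:-1].lower().split())
            current = sections.setdefault(name, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # only the first '=' counts
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit_homes(text):
    """Return findings for a [homes] share that is not limited to its owner."""
    homes = parse_smb_conf(text).get("homes")
    if homes is None:
        return []
    findings = []
    # "valid users" is the access restriction; %S expands to the share name,
    # which for [homes] is the name of the user whose home is being served.
    if "%S" not in re.split(r"[,\s]+", homes.get("validusers", "")):
        findings.append("valid users does not contain %S")
    # "users" and "username" only list names to test the password against.
    for name in ("users", "username"):
        if name in homes:
            findings.append(f"'{name}' is a synonym for username, not valid users")
    return findings
```

Calling audit_homes() on the text of an smb.conf returns an empty list once [homes] carries "valid users = %S" and no users/username line.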

