[Samba] Restricting file server access by group
alex at chem.umass.edu
Tue May 18 13:12:14 MDT 2010
Thanks -- the first two were useful, but only blocked samba. Which, to
be fair, is all I asked about.
Here's a third option, which will also block PAM:
In ldap.conf (on my system, running Ubuntu 8.04 LTS Server), modify the
following two lines:
1) pam_groupdn (group)
In my case, this becomes:
pam_groupdn cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns
2) pam_member_attribute (attribute)
In my case, it becomes:
At that point attempts to log in with an LDAP user who isn't part of the
You must be a memberUid of cn=schnell,ou=Biochemistry
groups,ou=Biochemistry,dc=cns to login.
Connection closed by 172.30.35.146
Samba returns that it cannot mount the share, or that the uid/password
combination is wrong.
In any case, I'm putting this up in case anyone else has seen the same
problem... I'd still like a way to restrict to multiple groups, but this
works for what I need now.
Thanks for all the help!
tms3 at tms3.com wrote:
> On Tuesday 18/05/2010 at 8:46 am, Alex McKenzie wrote:
> This is for the same file server I wrote about earlier.
> I would like to restrict access by group, as defined in LDAP.
>> Two ways.
>> 1) First is at the share level, which is controlled by smb.conf and is
>> fairly similar to permissions on a share in Window$.
>> man smb.conf
>> "To restrict a service to a particular set of users you can use the
>> valid users parameter.
>> If any of the usernames begin with a '@' then the name will be
>> looked up first in the NIS netgroups list (if Samba is compiled
>> with netgroup support), followed by a lookup in the UNIX groups
>> database and will expand to a list of all users in the group of
>> that name."
>> Works with groups in ldap, if your posix box is set up correctly.
>> 2a) The second is to enable acls on your posix file system. If so, you
>> can use a Window$ workstation and the Administrator account to write M$
>> file permissions to the directories in the share.
>> 2b) Or if it is a very simple set up, merely use standard posix file
>> and directory permissions. For instance, say the samba share is
>> \\servername\chemlab and the posix path is /usr/home/samba/chemlab,
>> you could then simply do
>> chgrp -R CHEMLABGROUP /usr/home/samba/chemlab and chmod it to your
>> liking. (Where CHEMLABGROUP is a samba ldap group).
> obvious solution is to add a filter to the login LDAP search that
> restricts to gidNumber=10038 or 10001, since those are the groups I
> need. From what I'm seeing, I need to add that to /etc/ldap.conf in the
> nss_base_ section, but how to do it isn't clear.
> Do I just enter it as a standard LDAP filter? In this case, I think I'd
> want (|(gidNumber=10038)(gidNumber=10001)), but the syntax really isn't
> clear from the file. Would it just be
> nss_base_passwd (|(gidNumber=10038)(gidNumber=10001))?one
> That's what it looks like, anyway... if anyone can give me an answer,
> or at least point me towards a good source of documentation on this, I'd
> appreciate it.
> Alex McKenzie
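Added example, not part of the thread or of nss_ldap/pam_ldap: a small
simulation of the two mechanisms discussed above, run against constructed
LDAP entries. It parses the (|(gidNumber=10038)(gidNumber=10001)) filter
the way a search filter on nss_base_passwd would be applied, and separately
checks pam_groupdn-style membership via memberUid. The point it makes
visible is a caveat worth knowing before relying on the filter approach:
gidNumber on a posixAccount is the user's primary group only, so a user who
belongs to the group through memberUid but has a different primary group is
excluded by the filter yet admitted by the pam_groupdn check. All entries,
uids and group names below are constructed for the example; the tiny filter
evaluator supports only equality, AND, OR and NOT, and is not the library's
own code.

```python
"""Simulate the two LDAP-group access controls from the thread:
an nss_base_passwd search filter on gidNumber (primary group only) and a
pam_groupdn / pam_member_attribute membership check on memberUid."""

# Constructed sample entries (assumption: not from any real directory).
USERS = [
    {"uid": "alice", "gidNumber": "10038"},
    {"uid": "bob",   "gidNumber": "10001"},
    {"uid": "carol", "gidNumber": "20000"},   # primary group elsewhere
    {"uid": "dave",  "gidNumber": "30000"},
]

# Constructed posixGroup entry standing in for the cn=schnell group.
GROUP_SCHNELL = {
    "cn": "schnell",
    "gidNumber": "10038",
    "memberUid": ["alice", "carol"],          # carol is a secondary member
}

# The filter proposed in the thread.
FILTER_FROM_THREAD = "(|(gidNumber=10038)(gidNumber=10001))"


def _parse(s, i):
    """Parse one filter component starting at s[i] == '('.
    Returns (node, next_index). Nodes are ('eq', attr, value),
    ('&', [nodes]), ('|', [nodes]) or ('!', node)."""
    if s[i] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated NOT filter")
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("eq", attr, value), end + 1


def _eval(node, entry):
    """Evaluate a parsed filter node against an entry (attr -> str | list)."""
    kind = node[0]
    if kind == "eq":
        _, attr, value = node
        present = entry.get(attr, [])
        values = present if isinstance(present, list) else [present]
        return value in values
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    return not _eval(node[1], entry)          # '!'


def ldap_filter_matches(filter_str, entry):
    """True if the entry satisfies the filter (equality, AND, OR, NOT only)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return _eval(node, entry)


def users_visible_to_nss(users, filter_str):
    """Simulate a filtered nss_base_passwd search: only matching entries
    resolve to POSIX accounts; everyone else has no account at all."""
    return [u["uid"] for u in users if ldap_filter_matches(filter_str, u)]


def pam_groupdn_allows(uid, group_entry, member_attribute="memberUid"):
    """Simulate pam_groupdn with pam_member_attribute: login is permitted
    only if the uid is listed in the group's member attribute."""
    return uid in group_entry.get(member_attribute, [])


if __name__ == "__main__":
    print("nss filter admits:", users_visible_to_nss(USERS, FILTER_FROM_THREAD))
    for u in USERS:
        print(u["uid"], "pam_groupdn allows:",
              pam_groupdn_allows(u["uid"], GROUP_SCHNELL))
```

Running it shows alice and bob passing the gidNumber filter while carol,
who is a memberUid of the group but has another primary group, passes only
the pam_groupdn check. For the "multiple groups" wish above, the share-level
setting is the easier route: the valid users parameter in smb.conf takes a
comma-separated list, so several @group entries can be listed together.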