[Samba] how to prevent copying programs on local harddisk from samba share

Hubert Choma hubert.ch at wp.pl
Thu Oct 14 00:48:19 MDT 2010


Hello

I have a Samba PDC (3.3.8-0.52.el5_5.2) on CentOS 5.5. My clients are 
Windows XP Pro SP3.

I have noticed that some users copy the whole program directory from the 
Samba share and run the program from a local drive, where they have full 
access. Write access to this share [geo$] is granted only to the @geo 
group; others cannot write. So they are working around this restriction!

How can I prevent users from copying programs from Samba shares to local 
drives and running them from there? Is there any way to secure the 
programs so that they can be run only from the Samba share?

Please help!

[global]
# Server-wide settings for a Samba 3.x domain controller ("domain logons = yes"
# below). Listening and client access are both limited to 10.10.10.0/24 and
# loopback (see "interfaces" here and "hosts allow" / "hosts deny" further down).
        workgroup = geodezja
# %v expands to the Samba version, so the server string advertises the exact
# version to clients.
        server string = Samba Server %v
        interfaces = 10.10.10.0/255.255.255.0 127.0.0.1
        bind interfaces only = Yes

# NOTE(review): "update encrypted" is a migration aid for moving from plaintext
# to encrypted passwords; confirm it is still needed on this server.
        update encrypted = Yes
# "client ntlmv2 auth" applies when Samba itself acts as an SMB client. Which
# authentication protocols this server accepts from its clients is controlled
# by other parameters (for example "ntlm auth" and "lanman auth"), none of
# which appear in this listing.
        client ntlmv2 auth = yes
        log level = 2 vfs:3 auth:2 passdb:3
# One log file per session user name (%U) and client NetBIOS name (%m); both
# values are supplied by the client.
        log file = /var/log/samba/%U.%m.log
        max log size = 500
#PERFORMANCE
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        read raw = yes
        write raw = yes
        max xmit = 65535
        large readwrite = yes

# Account-provisioning hooks: smbd runs these commands with %u / %g replaced
# by the requested user, group or machine name.
        add user script = /usr/sbin/useradd "%u" -n -g users
        add group script = /usr/sbin/groupadd "%g"
# NOTE(review): the next parameter (and the commented-out variant after it) was
# split across two lines by the mail archive's wrapping; in a real smb.conf the
# value has to be on one line or continued with a trailing backslash.
        add machine script = /usr/sbin/useradd -n -c "komputer (%u)" -M -d 
/nohome -s /bin/false "%u"
#       add machine script = /usr/sbin/useradd -g komputery -d /dev/null 
-s /bin/false -M "%u"


# Logon script is chosen by the user's primary group name (%G).
        logon script = %G.CMD

# Empty logon path / logon home: no roaming profile or home location is set.
        logon path =
        logon home =
        domain logons = yes
        os level = 128
        preferred master = yes
        domain master = yes
        local master = yes
        remote browse sync = none
        remote announce = none
        dns proxy = No
        wins support = yes
        name resolve order = wins hosts bcast
# Allow-list by source address: only the LAN and loopback may connect,
# everything else is denied.
        hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
        hosts deny = ALL
# User-level authentication with no guest fallback: empty passwords are
# refused and failed logons are never mapped to the guest account.
        security = user
        null passwords = no
        deadtime = 0
        map to guest = never
# "create mask" is a ceiling on the permission bits of newly created files;
# 0777 removes nothing, so files can end up group- and world-writable on the
# server filesystem.
        create mask = 0777
# With NT ACL support off, Windows clients cannot view or change permissions
# as NT ACLs; access control rests on the share parameters and Unix modes.
        nt acl support = no
        time server = yes
        enable privileges = yes
        passdb backend = tdbsam
# Maps client-supplied user names to Unix accounts; the map file's contents
# are not shown in this message.
        username map = /etc/samba/smbusers
        hide dot files = yes
        guest ok = no
        name cache timeout = 60


[geo$]
# Share that holds the program discussed in the message.
# Apart from "invalid users" and the Unix file permissions, nothing in this
# section limits reading: only writing is restricted (via "write list").
# A client that can read a file in order to run it can equally save those bytes
# locally; the server sees the same read requests in both cases, so share
# settings alone cannot allow "run from the share" while preventing a copy.
        comment = Mapa
#       oplock = yes
#       level2oplocks = yes
#       locking = yes
# NOTE(review): ", at ewidencja" looks like the list archive's e-mail
# obfuscation of ",@ewidencja" (a second group name) - confirm against the
# real smb.conf before reusing this line.
        invalid users = @geodeta, at ewidencja,
# Members of the Unix group "geo" get write access; no "read only" or
# "writable" setting appears in this section.
        write list = +geo
        path = /home/samba/geo
# Every file created through the share gets group "geo" and has all of
# rwxrwxrwx forced on, i.e. world-writable and executable on the server side.
# NOTE(review): since "force group" already gives share users the geo group, a
# narrower mode without the "other" bits (e.g. 0770) may be enough - confirm.
        force group = geo
        force create mode = 0777
# Stacked VFS modules: "recycle" moves deleted files into a per-user
# .recycle/%U directory, "full_audit" logs the file operations listed below.
        vfs object = recycle full_audit
        recycle:repository = .recycle/%U
        recycle:touch = true
        recycle:keeptree = true
        recycle:versions = false
        recycle:exclude = *.TMP *.STP
        recycle:directory_mode = 773
# Audit record prefix: Unix user | client NetBIOS name | client IP | share.
# %m is reported by the client, so correlate on %u and %I when reviewing logs.
        full_audit:prefix = %u|%m|%I|%S
# Successful reads are audited, so a user copying the whole directory should
# show up as a burst of read/pread records across many files from one client.
# NOTE(review): "open" is not in the list; adding it would give one record per
# file opened - confirm the log volume is acceptable.
# NOTE(review): the value below was wrapped by the mail archive ("pread" is on
# its own line); in a real smb.conf it must stay on one line.
        full_audit:success = read pwrite write rename unlink rmdir mkdir lock 
pread
        full_audit:failure = read write



