[Samba] A question about Samba, authentication, groups, quotas, etc.

Madhusudan Singh singh.madhusudan at gmail.com
Wed Sep 22 10:24:44 MDT 2010


Server: Ubuntu Lucid server version
Role: Samba file server (I administer it)
Authentication: Against a Windows AD (I do not administer it) using winbind.
No other authentication scheme is practicable/possible - I do NOT want to
manage passwords locally on this machine.
LDAP: Not explicitly configured - local policies require a binary *.so file
that does not work with Debian based systems (I don't set this policy).

Status: Authentication works and shares have been set up. People from
Windows, Mac and Linux can successfully access their shares. The system is
firewall and samba (hosts deny, hosts allow) secured to deny access from
anyone outside of the network.

Excerpt from /etc/samba/smb.conf:

   security = ads
   realm = <AD server name in capital case>
   password server = AD server name
   workgroup = LOCALGROUP
   idmap uid = 500-1000000
   idmap gid = 500-1000000
   winbind separator = +
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no

   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %U
   invalid users = root bin daemon nobody named sys tty disk users

I want to make certain things happen with this, but being a slight Samba
newbie (and generally impatient of anything Windows related) I do not know
the best way forward (or if what I want is even possible). The situation:

Consider sets of people

A = a colossal set of about 10000 people, each of which can authenticate
against the AD referenced above.
B = a set of about 30 people - a subset of A (every member of B is a member
of A)
C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E
is non-zero. The union of C, D and E is a subset of B. Wish I could draw a
Venn diagram.

All these sets have a fluid membership (people come and go). But the set
relationships above, and the rough numbers above remain more or less

I want:

1. No member of A that is not a member of B to ever be able to access any
shares on the server.
2. No member of B to be able to access the home directories (under
/home/LOCALGROUP/) that are not his / her own or one of C, D, or E (read on)
if he / she is also a member of C, D or E.
3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D
or E) but no one else should be able to.
4. Impose quotas on all members of B (have maximum upper sizes for
/home/LOCALGROUP/<member of B>) and have fixed sizes for C, D and E.

If this were a simple Unix setup, I would define group memberships (and
impose quota on /home). But this is a little bit different (and the users
are not even listed in /etc/passwd), and I am a bit new to Samba.

Any suggestions?
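One way to express requirements 2 and 3 in smb.conf, added here as an illustration and not part of the original post or any reply: B, C, D and E stand in for the real AD group names, and the fragment assumes the AD groups already resolve as UNIX groups through winbind in nsswitch (they must, since authentication works). Note the change from "valid users = %U" to "%S" in [homes]: %U is the connecting user, so it admits any authenticated user to any home share at the Samba layer (only the 0700 mode stops them), whereas %S is the requested share's owner.

```ini
[global]
   ; existing settings from the post stay as they are (security = ads,
   ; winbind separator = +, winbind use default domain = yes, ...).
   ; With "winbind use default domain = yes" AD groups are referenced by
   ; their bare name; B, C, D, E below are placeholders for the real names.

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   ; %S = name of the requested home share (its owner);
   ; %U = the connecting user. Only the owner may connect.
   valid users = %S
   invalid users = root bin daemon nobody named sys tty disk users

; One section per project group (repeat for D and E). Only members of the
; AD group may connect; files are created group-owned and group-writable
; so that members of the group can work on them together.
[C]
   comment = Group C share
   path = /home/LOCALGROUP/C
   browseable = no
   read only = no
   valid users = @C
   force group = C
   create mask = 0660
   directory mask = 0770
```

Samba does not enforce disk quotas itself; once users and groups carry winbind-mapped uids and gids, requirement 4 is ordinary filesystem quota on /home (a per-user quota for each member of B, a per-group quota on the force group of each project share). Requirement 1 cannot be expressed with "valid users" on [homes] alone (the list is OR, not AND); creating home directories only for members of B is enough, because smbd refuses a [homes] connection whose directory does not exist.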


