[Samba] A question about Samba, authentication, groups, quotas, etc.

Grant grantliddle at gmail.com
Wed Sep 22 22:44:57 MDT 2010


On Sep 22, 2010, at 9:24 AM, Madhusudan Singh <singh.madhusudan at gmail.com> wrote:

> Hello,
> 
> Server: Ubuntu Lucid server version
> Role: Samba file server (I administer it)
> Authentication: Against a Windows AD (I do not administer it) using winbind.
> No other authentication scheme is practicable/possible - I do NOT want to
> manage passwords locally on this machine.
> LDAP: Not explicitly configured - local policies require a binary *.so file
> that does not work with Debian based systems (I don't set this policy).
> 
> Status: Authentication works and shares have been set up. People from
> Windows, Mac and Linux can successfully access their shares. The system is
> firewall and samba (hosts deny, hosts allow) secured to deny access from
> anyone outside of the network.
> 
> Excerpt from /etc/samba/smb.conf:
> 
>   security = ads
>   realm = <AD server name in capital case>
>   password server = AD server name
>   workgroup = LOCALGROUP
>   idmap uid = 500-1000000
>   idmap gid = 500-1000000
>   winbind separator = +
>   winbind enum users = no
>   winbind enum groups = no
>   winbind use default domain = yes
>   template homedir = /home/%D/%U
>   template shell = /bin/bash
>   client use spnego = yes
>   domain master = no
> 
> [homes]
>   comment = Home Directories
>   browseable = no
>   read only = no
>   create mask = 0700
>   directory mask = 0700
>   valid users = %U
>   invalid users = root bin daemon nobody named sys tty disk users
> 
> I want to make certain things happen with this, but being a slight Samba
> newbie (and generally impatient of anything windows related) I do not know
> the best way forward (or if what I want is even possible). The situation:
> 
> Consider sets of people
> 
> A = a colossal set of about 10000 people, each of which can authenticate
> against the AD referenced above.
> B = a set of about 30 people - a subset of A (every member of B is a member
> of A)
> C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E
> is non-zero. The union of C, D and E is a subset of B. Wish I could draw a
> Venn diagram.
> 
> All these sets have a fluid membership (people come and go). But the set
> relationships above, and the rough numbers above, remain more or less
> constant.
> 
> I want:
> 
> 1. No member of A that is not a member of B to ever be able to access any
> shares on the server.
> 2. No member of B to be able to access the home directories (under
> /home/LOCALGROUP/) that are not his / her own, or one of C, D, or E (read on)
> if he / she is also a member of C, D or E.
> 3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D
> or E) but no one else should be able to.
> 4. Impose quotas on all members of B (have maximum upper sizes for
> /home/LOCALGROUP/<member of B>) and have fixed sizes for C, D and E.
> 
> If this were a simple Unix setup, I would define group memberships (and
> impose quota on /home). But this is a little bit different (and the users
> are not even listed in /etc/passwd), and I am a bit new to Samba.
> 
> Any suggestions?
> 
> Thanks.
> --

Since you are already doing everything based on AD ...
Have the Windows folks make AD security groups for your groups B, C, D, E, and then filter the shares using smb.conf entries like

  valid users = @ad\groupB
  write list = @ad\groupB

To make it really convenient for you, have the AD team make you an admin for a small area in AD where you set up and administer your groups using Active Directory Users and Computers on a Windows box.
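The smb.conf fragment below is an added example, not part of Grant's reply or the original poster's configuration; it shows one way to lay out the shares for points 1 to 4 of the question using AD security groups as Grant suggests. The group names (groupB, groupC), the realm, and the project share paths are assumptions, and the groups are written without a domain prefix because the poster's config sets `winbind use default domain = yes`.

```ini
# Added example (not from the thread): AD-group-based share filtering
# for the setup described in the question.  groupB/groupC, the realm and
# the paths are placeholders; substitute the names the AD team creates.
[global]
  security = ads
  realm = EXAMPLE.REALM            ; placeholder for the real AD realm
  workgroup = LOCALGROUP
  idmap uid = 500-1000000
  idmap gid = 500-1000000
  winbind separator = +
  winbind use default domain = yes
  template homedir = /home/%D/%U
  template shell = /bin/bash

  # Point 1: a share-level default inherited by every share that does
  # not set its own "valid users".  Anyone in A but not in B is refused
  # on every share, even though AD authenticated them.
  valid users = @groupB

[homes]
  comment = Home Directories
  browseable = no
  read only = no
  create mask = 0700
  directory mask = 0700
  # "valid users" is an OR list, so Samba cannot require "member of B"
  # AND "owner of this home" in one line.  The share check enforces
  # point 1; point 2 (B members cannot read each other's homes) relies
  # on each home directory being mode 0700 and owned by its user, e.g.
  # created by pam_mkhomedir with umask=0077.
  valid users = @groupB

[projectC]
  comment = Project C shared directory
  path = /home/LOCALGROUP/C
  browseable = no
  read only = no
  # Point 3: only members of the AD group may connect or write.
  valid users = @groupC
  write list = @groupC
  # Point 4: files are created owned by the project group so a group
  # quota on the /home filesystem caps the directory's total size.
  force group = groupC
  create mask = 0660
  directory mask = 0770
# Repeat the [projectC] block for D and E with their own group and path.
```

Two caveats a practitioner would check: first, `%U` expands to the session user name, so a `valid users = %U` line admits every authenticated user and does not restrict anything; the per-share `@groupB` check above is what actually excludes A minus B. Second, Samba does not impose disk quotas itself. The kernel enforces quotas per UID and GID on the filesystem that holds /home (mounted with `usrquota,grpquota`), and because winbind maps every AD account to a UID in the `idmap uid` range, a normal `setquota -u` on the mapped user (look it up with `id <user>`) gives each member of B a maximum home size, while a group quota on groupC combined with `force group` gives the project directories a fixed size. Test the result with `testparm` and by connecting as a member of A who is not in B, who should be refused on every share.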

