[Samba] Share-based security

Bruno Martins bmartins at galileu.pt
Sat Feb 4 04:22:59 MST 2012

Hello guys,

I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with winbind authentication on our internal network.
Now I want to expose one share and one printer to another network (, so now this server is configured with two NICs.

My smb.conf is as follows:

        workgroup = GALILEU-F
        realm = GALILEU-F.GALILEU.PT
        server string = Samba Server Version %v
        security = ADS
        auth methods = winbind
        password server =
        username map = /etc/samba/smbusers
        log file = /var/log/samba/log.%m
        max log size = 50
        printcap name = cups
        local master = No
        dns proxy = No
        ldap ssl = no
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap uid = 5000-6000
        idmap gid = 5000-6000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        guest ok = Yes
        hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
        cups options = raw
        guest account = nobody

        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

        comment = Partilha das Galileus
        path = /home/joe/Dropbox
        admin users = ghelpdesk, a230w
        write list = ghelpdesk, a230w
        read only = No
        acl group control = Yes
        create mask = 0777
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        guest ok = No
        map acl inherit = Yes

        comment = Printer Drivers
        guest only = yes
        path = /var/lib/samba/drivers
        write list = ghelpdesk, a230w

        comment = Sharpdesk
        path = /home/fotocopiadora/sharpdesk
        write list = "@domain users"
        read only = No

        comment = Partilha Formacao
        path = /home/joe/Formacao
        guest ok = yes
        browseable = yes
        read only = no
        write list = bmartins, amoreira

Share to expose is 'formacao' but I want it to be only writable by two AD users and read-only for everyone else. Also, users on network should not be able to even list other shares/printers.
With the smb.conf above mentioned, Windows keeps asking me for authentication.

Can you please help me on this? Is this possible to do with Samba/CUPS?

Also if you could give me some security tips or documentation to read on this, it would be helpful.

Best regards,

Bruno Martins

More information about the samba mailing list