[Samba] Share-based security
Bruno Martins
bmartins at galileu.pt
Sat Feb 4 04:22:59 MST 2012
Hello guys,
I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with winbind authentication on our internal network.
Now I want to expose one share and one printer to another network (192.168.2.0/24), so now this server is configured with two NICs.
My smb.conf is as follows:

[global]
    workgroup = GALILEU-F
    realm = GALILEU-F.GALILEU.PT
    server string = Samba Server Version %v
    security = ADS
    auth methods = winbind
    password server = 192.168.0.2
    username map = /etc/samba/smbusers
    log file = /var/log/samba/log.%m
    max log size = 50
    printcap name = cups
    local master = No
    dns proxy = No
    ldap ssl = no
    idmap backend = tdb
    idmap alloc backend = tdb
    idmap uid = 5000-6000
    idmap gid = 5000-6000
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    guest ok = Yes
    hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
    cups options = raw
    guest account = nobody

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[dropbox]
    comment = Partilha das Galileus
    path = /home/joe/Dropbox
    admin users = ghelpdesk, a230w
    write list = ghelpdesk, a230w
    read only = No
    acl group control = Yes
    create mask = 0777
    directory mask = 0777
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    guest ok = No
    map acl inherit = Yes

[print$]
    comment = Printer Drivers
    guest only = yes
    path = /var/lib/samba/drivers
    write list = ghelpdesk, a230w

[sharpdesk]
    comment = Sharpdesk
    path = /home/fotocopiadora/sharpdesk
    write list = "@domain users"
    read only = No

[formacao]
    comment = Partilha Formacao
    path = /home/joe/Formacao
    guest ok = yes
    browseable = yes
    read only = no
    write list = bmartins, amoreira

The share to expose is 'formacao', but I want it to be writable only by two AD users and read-only for everyone else. Also, users on the 192.168.2.0 network should not even be able to list other shares/printers.
With the smb.conf mentioned above, Windows keeps asking me for authentication.
Can you please help me with this? Is this possible to do with Samba/CUPS?
Also if you could give me some security tips or documentation to read on this, it would be helpful.
Best regards,
Bruno Martins
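
An added example, not part of the original post and not Samba's own code: a small Python audit that applies [global] defaults to each share in a constructed sample reduced from the smb.conf above, then reports where `guest ok` is in effect and where `read only = no` leaves a `write list` with nothing to restrict. The names `parse`, `audit` and `SAMPLE` are hypothetical; the check reads share-level parameters only and does not consider `map to guest`, `hosts allow` or filesystem permissions.

```python
# Constructed sample: sections reduced from the smb.conf in the post above.
SAMPLE = """
[global]
guest ok = Yes
[dropbox]
read only = No
guest ok = No
write list = ghelpdesk, a230w
[sharpdesk]
read only = No
write list = "@domain users"
[formacao]
guest ok = yes
read only = no
write list = bmartins, amoreira
"""

YES = {"yes", "true", "1"}
INVERTED = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"

def parse(text):
    """Return {section: {parameter: value}}; names lose case and spaces."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = "".join(key.split()).lower()
            if key in INVERTED:  # "writable = yes" means "read only = no"
                key, value = "readonly", "no" if value.lower() in YES else "yes"
            current["guestok" if key == "public" else key] = value
    return sections

def audit(text):
    """Map each share to findings once [global] defaults are applied."""
    sections, report = parse(text), {}
    for share in (s for s in sections if s != "global"):
        eff = {**sections.get("global", {}), **sections[share]}  # share wins
        guest = eff.get("guestok", "no").lower() in YES
        writable = eff.get("readonly", "yes").lower() not in YES
        checks = [(guest, "guest ok in effect"),
                  (writable and "writelist" in eff, "write list does not limit writers"),
                  (guest and writable, "share-level write open to guests")]
        report[share] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, [sharpdesk] never mentions guests yet inherits `guest ok = Yes` from [global], while [dropbox] overrides it; a share with `read only = yes` plus a `write list` produces no write-related finding.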