[Samba] Share-based security

Jorell JorellF at fastmail.net
Sat Feb 4 10:22:11 MST 2012


On 2/4/2012 3:22 AM, Bruno Martins wrote:
> Hello guys,
>
> I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with winbind authentication on our internal network.
> Now I want to expose one share and one printer to another network (192.168.2.0/24), so now this server is configured with two NICs.
>
> My smb.conf is as follows:
>
> [global]
>          workgroup = GALILEU-F
>          realm = GALILEU-F.GALILEU.PT
>          server string = Samba Server Version %v
>          security = ADS
>          auth methods = winbind
>          password server = 192.168.0.2
>          username map = /etc/samba/smbusers
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          printcap name = cups
>          local master = No
>          dns proxy = No
>          ldap ssl = no
>          idmap backend = tdb
>          idmap alloc backend = tdb
>          idmap uid = 5000-6000
>          idmap gid = 5000-6000
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          guest ok = Yes
>          hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
>          cups options = raw
>          guest account = nobody
>
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          printable = Yes
>          browseable = No
>
> [dropbox]
>          comment = Partilha das Galileus
>          path = /home/joe/Dropbox
>          admin users = ghelpdesk, a230w
>          write list = ghelpdesk, a230w
>          read only = No
>          acl group control = Yes
>          create mask = 0777
>          directory mask = 0777
>          inherit permissions = Yes
>          inherit acls = Yes
>          inherit owner = Yes
>          guest ok = No
>          map acl inherit = Yes
>
> [print$]
>          comment = Printer Drivers
>          guest only = yes
>          path = /var/lib/samba/drivers
>          write list = ghelpdesk, a230w
>
> [sharpdesk]
>          comment = Sharpdesk
>          path = /home/fotocopiadora/sharpdesk
>          write list = "@domain users"
>          read only = No
>
> [formacao]
>          comment = Partilha Formacao
>          path = /home/joe/Formacao
>          guest ok = yes
>          browseable = yes
>          read only = no
>          write list = bmartins, amoreira
>
> Share to expose is 'formacao' but I want it to be only writable by two AD users and read-only for everyone else. Also, users on 192.168.2.0 network should not be able to even list other shares/printers.
> With the smb.conf above mentioned, Windows keeps asking me for authentication.
>
> Can you please help me on this? Is this possible to do with Samba/CUPS?
>
> Also if you could give me some security tips or documentation to read on this, it would be helpful.
>
> Best regards,
>
> Bruno Martins

Do those users have write access to that directory in Linux?
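
Added example, not part of the original thread: a small Python audit of the effective per-share settings in an smb.conf, run over a constructed sample trimmed from the configuration quoted above. It assumes Samba's documented defaults (`guest ok = no`, `read only = yes`) and that share parameters set in `[global]` act as defaults for every share; the names `parse` and `audit` are hypothetical.

```python
# Added example: effective per-share access in an smb.conf. SAMPLE is constructed (trimmed from the post).
SAMPLE = """\
[global]
    guest ok = Yes
    hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
[dropbox]
    write list = ghelpdesk, a230w
    read only = No
    guest ok = No
[formacao]
    guest ok = yes
    read only = no
    write list = bmartins, amoreira
[sharpdesk]
    write list = "@domain users"
    read only = No
"""

TRUE = {"yes", "true", "1"}  # boolean spellings treated as true in this example

def parse(text):
    """Return {section: {param: value}}; names are lowercased and spaces in them ignored."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            k, v = line.split("=", 1)
            cur["".join(k.lower().split())] = v.strip()
    return conf

def audit(text):
    """Resolve each share's settings against [global] and note risky combinations."""
    conf = parse(text)
    g, report = conf.pop("global", {}), {}
    for name, share in conf.items():
        eff = lambda key, default, s=share: s.get(key, g.get(key, default))
        guest = eff("guestok", "no").lower() in TRUE        # assumed default: guest ok = no
        read_only = eff("readonly", "yes").lower() in TRUE  # assumed default: read only = yes
        notes = []
        if not read_only and eff("writelist", ""):
            notes.append("write list has no effect: share is already writable by every connected user")
        if guest and not read_only:
            notes.append("guests may write, subject to filesystem permissions")
        report[name] = {"guest_ok": guest, "read_only": read_only, "hosts_allow": eff("hostsallow", ""), "notes": notes}
    return report
```

On the sample, `audit(SAMPLE)` flags `formacao` on both counts and shows `sharpdesk` inheriting `guest ok = Yes` from `[global]`; changing `formacao` to `read only = yes` while keeping its `write list` clears its notes.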


