[Samba] Share-based security
Jorell
JorellF at fastmail.net
Sat Feb 4 10:22:11 MST 2012
On 2/4/2012 3:22 AM, Bruno Martins wrote:
> Hello guys,
>
> I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with winbind authentication on our internal network.
> Now I want to expose one share and one printer to another network (192.168.2.0/24), so now this server is configured with two NICs.
>
> My smb.conf is as follows:
>
> [global]
> workgroup = GALILEU-F
> realm = GALILEU-F.GALILEU.PT
> server string = Samba Server Version %v
> security = ADS
> auth methods = winbind
> password server = 192.168.0.2
> username map = /etc/samba/smbusers
> log file = /var/log/samba/log.%m
> max log size = 50
> printcap name = cups
> local master = No
> dns proxy = No
> ldap ssl = no
> idmap backend = tdb
> idmap alloc backend = tdb
> idmap uid = 5000-6000
> idmap gid = 5000-6000
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> guest ok = Yes
> hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
> cups options = raw
> guest account = nobody
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [dropbox]
> comment = Partilha das Galileus
> path = /home/joe/Dropbox
> admin users = ghelpdesk, a230w
> write list = ghelpdesk, a230w
> read only = No
> acl group control = Yes
> create mask = 0777
> directory mask = 0777
> inherit permissions = Yes
> inherit acls = Yes
> inherit owner = Yes
> guest ok = No
> map acl inherit = Yes
>
> [print$]
> comment = Printer Drivers
> guest only = yes
> path = /var/lib/samba/drivers
> write list = ghelpdesk, a230w
>
> [sharpdesk]
> comment = Sharpdesk
> path = /home/fotocopiadora/sharpdesk
> write list = "@domain users"
> read only = No
>
> [formacao]
> comment = Partilha Formacao
> path = /home/joe/Formacao
> guest ok = yes
> browseable = yes
> read only = no
> write list = bmartins, amoreira
>
> Share to expose is 'formacao' but I want it to be only writable by two AD users and read-only for everyone else. Also, users on 192.168.2.0 network should not be able to even list other shares/printers.
> With the smb.conf above mentioned, Windows keeps asking me for authentication.
>
> Can you please help me on this? Is this possible to do with Samba/CUPS?
>
> Also if you could give me some security tips or documentation to read on this, it would be helpful.
>
> Best regards,
>
> Bruno Martins
Do those users have write access to that directory in Linux?
More information about the samba
mailing list