[Samba] Allow access to a share for only one machine account
Rowland Penny
rowlandpenny at googlemail.com
Mon Apr 21 03:04:16 MDT 2014
On 20/04/14 21:14, Danny Fedor wrote:
> I have two domain controllers running ubuntu (12.04 and 13.10) both with
> samba (4.1.6 and 4.1.7) installed and running (and with sssd on both
> machines to retrieve uid/gid from AD). I wish to set a share on ubuntu2 in
> the way so it could be accessible only from ubuntu1 (and by any user from
> ubuntu1, for instance by local root).
>
> I have found this solution though I'm not sure it solves my issue:
> http://community.centrify.com/t5/Centrify-enabled-Samba/How-to-allow-Windows-machine-accounts-to-connect-to-a-share-as/td-p/11834
>
> Anyway, it does not work -- klist doesn't return any ticket for the machine
> account on either ubuntu1 or ubuntu2 (yet both machines are listed in AD in
> the group "Domain Computers") if I'm logged in as a local user (if I log in as
> a domain user, then klist correctly shows a ticket for my user account, but
> still none for the machine).
>
> Is there any other, better way to set this up?
>
>
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Allow-access-to-a-share-for-only-one-machine-account-tp4664550.html
I think that you are misunderstanding how Samba 4 in AD mode works: you
can have local users and you can have domain users, but the two cannot
meet ;-)
You can have a local user on ubuntu1 and a local user with the same name
on ubuntu2, but they would not be the same user! You might think they
are the same user, but as far as ubuntu1 & ubuntu2 are concerned, they
are different.
You need to forget local users, put everybody into AD, use rfc2307
attributes, create an AD group for the users that need to access the
share, then use setfacl to set up the access to the share.
Rowland
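As an added example, not part of the original thread, here is how the last step of Rowland's advice (an AD group for the users, then setfacl on the share directory) could be carried out on the Samba host. The share path /srv/share1 and the group name share1-users are assumed for illustration, as is the assumption that sssd resolves the AD group under that plain name (with use_fully_qualified_names it would be share1-users@yourdomain instead).

```shell
#!/bin/sh
# Added example: restrict a Samba share directory to one AD group with POSIX ACLs.
# Prerequisites on a DC (real samba-tool subcommands, names are assumed):
#   samba-tool group add share1-users
#   samba-tool group addmembers share1-users someuser
# The group also needs an rfc2307 gidNumber so it resolves to a Unix gid on
# every member server, as the reply above recommends.
set -e

# Build the entry list handed to setfacl: the owner keeps rwx, the owning
# group and "other" get nothing, only the named AD group gets rwx, and the
# mask is set explicitly so the group's effective rights are not reduced.
# Names containing ':' or ',' would break the setfacl syntax, so reject them.
acl_spec() {
    group="$1"
    case "$group" in
        ''|*:*|*,*) echo "acl_spec: invalid group name '$group'" >&2; return 1 ;;
    esac
    printf 'u::rwx,g::---,o::---,g:%s:rwx,m::rwx' "$group"
}

# Apply the entries both as the access ACL (the directory itself) and as the
# default ACL, so files and subdirectories created through the share inherit
# them instead of falling back to the creator's umask.
apply_share_acl() {
    share="$1"; group="$2"
    spec="$(acl_spec "$group")" || return 1
    # Refuse to proceed if the name does not resolve to a group on this host;
    # otherwise setfacl would fail or, worse, bind the ACL to the wrong gid.
    getent group "$group" >/dev/null || { echo "group '$group' does not resolve" >&2; return 1; }
    chown root:root "$share"
    chmod 0770 "$share"        # base mode; the ACL mask then governs the named group
    setfacl -b "$share"        # start from a clean slate
    setfacl -m "$spec" "$share"
    setfacl -d -m "$spec" "$share"
    getfacl -p "$share"        # show the result for verification
}

# Usage (run as root on the Samba member server exporting the share):
#   apply_share_acl /srv/share1 share1-users
```

Check afterwards with `getent group share1-users` on the server and `getfacl /srv/share1`; if the group does not resolve there, the ACL cannot be applied, which is exactly the local-versus-domain mismatch described above. Nothing here grants access to local users on the client: any account that should reach the share has to be an AD user in that group.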