[Samba] Allow access to a share for only one machine account

Rowland Penny rowlandpenny at googlemail.com
Tue Apr 22 10:00:47 MDT 2014


On 21/04/14 13:15, steve.lcb wrote:
> On Mon, 2014-04-21 at 04:23 -0700, Danny Fedor wrote:
>> Thank you for your replies.
>>
>> As for hosts allow -- if I'm not wrong this works only in the global section
>> of smb.conf and limits access to all shares. I need to limit access only to
>> one of them.
>>
>> I have tried to set permissions of the share to allow r/w only for the
>> "Domain Controllers" group, but it doesn't work; I think it expects the
>> connecting user to be a member of the group, not the connecting machine. Is
>> it even possible to limit access to a share based on a computer the user is
>> connecting from? As far as I know, using NTFS permissions, it isn't.
>>
>> But in the link I've posted, they managed to achieve that through "valid
>> users" directive in smb.conf which for me should look something like this:
>>
>> [share]
>> valid users = UBUNTU1$
>>
>> However, when they run klist on their machine (in their case rhls64$), it
>> shows the machine has a ticket with its credentials. When I run klist on my
>> UBUNTU1 (or even UBUNTU2) it shows nothing.
>>
>> If I run "kinit UBUNTU1$" kerberos replies with:
>> Client 'UBUNTU1$@MY.DOMAIN' not found in Kerberos database while getting
>> initial credentials.
> That's odd. The DC can't kinit itself?
> kinit UBUNTU1$
> should ask you for a password
>
> UBUNTU1$ and UBUNTU2$ are replicating DCs? Is DNS setup OK? What do you
> have at:
> /etc/krb5.conf
> ?
> Cheers,
> Steve
>
>
Ah, but this is Linux and he will be running a bash terminal, in which case
he should try 'kinit UBUNTU1\$@MY.DOMAIN'

Rowland
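
Added example, not part of the original thread: a shell sketch of what happens to the '$' in a machine principal before kinit ever sees it, plus a guard a script can run on the principal first. The helper names as_typed and is_machine_principal are hypothetical; UBUNTU1 and MY.DOMAIN are the names used in the thread, and nothing here contacts a KDC.

```shell
#!/bin/sh
# Added example: shows the argument a shell hands to kinit for several ways
# of typing a machine principal. Inputs are constructed samples.

# Print the single word the shell produces when the given text is typed
# as-is at a prompt with no positional parameters set (the normal case for
# an interactive terminal). Only feed this trusted, constructed text: the
# text is parsed by a child shell on purpose.
as_typed() {
    sh -c "printf '%s' $1"
}

# Succeed only if the argument still looks like a machine principal,
# i.e. NAME$ or NAME$@REALM. Catches a '$' lost to shell expansion
# before the value is passed on to kinit or written into a config file.
is_machine_principal() {
    case $1 in
        *'$@'?*) return 0 ;;   # NAME$@REALM
        *'$')    return 0 ;;   # bare NAME$
        *)       return 1 ;;
    esac
}

# Demo: the same principal typed four ways.
for typed in \
    'UBUNTU1$' \
    'UBUNTU1$@MY.DOMAIN' \
    'UBUNTU1\$@MY.DOMAIN' \
    "'UBUNTU1\$@MY.DOMAIN'"
do
    seen=$(as_typed "$typed")
    if is_machine_principal "$seen"; then
        verdict="machine principal intact"
    else
        verdict="'\$' was consumed by the shell"
    fi
    printf '%-24s -> %-22s %s\n' "$typed" "$seen" "$verdict"
done
```

The unescaped realm form loses "$@" because the shell expands it to the (empty) list of positional parameters; the backslash and single-quoted forms both deliver the principal unchanged.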


