[Samba] Allow access to a share for only one machine account

steve steve at steve-ss.com
Wed Apr 23 03:55:49 MDT 2014


On Tue, 2014-04-22 at 17:00 +0100, Rowland Penny wrote:
> On 21/04/14 13:15, steve.lcb wrote:
> > On Mon, 2014-04-21 at 04:23 -0700, Danny Fedor wrote:
> >> Thank you for your replies.
> >>
> >> As for hosts allow -- if I'm not wrong this works only in the global section
> >> of smb.conf and limits access to all shares. I need to limit access only to
> >> one of them.
> >>
> >> I have tried to set permissions of the share to allow r/w only for the
> >> "Domain Controllers" group, but it doesn't work; I think it expects the
> >> connecting user to be a member of the group, not the connecting machine. Is
> >> it even possible to limit access to a share based on a computer the user is
> >> connecting from? As far as I know, using NTFS permissions, it isn't.
> >>
> >> But in the link I've posted, they managed to achieve that through "valid
> >> users" directive in smb.conf which for me should look something like this:
> >>
> >> [share]
> >> valid users = UBUNTU1$
> >>
> >> However, when they run klist on their machine (in their case rhls64$), it
> >> shows the machine has a ticket with its credentials. When I run klist on my
> >> UBUNTU1 (or even UBUNTU2) it shows nothing.
> >>
> >> If I run "kinit UBUNTU1$" kerberos replies with:
> >> Client 'UBUNTU1$@MY.DOMAIN' not found in Kerberos database while getting
> >> initial credentials.
> > That's odd. The DC can't kinit itself?
> > kinit UBUNTU1$
> > should ask you for a password
> >
> > UBUNTU1$ and UBUNTU2$ are replicating DCs? Is DNS set up OK? What do you
> > have at:
> > /etc/krb5.conf
> > ?
> > Cheers,
> > Steve
> >
> >
> Ah, but this is Linux and he will be running a bash terminal, in which case
> he should try 'kinit UBUNTU1\$@MY.DOMAIN'
> 
> Rowland
> 
But kinit seems to have appended the realm correctly:
Client 'UBUNTU1$@MY.DOMAIN' not found
Steve
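
Added example, not part of the original thread: a POSIX shell sketch of what reaches kinit as the principal argument for each way of typing the machine account discussed above. The function names and the `machine_principal` helper are hypothetical; `UBUNTU1` and `MY.DOMAIN` are the names used in the thread.

```shell
#!/bin/sh
# Added example: how the shell rewrites a machine principal before kinit
# ever sees it. Each function clears its positional parameters with
# `set --` to mimic an interactive prompt, where "$@" is empty.

# Trailing "$" with nothing after it: kept as a literal character, so
# kinit receives UBUNTU1$ and appends the default realm itself.
typed_bare() { set --; printf '%s' UBUNTU1$; }

# Unquoted "$@" inside the word: expands to the (empty) positional
# parameters, so both the "$" and the "@" disappear.
typed_unquoted_realm() { set --; printf '%s' UBUNTU1$@MY.DOMAIN; }

# Backslash-escaped "$": the full principal survives.
typed_escaped() { set --; printf '%s' UBUNTU1\$@MY.DOMAIN; }

# Single-quoted word: nothing is expanded.
typed_single_quoted() { set --; printf '%s' 'UBUNTU1$@MY.DOMAIN'; }

# Hypothetical helper: build the principal from host and realm without
# relying on the caller's quoting (the "$" lives in the printf format).
machine_principal() { printf '%s$@%s' "$1" "$2"; }

# Show what each spelling turns into.
for f in typed_bare typed_unquoted_realm typed_escaped typed_single_quoted; do
    printf '%-22s -> %s\n' "$f" "$($f)"
done
printf '%-22s -> %s\n' machine_principal "$(machine_principal UBUNTU1 MY.DOMAIN)"
```

Only the unquoted `$@` form is altered by the shell; the bare `UBUNTU1$` form arrives intact, which matches the principal shown in the error message quoted in the thread.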