[Samba] Allow access to a share for only one machine account

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 23 06:17:36 MDT 2014


On 23/04/14 10:55, steve wrote:
> On Tue, 2014-04-22 at 17:00 +0100, Rowland Penny wrote:
>> On 21/04/14 13:15, steve.lcb wrote:
>>> On Mon, 2014-04-21 at 04:23 -0700, Danny Fedor wrote:
>>>> Thank you for your replies.
>>>>
>>>> As for hosts allow -- if I'm not wrong this works only in the global section
>>>> of smb.conf and limits access to all shares. I need to limit access only to
>>>> one of them.
>>>>
>>>> I have tried to set permissions of the share to allow r/w only for the
>>>> "Domain Controllers" group, but it doesn't work; I think it expects the
>>>> connecting user to be a member of the group, not the connecting machine. Is
>>>> it even possible to limit access to a share based on a computer the user is
>>>> connecting from? As far as I know, using NTFS permissions, it isn't.
>>>>
>>>> But in the link I've posted, they managed to achieve that through "valid
>>>> users" directive in smb.conf which for me should look something like this:
>>>>
>>>> [share]
>>>> valid users = UBUNTU1$
>>>>
>>>> However, when they run klist on their machine (in their case rhls64$), it
>>>> shows the machine has ticket with its credentials. When I run klist on my
>>>> UBUNTU1 (or even UBUNTU2) it shows nothing.
>>>>
>>>> If I run "kinit UBUNTU1$" kerberos replies with:
>>>> Client 'UBUNTU1$@MY.DOMAIN' not found in Kerberos database while getting
>>>> initial credentials.
>>> That's odd. The DC can't kinit itself?
>>> kinit UBUNTU1$
>>> should ask you for a password
>>>
>>> UBUNTU1$ and UBUNTU2$ are replicating DCs? Is DNS setup OK? What do you
>>> have at:
>>> /etc/krb5.conf
>>> ?
>>> Cheers,
>>> Steve
>>>
>>>
>> AH, but this is Linux and he will be running a bash terminal, in which case
>> he should try 'kinit UBUNTU1\$@MY.DOMAIN'
>>
>> Rowland
>>
> But kinit seems to have appended the realm correctly:
> Client 'UBUNTU1$@MY.DOMAIN' not found
> Steve
>
>
I think that this is just a red herring (for the non-English speaking, 
this means that it is misleading). This guy's problems seem to stem from 
an article he found on the web. The article in question (if you read it 
fully) is all about getting a samba3 client to connect to a share on 
another samba3 machine, and the cure was to add the machine account as a 
local Unix user to the machine.

With AD, you no longer have local users, they all need to be in AD, so 
this approach will not work. I do not know if the OP is trying to get 
Unix local users to connect to an AD share, but I suspect he is; this 
will not work!

He needs to add all his users to AD, give them uidNumbers & 
gidNumbers, create an AD group to connect to the share on UBUNTU2, add 
the users he wants to connect to the share to the group and then set up 
the ACLs on the share to only allow access to the share from the group.

Rowland
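The thread turns on where smb.conf access parameters take effect: a parameter under [global] is the default for every share, and the same parameter written inside a share section overrides it for that share only, which is how `valid users` (with an AD group, as recommended above) or `hosts allow` can limit a single share. The following is an added example, not code from this thread or from the Samba project: a small parser that resolves the effective `hosts allow` / `valid users` setting per share and reports which shares carry no user restriction at all. The smb.conf text, domain, group, host and path names are constructed placeholders.

```python
"""Report the effective 'hosts allow' / 'valid users' restriction on each share.

Added example, not code from the mailing-list thread or the Samba project.
It applies smb.conf's scoping rule: a parameter set under [global] is the
default for every share, and the same parameter inside a share section
overrides it for that share only.
"""
import re

# Constructed sample smb.conf; every name and address here is a placeholder.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = MYDOM
    realm = MY.DOMAIN
    # default for every share unless the share sets its own
    hosts allow = 192.168.10.0/24

[group-share]
    path = /srv/group-share
    ; members of an AD group only, the approach recommended in the thread
    valid users = @MYDOM\share-users
    read only = no

[host-share]
    path = /srv/host-share
    # share-level override narrows the global default to one address
    allow hosts = 192.168.10.5

[public]
    path = /srv/public
    read only = yes
"""

# Parameters that restrict who or what may connect to a share.
RESTRICTING_KEYS = ("hosts allow", "hosts deny", "valid users", "invalid users")

# smbd accepts synonyms for some parameters; map them to the canonical name.
SYNONYMS = {"allow hosts": "hosts allow", "deny hosts": "hosts deny"}


def normalise_key(key):
    """Lower-case, collapse whitespace and resolve synonyms, like smbd does."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section_name: {parameter: value}}; comments (# and ;) are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalise_key(key)] = value.strip()
    return sections


def effective_restrictions(sections):
    """Per share: each restricting parameter with its value and where it came from.

    A share's own setting wins; otherwise the [global] value applies as default.
    """
    global_params = sections.get("global", {})
    result = {}
    for name, params in sections.items():
        if name == "global":
            continue
        merged = {}
        for key in RESTRICTING_KEYS:
            if key in params:
                merged[key] = (params[key], "share")
            elif key in global_params:
                merged[key] = (global_params[key], "global")
        result[name] = merged
    return result


def shares_without(sections, key):
    """Sorted share names that have no value for `key` at share or global level."""
    return sorted(
        name for name, restr in effective_restrictions(sections).items()
        if key not in restr
    )


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, restr in effective_restrictions(conf).items():
        print(f"[{share}]")
        for key, (value, origin) in restr.items():
            print(f"  {key} = {value}   (from {origin})")
    print("shares open to any authenticated user:",
          shares_without(conf, "valid users"))
```

Run against a real smb.conf by replacing `SAMPLE_SMB_CONF` with the file's contents; the "from global" / "from share" origin column makes it obvious when a share is only covered by the global default rather than its own restriction.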

