[Samba] Allow access to a share for only one machine account

steve steve at steve-ss.com
Wed Apr 23 07:00:46 MDT 2014


On Wed, 2014-04-23 at 13:17 +0100, Rowland Penny wrote:
> On 23/04/14 10:55, steve wrote:
> > On Tue, 2014-04-22 at 17:00 +0100, Rowland Penny wrote:
> >> On 21/04/14 13:15, steve.lcb wrote:
> >>> On Mon, 2014-04-21 at 04:23 -0700, Danny Fedor wrote:
> >>>> Thank you for your replies.
> >>>>
> >>>> As for hosts allow -- if I'm not wrong this works only in the global section
> >>>> of smb.conf and limits access to all shares. I need to limit access only to
> >>>> one of them.
> >>>>
> >>>> I have tried to set permissions of the share to allow r/w only for the
> >>>> "Domain Controllers" group, but it doesn't work; I think it expects the
> >>>> connecting user to be a member of the group, not the connecting machine. Is
> >>>> it even possible to limit access to a share based on a computer the user is
> >>>> connecting from? As far as I know, using NTFS permissions, it isn't.
> >>>>
> >>>> But in the link I've posted, they managed to achieve that through "valid
> >>>> users" directive in smb.conf which for me should look something like this:
> >>>>
> >>>> [share]
> >>>> valid users = UBUNTU1$
> >>>>
> >>>> However, when they run klist on their machine (in their case rhls64$), it
> >>>> shows the machine has ticket with its credentials. When I run klist on my
> >>>> UBUNTU1 (or even UBUNTU2) it shows nothing.
> >>>>
> >>>> If I run "kinit UBUNTU1$" kerberos replies with:
> >>>> Client 'UBUNTU1$@MY.DOMAIN' not found in Kerberos database while getting
> >>>> initial credentials.
> >>> That's odd. The DC can't kinit itself?
> >>> kinit UBUNTU1$
> >>> should ask you for a password
> >>>
> >>> UBUNTU1$ and UBUNTU2$ are replicating DCs? Is DNS setup OK? What do you
> >>> have at:
> >>> /etc/krb5.conf
> >>> ?
> >>> Cheers,
> >>> Steve
> >>>
> >>>
> >> AH, but this is Linux and he will be running a bash terminal, in which case
> >> he should try 'kinit UBUNTU1\$@MY.DOMAIN'
> >>
> >> Rowland
> >>
> > But kinit seems to have appended the realm correctly:
> > Client 'UBUNTU1$@MY.DOMAIN' not found
> > Steve
> >
> >
> I think that this is just a red herring (for the non-English speaking, 
> this means that it is misleading); this guy's problems seem to stem from 
> an article he found on the web. The article in question (if you read it 
> fully) is all about getting a samba3 client to connect to a share on 
> another samba3 machine, and the cure was to add the machine account as a 
> local Unix user to the machine.
> 
> With AD, you no longer have local users, they all need to be in AD, so 
> this approach will not work. I do not know if the OP is trying to get 
> Unix local users to connect to an AD share, but I suspect he is, this 
> will not work!
> 
> He needs to add all his users to AD, give them uidNumbers & 
> gidNumbers, create an AD group to connect to the share on UBUNTU2, add 
> the users he wants to connect to the share to the group and then set up 
> the ACLs on the share to only allow access to the share from the group.
> 
> Rowland

Hi
We are in total agreement with the local vs domain users slant. But
ubuntu1 is a DC and it can't obtain a tgt for itself? That's the bit we
don't get.
Cheers,
Steve
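Added configuration example, not taken from the thread or from the Samba project, showing the group-based restriction Rowland describes as an smb.conf share stanza. The domain name MYDOM, the group name share-users, the path /srv/share and the address 192.0.2.10 are placeholders; a working AD member or DC [global] section is assumed to be in place already. The `hosts allow` line is included because smb.conf(5) lists that parameter as usable inside a share section as well as in [global]; note that it filters on the connecting client's IP address, which is not the same thing as checking the machine account identity the thread is asking about.

```ini
; Assumes [global] already has realm, workgroup and security = ADS set up
; and that the AD users carry uidNumber/gidNumber attributes.
[share]
   path = /srv/share
   read only = no
   ; Only members of the placeholder AD group may connect to this share.
   ; The "@" prefix tells Samba to treat the name as a group.
   valid users = @MYDOM\share-users
   ; Share-level address filter (documented in smb.conf(5) as share-level).
   ; This limits which client addresses may reach the share; it does not
   ; authenticate the machine account. 192.0.2.10 is a placeholder address.
   hosts allow = 192.0.2.10
   hosts deny = ALL
```

Run `testparm -s` after editing to confirm the stanza parses, then check from the intended client with `smbclient -L` using a member of the group; a connection from any other address is refused by `hosts deny` before authentication is even attempted.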


