Nick Rout wrote:
On Wed, Aug 27, 2008 at 10:28 AM, Roger Searle <[EMAIL PROTECTED]> wrote:
Hi, subject line is what I originally thought was going on. I have a hardy
machine sharing a couple of folders via samba. Various users assigned to
various groups, ownership and permissions set up and working well, for
example:
[EMAIL PROTECTED]:~/documents$ ls -l | grep pay
drwxrwx--- 6 roger management 4096 2008-08-20 11:31 payroll
and as expected roger and members of the management group have read/write
access to the payroll folder, and others get "permission denied". Good.
Except, I have found that from 2 XP workstations, 2 different users (1 per
workstation) are able to connect to the entire share appearing to disregard
this, the logged on username is NOT roger, nor is the user in the management
group, yet has full access to that particular folder. Bit of a worry,
definitely not what I was expecting...
Are they in the coordinators group?
valid users = roger, @coordinators, @management
No, they are not in the coordinators group. Anyway, given that "valid
users" is a general share definition, I would expect all members of the
coordinators group (were that the only group they are in) to be denied
access to that folder based on the permissions being 770. And that is
indeed the case for the members of that group.
<snip>
Anyway, back to the problem in hand. After checking the coordinators
group, consider this scenario, bearing in mind that I don't fully
understand Windows in that its results in this area seem to be
inconsistent (and may vary between versions, including between xp home
and pro).
If roger goes and sits at another user's (let's call him ben) xp
machine which is logged in as ben, and wants to access the [data]
share on \\hardy, he might go to "my network drives" and add the
share, intending it to only be a temporary measure while he needs to
test something. As part of this he authorises himself on \\hardy\data
as roger/roger's password. This will work, and so it should.
But how long does this authorisation stick around? Can ben go back
later and still access \\hardy\data ? In some cases these "network
places" seem to stick around a while.
Sorry I am not really answering the question, merely raising a possibility.
Indeed that is exactly the situation. And I too have been considering
that exact issue but do not have good answers at this point. I
appreciate that really it is an issue with the way Windows is
authenticating and so not strictly relevant on this list. It is though
at least as relevant as other questions posed from time to time, since
it relates to a Hardy box. I could always work around the issue on
those XP workstations by modifying/creating user accounts but am first
examining from the linux side. I am only talking about 2 user accounts
on 2 computers, but it's the principle I'm interested in understanding.
And I may not want them looking in my own private folder, which
currently they would be able to do!
It's clear that while samba is simple to set up and configure it can
also be complex and highly configurable so am looking for input from the
experienced eyes of this list.
Roger
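
A server-side check for the scenario discussed in this thread (a Samba session authenticated as roger that originates from ben's workstation), given as an added example that is not part of the original messages. The session listing is constructed in the style of `smbstatus -b` output (the column layout varies between Samba versions and is assumed here), and the machine names, addresses and the workstation-to-user inventory are hypothetical.

```python
import re

# Constructed sample in the style of `smbstatus -b`; the real column layout
# differs between Samba versions, so this format is an assumption.
SAMPLE_SMBSTATUS = """\
PID     Username      Group         Machine
-------------------------------------------------------------------
 5121   roger         roger         rogerpc      (192.168.1.10)
 5307   roger         roger         benpc        (192.168.1.11)
 5410   ben           ben           benpc        (192.168.1.11)
 5533   alice         alice         alicepc      (192.168.1.12)
"""

# Hypothetical inventory: the Samba account(s) expected at each workstation.
EXPECTED_USERS = {"rogerpc": {"roger"}, "benpc": {"ben"}, "alicepc": {"alice"}}

# PID, username, group, machine name, then the address in parentheses.
SESSION_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_sessions(text):
    """Return one dict per session row; header and separator rows are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            pid, user, _group, machine, addr = m.groups()
            sessions.append({"pid": int(pid), "user": user,
                             "machine": machine.lower(), "addr": addr})
    return sessions


def unexpected_sessions(sessions, expected):
    """Flag sessions whose authenticated user is not expected on that machine.

    File permissions such as 770 on payroll are evaluated against the
    authenticated Samba user, not against whoever is logged on to Windows,
    so a lingering 'roger' session on ben's PC gets roger's access.
    """
    return [s for s in sessions
            if s["user"] not in expected.get(s["machine"], set())]


if __name__ == "__main__":
    for s in unexpected_sessions(parse_sessions(SAMPLE_SMBSTATUS), EXPECTED_USERS):
        print(f"pid {s['pid']}: {s['user']} connected from {s['machine']} ({s['addr']})")
```

On the Windows side, `net use` lists the connections a workstation currently holds and `net use \\hardy\data /delete` drops the one made with roger's credentials.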