On Sep 22, 2010, at 9:24 AM, Madhusudan Singh <[email protected]> wrote:
> Hello,
>
> Server: Ubuntu Lucid server version
> Role: Samba file server (I administer it)
> Authentication: Against a Windows AD (I do not administer it) using winbind. No other authentication scheme is practicable/possible - I do NOT want to manage passwords locally on this machine.
> LDAP: Not explicitly configured - local policies require a binary *.so file that does not work with Debian based systems (I don't set this policy).
>
> Status: Authentication works and shares have been set up. People from Windows, Mac and Linux can successfully access their shares. The system is firewall and samba (hosts deny, hosts allow) secured to deny access from anyone outside of the network.
>
> Excerpt from /etc/samba/smb.conf:
>
> security = ads
> realm = <AD server name in capital case>
> password server = AD server name
> workgroup = LOCALGROUP
> idmap uid = 500-1000000
> idmap gid = 500-1000000
> winbind separator = +
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> client use spnego = yes
> domain master = no
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %U
> invalid users = root bin daemon nobody named sys tty disk users
>
> I want to make certain things happen with this, but being a slight Samba newbie (and generally impatient of anything Windows related) I do not know the best way forward (or if what I want is even possible). The situation:
>
> Consider sets of people
>
> A = a colossal set of about 10000 people, each of which can authenticate against the AD referenced above.
> B = a set of about 30 people - a subset of A (every member of B is a member of A)
> C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E is non-zero. The union of C, D and E is a subset of B. Wish I could draw a Venn diagram.
>
> All these sets have a fluid membership (people come and go). But the set relationships above, and the rough numbers above, remain more or less constant.
>
> I want:
>
> 1. No member of A that is not a member of B to ever be able to access any shares on the server.
> 2. No member of B to be able to access the home directories (under /home/LOCALGROUP/) that are not his / her own or one of C, D, or E (read on) if he / she is also a member of C, D or E.
> 3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D or E) but no one else should be able to.
> 4. Impose quotas on all members of B (have maximum upper sizes for /home/LOCALGROUP/<member of B>) and have fixed sizes for C, D and E.
>
> If this were a simple Unix setup, I would define group memberships (and impose quota on /home). But this is a little bit different (and the users are not even listed in /etc/passwd), and I am a bit new to Samba.
>
> Any suggestions?
>
> Thanks.
> --

Since you are already doing everything based on AD ...

Have the Windows folks make AD security groups for your groups B, C, D, E, and then filter the shares using smb.conf entries like

valid users = @ad\groupB
write list = @ad\groupB

To make it really convenient for you, have the AD team make you an admin for a small area in AD where you set up and administer your groups using Active Directory Users and Computers on a Windows box.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
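An added example (not from the thread, and not the poster's or the responder's configuration) of how the reply's advice maps onto the four requirements, built on top of the settings quoted above. The AD group names GroupB, GroupC, GroupD and GroupE are assumed; because the original config has `winbind use default domain = yes`, groups from the server's own domain are written without a domain prefix, and a group from another trusted domain would be written `@OTHERDOM+GroupName`, following the `winbind separator = +` already in use. The key caveat is that `valid users` is a single OR list, so "only members of B, and only your own home" cannot be expressed in one line: the example gates every share on GroupB at the global level and leaves per-owner isolation of homes to the filesystem, which works because smbd accesses files as the authenticated user and the homes are created mode 0700.

```ini
# Added example (assumed group names GroupB, GroupC, GroupD, GroupE).
# Settings the original poster already has are repeated only where they
# matter for the access-control logic.

[global]
    security = ads
    realm = <AD realm, in capitals>
    workgroup = LOCALGROUP
    idmap uid = 500-1000000
    idmap gid = 500-1000000
    winbind separator = +
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    # Share-level parameters placed in [global] become the default for every
    # share, so this is the site-wide gate for requirement 1: anyone in A
    # but not in GroupB is refused at tree connect, for every share that
    # does not override "valid users" itself.
    valid users = @GroupB

[homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    # Inherits "valid users = @GroupB" from [global], so only B members can
    # connect. Requirement 2 (a B member sees only his or her own home) is
    # enforced by the filesystem: each /home/LOCALGROUP/<user> is mode 0700
    # and smbd opens files as the connecting user, so another B member is
    # refused on every file even though the tree connect itself succeeds.

[C]
    comment = Group C working area
    path = /home/LOCALGROUP/C
    browseable = no
    read only = no
    # Overrides the global default: GroupC members only (requirement 3).
    valid users = @GroupC
    write list = @GroupC
    # Files created through the share are group-owned by GroupC and
    # group-writable so that members can work on each other's files.
    # The directory itself is created by hand: chgrp GroupC, chmod 2770.
    force group = GroupC
    create mask = 0660
    directory mask = 0770

[D]
    # "copy" takes every parameter from the earlier [C] section; only the
    # group-specific values are overridden. [E] follows the same pattern.
    copy = C
    comment = Group D working area
    path = /home/LOCALGROUP/D
    valid users = @GroupD
    write list = @GroupD
    force group = GroupD
```

Before relying on the group names, check that winbind resolves them on the Samba host (`getent group GroupB` should list the members) and run `testparm` to validate the file. Requirement 4 needs no Samba setting at all: winbind gives each AD user a real uid from the idmap range, so ordinary Linux filesystem quotas on the /home filesystem apply to those uids just as they would for local accounts.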
