Re: [Samba] Share-based security

[Jorell]

On 2/4/2012 3:22 AM, Bruno Martins wrote:

Hello guys,

I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with 
winbind authentication on our internal network.
Now I want to expose one share and one printer to another network 
(192.168.2.0/24), so now this server is configured with two NICs.

My smb.conf is as follows:

[global]
         workgroup = GALILEU-F
         realm = GALILEU-F.GALILEU.PT
         server string = Samba Server Version %v
         security = ADS
         auth methods = winbind
         password server = 192.168.0.2
         username map = /etc/samba/smbusers
         log file = /var/log/samba/log.%m
         max log size = 50
         printcap name = cups
         local master = No
         dns proxy = No
         ldap ssl = no
         idmap backend = tdb
         idmap alloc backend = tdb
         idmap uid = 5000-6000
         idmap gid = 5000-6000
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         guest ok = Yes
         hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
         cups options = raw
         guest account = nobody

[printers]
         comment = All Printers
         path = /var/spool/samba
         printable = Yes
         browseable = No

[dropbox]
         comment = Partilha das Galileus
         path = /home/joe/Dropbox
         admin users = ghelpdesk, a230w
         write list = ghelpdesk, a230w
         read only = No
         acl group control = Yes
         create mask = 0777
         directory mask = 0777
         inherit permissions = Yes
         inherit acls = Yes
         inherit owner = Yes
         guest ok = No
         map acl inherit = Yes

[print$]
         comment = Printer Drivers
         guest only = yes
         path = /var/lib/samba/drivers
         write list = ghelpdesk, a230w

[sharpdesk]
         comment = Sharpdesk
         path = /home/fotocopiadora/sharpdesk
         write list = "@domain users"
         read only = No

[formacao]
         comment = Partilha Formacao
         path = /home/joe/Formacao
         guest ok = yes
         browseable = yes
         read only = no
         write list = bmartins, amoreira

Share to expose is 'formacao' but I want it to be only writable by two AD users 
and read-only for everyone else. Also, users on 192.168.2.0 network should not 
be able to even list other shares/printers.
With the smb.conf above mentioned, Windows keeps asking me for authentication.

Can you please help me on this? Is this possible to do with Samba/CUPS?

Also if you could give me some security tips or documentation to read on this, 
it would be helpful.

Best regards,

Bruno Martins

Do those users have write access to that directory in Linux?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba