Hi Robin,
I've not got a good starting point I'm afraid, but I was forced to deploy Samba
under pressure of failing hardware so an urgent migration was done. We didn't
get the IBM AIX 6.1 supplied one running at all, so we pulled down the
samba.org version 3.4.3. We couldn't get that working as we wished, but it did
at least share. It has been merrily allowing any request to mount (read-only)
the shares. All was well with the function, but obviously it is not appropriate
for the sensitive data we are sharing. The setting I had to put in was
security=SHARE and on each share, we have guest login allowed.
My problem is that our clients are in at least two domains and the server is
standalone, i.e. no LDAP or whatever connection set up on the operating system in
/etc/netsrv.conf or anything. We are an outsourcing company so we have our
servers & users and the client company users all wanting to access the data.
I've tried reading the manual pages, but I have to understand much more about
security and protocols than I do to get my foot in the door, so to speak. The
more I try to find out, the more confused I get. What I have tried has always
prevented any access. Great for security, but useless for actually operating
the business.
It has been parked for quite a while now especially as the failing hardware
also allowed guest connections so I had nothing to compare to. I've now
forgotten what attempts I have made, but now Internal Audit are on my case to
lock it down. Can anyone point me in the right direction? I would prefer to
grant access to an Active Directory group of users if that is possible, but
then it needs to validate the user on more than one domain......um?
My head hurts already.
Full config (slightly sanitised) can be posted if this is useful, but I didn't
want to flood the thread first off.
Documentation on the web is fine for configuring kerberos/smb/winbind
for one domain, but I also found it hard to get the sid/uid mapping right
in a multiple domain environment. Idmap has changed so many times since
smb 3.0 that it is hard to know which doc is fine... I hope the 3.6 way
will be the definitive one :-)
Here is an smb.conf that is working fine with two domains. servera is
joined to AD kerberos DOMA.LOCAL. There is interdomain trust with
DOMB.LOCAL.
===================
[global]
# Authenticate against Active Directory with Kerberos; the box must already
# be joined to DOMA.LOCAL (net ads join)
security = ads
realm = DOMA.LOCAL
password server = 192.168.123.11
workgroup = DOMA
# DOMB users show up as DOMB+user; DOMA users need no prefix because of
# "winbind use default domain" below
winbind separator = +
# Catch-all idmap backend for SIDs not covered by a per-domain block
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
# Deterministic RID-based mapping per domain; the two ranges must not overlap
idmap config DOMA : backend = rid
idmap config DOMA : range = 10000 - 49999
idmap config DOMB : backend = rid
idmap config DOMB : range = 50000 - 99999
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
# Refuse anonymous (null session) connections altogether
restrict anonymous = 2
wins server = 192.168.123.11
printcap name = /etc/printcap
load printers = no
[myshare]
path = /home/myshare
# No guest access on the share; users must authenticate via winbind
guest ok = no
# Write access only for these AD groups: a DOMA group needs no prefix,
# a DOMB group is written with the winbind separator
write list = @"group1" @"DOMB+group2"
writeable = yes
force create mode = 0770
===============
Hope this helps,
Denis Cardon
Robin
Liverpool/Blackburn
UK
--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.57
http://www.tranquil-it-systems.fr
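To see why the per-domain ranges in the smb.conf above must not overlap, and what happens when a RID falls outside its range, here is an added Python model of the idmap_rid mapping (example code, not from the thread or the Samba project). It assumes idmap_rid's documented rule unix_id = RANGE_LOW + RID with base_rid = 0; the domain SIDs are constructed sample values.

```python
import re

# Per-domain idmap ranges copied from the posted smb.conf; "*" stands for the
# tdb catch-all backend (idmap uid/gid) used for SIDs no domain block matches.
IDMAP_RANGES = {
    "DOMA": (10000, 49999),
    "DOMB": (50000, 99999),
    "*": (1000000, 1999999),
}

# Constructed domain SIDs; a real server would take them from `wbinfo -D DOMB`
# or `net getdomainsid`.
DOMAIN_SIDS = {
    "DOMA": "S-1-5-21-1111111111-2222222222-3333333333",
    "DOMB": "S-1-5-21-4444444444-5555555555-6666666666",
}

# Domain SID followed by the RID of the user or group.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def check_ranges(ranges):
    """Return (domA, domB) pairs whose Unix ID ranges overlap.
    An overlap is fatal: the same uid would be issued for two different SIDs."""
    names = list(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def rid_to_unix_id(sid, ranges=IDMAP_RANGES, domain_sids=DOMAIN_SIDS):
    """Map a user/group SID to (domain, unix_id) the way idmap_rid does:
    unix_id = RANGE_LOW + RID (base_rid = 0 assumed). Returns None for an
    unconfigured domain or a RID past the top of the range; winbind then
    leaves the SID unmapped and the user cannot access the share."""
    m = SID_RE.match(sid)
    if not m:
        return None
    domain_sid, rid = m.group(1), int(m.group(2))
    for dom, dsid in domain_sids.items():
        if dsid == domain_sid and dom in ranges:
            low, high = ranges[dom]
            unix_id = low + rid
            return (dom, unix_id) if unix_id <= high else None
    return None
```

A DOMA range of 10000-49999 only fits RIDs up to 39999, so a large domain whose RIDs have grown past that would start producing unmapped users; size the ranges for the domain's RID counter, not its current user count.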