On Sunday, 2 January 2011, 23:39:52, Marco Gaiarin wrote:
> Hello! Malte Starostik
>   On that day it was said...
>
> > I can't confirm this. I'm running WPKG off a samba server and the
> > clients access the share with machine credentials just fine. I've
> > granted read access to the "Domain Computers" group and all is well.
> > The share that the clients write their logfile to is writable by "Domain
> > Computers" and has the sticky bit set so a client can only mess with the
> > log file(s) it created.
>
> Really, really, REALLY interested in that!!!
>
> Can you send some more info? Samba version? Server and client
> configuration?
>
> I've tried some weeks ago on debian lenny (samba 3.2.X) and I was not
> able to make it work...

The server is currently running Samba 3.5.6 on Gentoo Linux, but it was working with 3.2.x before as well. The user/group mapping is handled by winbind. The basic configuration is like this:

    [global]
        workgroup = DOMAIN
        security = ads
        realm = DOMAIN.TLD
        idmap backend = tdb
        idmap uid = 100000 - 999999
        idmap gid = 100000 - 999999
        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : base_rid = 0
        idmap config DOMAIN : range = 1000000 - 9999999
        winbind use default domain = yes

    [wpkg]
        path = /srv/wpkg
        read only = yes

Please note that the idmap configuration syntax has changed from Samba 3.2 to 3.4 (or 3.3?), so the above is not compatible with 3.2.

These are the permissions of the WPKG share:

    $ getfacl /srv/wpkg
    # file: /srv/wpkg/
    # owner: root
    # group: root
    user::rwx
    user:apache:rwx
    group::r-x
    group:domain\040admins:r-x
    group:domain\040computers:r-x
    group:domain\040controllers:r-x
    mask::rwx
    other::---

There should be no need for POSIX ACLs; if the share is owned by the group "domain computers" and group readable, it should work as well - not being world readable prevents users from copying software off the share or diving into configurations they maybe shouldn't see...

The clients are running Windows XP Pro and are joined to the domain. WPKG Client is configured to authenticate as "SYSTEM" - this enables machine authentication.

There is one requirement that might get in the way: machine authentication requires Kerberos, so you need an AD domain, either with a Windows 2000+ DC or Samba 4. I haven't tried the latter yet, but I certainly will some day. A Windows NT (resp. Samba 3) domain will not do.

Cheers,
Malte
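
The directory modes described in the message above can be checked with a short script. This is an added example, not part of the original message: the function names and the `wpkglogs` directory name are assumptions, it needs GNU `stat`, and it covers the plain owner/group/other variant without POSIX ACLs.

```shell
#!/bin/sh
# Added example: audit the directory modes described in the message.
# Function names and the "wpkglogs" directory are assumptions for illustration.
# Note: when POSIX ACLs are set on a directory, the group digit reported by
# stat is the ACL mask, so use getfacl for the ACL variant shown in the post.

# Print the mode as four octal digits: special, user, group, other (e.g. 1770).
mode4() {
    raw=$(stat -c '%a' "$1") || return 1
    printf '%04d' "$raw"
}

# Package share: group can read and traverse, "other" has no access at all.
check_pkg_dir() {
    m=$(mode4 "$1") || return 2
    rest=${m#??}            # group and other digits
    g=${rest%?}
    o=${rest#?}
    [ $(( g & 5 )) -eq 5 ] && [ "$o" -eq 0 ]
}

# Log share: group can create files; the sticky bit restricts deleting and
# renaming an entry to its owner (or the directory owner / root).
check_log_dir() {
    m=$(mode4 "$1") || return 2
    s=${m%???}              # special-bits digit (sticky = 1)
    rest=${m#??}
    g=${rest%?}
    [ $(( s & 1 )) -eq 1 ] && [ $(( g & 3 )) -eq 3 ]
}

# Create both directories under BASE with the intended modes. Group ownership
# is left to the admin, e.g. chgrp "domain computers" DIR, because the group
# name depends on the winbind mapping in use.
setup_dirs() {
    mkdir -p "$1/wpkg" "$1/wpkglogs" &&
    chmod 0750 "$1/wpkg" &&
    chmod 1770 "$1/wpkglogs"
}
```

Both check functions return 0 when the directory matches the described posture, 1 when it does not, and 2 when the mode cannot be read.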