Thanks -- the first two were useful, but only blocked samba. Which, to be fair, is all I asked about.

Here's a third option, which will also block PAM:

In ldap.conf (on my system, running Ubuntu 8.04 LTS Server), modify the following two lines:

1) pam_groupdn (group)

In my case, this becomes:

pam_groupdn cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns

2) pam_member_attribute (attribute)

In my case, it becomes:

pam_member_attribute memberUid

At that point, attempts to log in with an LDAP user who isn't part of the group return:

You must be a memberUid of cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns to login.
Connection closed by 172.30.35.146

Samba returns that it cannot mount the share, or that the uid/password combination is wrong.

In any case, I'm putting this up in case anyone else has seen the same problem... I'd still like a way to restrict to multiple groups, but this works for what I need now.

Thanks for all the help!

-Alex

t...@tms3.com wrote:
>
> On Tuesday 18/05/2010 at 8:46 am, Alex McKenzie wrote:
>> This is for the same file server I wrote about earlier.
>>
>> I would like to restrict access by group, as defined in LDAP.
>
> Two ways.
>
> 1) First is at the share level, which is controlled by smb.conf and is
> fairly similar to permissions on a share in Window$.
>
> man smb.conf
>
> "To restrict a service to a particular set of users you can use the
> valid users parameter.
>
> If any of the usernames begin with a '@' then the name will be
> looked up first in the NIS netgroups list (if Samba is compiled
> with netgroup support), followed by a lookup in the UNIX groups
> database and will expand to a list of all users in the group of
> that name."
>
> Works with groups in ldap, if your posix box is setup correctly.
>
> 2a) The second is to enable acls on your posix file system. If so, you
> can use a Window$ workstation and the Administrator account to write M$
> file permissions to the directories in the share.
>
> 2b) Or if it is a very simple set up, merely use standard posix file
> and directory permissions. For instance, say the samba share is
> \\servername\chemlab and the posix path is /usr/home/samba/chemlab,
> you could then simply do
>
> chgrp -R CHEMLABGROUP /usr/home/samba/chemlab and chmod it to your
> liking. (Where CHEMLABGROUP is a samba ldap group).
>
>> The obvious solution is to add a filter to the login LDAP search that
>> restricts to gidNumber=10038 or 10001, since those are the groups I
>> need. From what I'm seeing, I need to add that to /etc/ldap.conf in the
>> nss_base_ section, but how to do it isn't clear.
>>
>> Do I just enter it as a standard LDAP filter? In this case, I think I'd
>> want (|(gidNumber=10038)(gidNumber=10001)), but it's really not clear;
>> the syntax really isn't clear from the file. Would it just be
>>
>> nss_base_passwd (|(gidNumber=10038)(gidNumber=10001))?one
>>
>> That's what it looks like, anyway... if anyone can give me an answer,
>> or at least point me towards a good source of documentation on this, I'd
>> appreciate it.
>>
>> Thanks,
>> Alex McKenzie

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
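An added example, not code from this thread or from the pam_ldap/nss_ldap modules themselves: it emulates, over a constructed in-memory directory, the two checks discussed above, the pam_groupdn/pam_member_attribute membership test from the reply and the multi-group gidNumber filter from the original question in nss_ldap's base?scope?filter form. The DNs, uids and gidNumbers are constructed; the real checks are done by pam_ldap and nss_ldap against the directory.

```python
"""Emulate the two LDAP access controls discussed in the thread over a
constructed directory; this is illustration, not pam_ldap/nss_ldap code."""
from typing import Dict, List, Sequence

# Constructed sample directory: DN -> attributes (each value is a list).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["10038"],
        "memberUid": ["alex", "maria"],
    },
    "uid=alex,ou=People,dc=cns": {"uid": ["alex"], "gidNumber": ["10038"]},
    "uid=maria,ou=People,dc=cns": {"uid": ["maria"], "gidNumber": ["10001"]},
    "uid=guest,ou=People,dc=cns": {"uid": ["guest"], "gidNumber": ["10099"]},
}


def pam_group_allows(directory: Dict[str, Dict[str, List[str]]],
                     pam_groupdn: str, pam_member_attribute: str, uid: str) -> bool:
    """Mirror the pam_groupdn check: read the one entry at pam_groupdn and
    require uid among its pam_member_attribute values.  memberUid uses
    caseExactIA5Match in the NIS schema, so the comparison is exact."""
    group = directory.get(pam_groupdn)
    if group is None:
        return False  # DN typo or missing group: fail closed, nobody logs in
    return uid in group.get(pam_member_attribute, [])


def nss_base_passwd(base: str, gids: Sequence[int]) -> str:
    """Build an nss_base_passwd value in nss_ldap's base?scope?filter form,
    OR-ing one gidNumber clause per allowed group (the filter from the question)."""
    clauses = "".join(f"(gidNumber={g})" for g in gids)
    filt = clauses if len(gids) == 1 else f"(|{clauses})"
    return f"{base}?one?{filt}"


def users_visible_to_nss(directory: Dict[str, Dict[str, List[str]]],
                         base: str, gids: Sequence[int]) -> List[str]:
    """Apply that filter the way NSS would: only accounts directly under base
    (scope 'one') whose primary gidNumber is in gids resolve at all."""
    allowed = {str(g) for g in gids}
    return sorted(
        attrs["uid"][0]
        for dn, attrs in directory.items()
        if dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
        and attrs.get("gidNumber", [""])[0] in allowed
    )
```

Note that the nss_base_passwd filter only controls which accounts resolve through NSS at all, while pam_groupdn is enforced at PAM login time; the two are independent gates.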