Hello,

Server: Ubuntu Lucid server version
Role: Samba file server (I administer it)
Authentication: Against a Windows AD (I do not administer it) using winbind. No other authentication scheme is practicable/possible - I do NOT want to manage passwords locally on this machine.
LDAP: Not explicitly configured - local policies require a binary *.so file that does not work with Debian based systems (I don't set this policy).

Status: Authentication works and shares have been set up. People from Windows, Mac and Linux can successfully access their shares. The system is firewall and samba (hosts deny, hosts allow) secured to deny access from anyone outside of the network.

Excerpt from /etc/samba/smb.conf:

    security = ads
    realm = <AD server name in capital case>
    password server = AD server name
    workgroup = LOCALGROUP
    idmap uid = 500-1000000
    idmap gid = 500-1000000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no

    [homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = %U
    invalid users = root bin daemon nobody named sys tty disk users

I want to make certain things happen with this, but being a slight Samba newbie (and generally impatient of anything Windows related) I do not know the best way forward (or if what I want is even possible).

The situation: Consider sets of people

    A = a colossal set of about 10000 people, each of which can authenticate against the AD referenced above.
    B = a set of about 30 people - a subset of A (every member of B is a member of A).
    C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E is non-zero. The union of C, D and E is a subset of B.

Wish I could draw a Venn diagram. All these sets have a fluid membership (people come and go). But the set relationships above, and the rough numbers above, remain more or less constant.

I want:

1. No member of A that is not a member of B to ever be able to access any shares on the server.
2. No member of B to be able to access the home directories (under /home/LOCALGROUP/) that are not his / her own, or one of C, D or E (read on) if he / she is also a member of C, D or E.
3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D or E), but no one else should be able to.
4.
Impose quotas on all members of B (have maximum upper sizes for /home/LOCALGROUP/<member of B>) and have fixed sizes for C, D and E.

If this were a simple Unix setup, I would define group memberships (and impose quota on /home). But this is a little bit different (and the users are not even listed in /etc/passwd), and I am a bit new to Samba.

Any suggestions?

Thanks.
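An added smb.conf sketch (not from the original post, and not a reply from the list) showing how the share-level access requirements above map onto Samba's own parameters. It assumes that AD security groups literally named B, C, D and E exist and that winbind resolves them as Unix groups (check with "getent group B"); the realm value is a placeholder. Only share [C] is written out; [D] and [E] follow the same pattern.

```ini
# Added example, not the poster's configuration. Assumes AD groups B, C, D, E
# resolve through winbind; <AD realm> is a placeholder.
[global]
    security = ads
    realm = <AD realm>
    workgroup = LOCALGROUP
    winbind separator = +
    winbind use default domain = yes
    template homedir = /home/%D/%U

    # Requirement 1: a share parameter set in [global] is the default for
    # every share that does not set its own, so no one outside group B
    # can connect to an explicitly defined share. Note that a share-level
    # "valid users" replaces this default rather than adding to it.
    valid users = @B
    invalid users = root bin daemon nobody named sys tty disk users

[homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    # Requirement 2: %S expands to the share name, which for [homes] is the
    # owner of that home directory, so only that user is admitted. With %U
    # (the connecting user) every caller is trivially "valid" for every
    # home share, which is the behaviour requirement 2 forbids.
    valid users = %S

[C]
    comment = Team C
    path = /home/LOCALGROUP/C
    read only = no
    # Requirement 3: members of group C only; new files are group-owned by
    # C so members can share them, while 0660/0770 keep everyone else out
    # at the filesystem level as well as at the share level.
    valid users = @C
    force group = C
    create mask = 0660
    directory mask = 0770
```

Two points follow from the comments above. First, because [homes] overrides the global "valid users" with %S, an A-but-not-B user is not blocked from his own home share by that list; the practical way to keep requirement 1 for home shares is to create directories under /home/LOCALGROUP only for members of B (no pam_mkhomedir for everyone), since a tree connect to a [homes] share whose directory does not exist fails. Second, idmap gives every AD user a real UID in 500-1000000, so ordinary Linux user quotas on the /home filesystem (edquota / setquota) cap each member of B; a fixed total size for C, D and E needs a separate filesystem mounted on each directory, or a filesystem with directory (project) quotas, because user quotas do not bound a directory. Run "testparm -s" after editing, then confirm with a user who is in A but not in B that both an explicit share and another user's home share are refused.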