I have just managed to get my first Samba/LDAP PDC up and running. But I have one big security problem -- users logging in to the PDC using ssh can access all shares.
User credentials, both for ssh login and for Samba access, are retrieved from the LDAP directory. All shares are stored in the /var/lib/samba directory. The directory permissions look like this:

    drwxrwx--- 2 root Domain Users 4096 25 jul 15.11 Common
    drwxrwx--- 2 root Domain Users 4096 13 jun 16.59 Customers
    drwxrwx--- 2 root Domain Users 4096 13 jun 16.32 Sales
    ...

and so on. Each share is owned by root in the "Domain Users" group. In the Unix world, each directory can only be owned by one user in one group. But in the Samba world, directories and shares aren't owned by any single group; instead a number of groups have access to the directory or share. That is why the shares have to be owned by the Unix group "Domain Users," which is a meta group to which all users of the PDC belong.

Obviously, this arrangement isn't very nice. Every user that logs in via ssh can access all shares. Yet all shares need to be owned by the group "Domain Users", otherwise some groups of users can't access some shares. The Sales share, for example, should really be owned by both the Managers and the Accountants groups.

So how do I fix this? There doesn't seem to be any easy way.

Thanks in advance.

-- 
Best regards,
Björn Lindqvist
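An added example, not part of the original post and not Samba project code, showing the usual way around the one-owner/one-group limit the question describes: give the Sales directory to the Managers and Accountants groups with POSIX ACLs instead of the "Domain Users" meta group, restrict the share at the Samba layer as well with `valid users`, and audit the share tree for directories that every ssh user can still reach. It assumes Linux with GNU coreutils (`stat -c`), the `acl` package (`setfacl`) and an ACL-enabled filesystem; the share names, paths and group names are taken from the post, the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux, GNU coreutils
# and the acl package on an ACL-enabled filesystem. The grant function must
# run as root on the PDC; the audit and stanza functions are read-only.

# Report share directories under $1 that every PDC user can reach through the
# plain Unix permission model: group-owned by the meta group (default
# "Domain Users", override with $2) or with any permission bits for "other".
# Prints one WARN line per offender and returns 1 if any were found, else 0.
audit_shares() {
    base=$1
    meta=${2:-"Domain Users"}
    found=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        grp=$(stat -c %G "$d")
        mode=$(stat -c %a "$d")
        other=${mode#"${mode%?}"}      # last octal digit: bits for "other"
        if [ "$grp" = "$meta" ]; then
            echo "WARN $d: group '$meta' gives every domain user access"
            found=1
        elif [ "$other" != 0 ]; then
            echo "WARN $d: mode $mode grants access to 'other'"
            found=1
        fi
    done
    return $found
}

# Replace the meta-group arrangement on one share: owner root:root, no bits
# for "other", then one access ACL entry plus a default (inherited) entry per
# group, so the directory can belong to several groups at once.
grant_share_groups() {
    dir=$1; shift
    chown root:root "$dir"
    chmod 2770 "$dir"              # setgid; the group rwx bits become the ACL mask
    for g in "$@"; do
        setfacl -m "g:$g:rwx,d:g:$g:rwx" "$dir"
    done
}

# Print an smb.conf stanza that limits the share at the Samba layer too, so a
# slip in the filesystem ACLs does not expose it to every domain user.
# Group names with spaces would need quoting; the post's groups have none.
smb_share_stanza() {
    share=$1; dir=$2; shift 2
    list=""
    for g in "$@"; do
        list="${list}${list:+, }@$g"
    done
    printf '[%s]\n  path = %s\n  valid users = %s\n  read only = no\n  create mask = 0660\n  directory mask = 2770\n' \
        "$share" "$dir" "$list"
}

# On the real PDC, as root, the sequence for the Sales share would be:
#   grant_share_groups /var/lib/samba/Sales Managers Accountants
#   smb_share_stanza Sales /var/lib/samba/Sales Managers Accountants >> /etc/samba/smb.conf
#   audit_shares /var/lib/samba
# Running this file with "audit [dir]" as arguments only performs the audit.
if [ "${1:-}" = audit ]; then
    audit_shares "${2:-/var/lib/samba}"
fi
```

After the change, `getfacl /var/lib/samba/Sales` should list `group:Managers:rwx` and `group:Accountants:rwx` with nothing for `other`, and an ssh login that is in neither group gets "Permission denied" on the directory even though it is still a member of "Domain Users".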