Re: [Samba] A question about Samba, authentication, groups, quotas, etc.

2010-09-29 Thread Madhusudan Singh
I think I might have worked out the grouping problem locally by simply
adding (manually) the names of members of B to /etc/group, and changing the
directory ownership to the corresponding groups. It's a strange situation as
there are users in /etc/group that are not present in /etc/passwd (they are
Windows AD authenticated).

However, a few irritants remain.

1. When I try to use:

valid users = @localgroupname

it does not permit mounting of the shares (though ssh logins work fine). I
have to use valid users = %U to get past that. Is there some way I could
enter the group membership to smb.conf ?

2. Regarding C, D and E, I have done something similar, and added valid
users = @localCgroupname etc. to the shares definition. However, when I use
a smb login from a Mac client, I see only the home directory mounted and not
the second share that the user is a member of (this user is a member of B
and C).

Any suggestions are welcome.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
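
A membership audit for the manually maintained /etc/group described in this message, added here as an example and not code from the thread: it checks the rule from the original post that C, D and E are subsets of B, so a user dropped from B but left in a project group is flagged. The group names (groupb, groupc, ...) and members are constructed.

```python
# Added example: audit /etc/group-format text against the thread's rule
# that every member of C, D and E must also be a member of B.
# Group names and members are constructed sample data (assumptions).

SAMPLE_GROUP_FILE = """\
root:x:0:
groupb:x:2000:alice,bob,carol,dave
groupc:x:2001:alice,bob
groupd:x:2002:bob,carol
groupe:x:2003:carol,erin
"""

def parse_group_file(text):
    """Return {group name: set of members} from /etc/group-format text."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, _passwd, _gid, members = fields
        groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return groups

def audit(groups, base, subgroups):
    """Return {subgroup: sorted members that are missing from the base group}."""
    if base not in groups:
        raise KeyError(f"base group {base!r} not defined")
    findings = {}
    for sub in subgroups:
        stale = groups.get(sub, set()) - groups[base]
        if stale:
            findings[sub] = sorted(stale)
    return findings

def share_access(groups, subgroups):
    """Return {user: sorted project shares that user should be able to reach}."""
    access = {}
    for sub in subgroups:
        for user in groups.get(sub, set()):
            access.setdefault(user, []).append(sub)
    return {u: sorted(s) for u, s in sorted(access.items())}

if __name__ == "__main__":
    g = parse_group_file(SAMPLE_GROUP_FILE)
    print("not in B:", audit(g, "groupb", ["groupc", "groupd", "groupe"]))
    print("expected shares:", share_access(g, ["groupc", "groupd", "groupe"]))
```

Run against the real file by passing the contents of /etc/group to `parse_group_file`; a non-empty result from `audit` means a project group grants access to someone who is no longer in B.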


Re: [Samba] A question about Samba, authentication, groups, quotas, etc.

2010-09-23 Thread Madhusudan Singh
On Wed, Sep 22, 2010 at 11:44 PM, Grant grantlid...@gmail.com wrote:


> Since you are already doing everything based on AD ...
> Have the Windows folks make AD security groups for your groups b c d e. And
> then filter the shares using smb.conf entries like
> valid users = @ad\groupB
> write list = @ad\groupB
>
> To make it really convenient for you, have the AD team make you an admin for
> a small area in AD where you set up and administer your groups using Active
> Directory Users and Computers on a Windows box


It was the first thing I tried. Here are some reasons it will not work:

1. For some strange reason, not all the members of set B are capable of
being added to these new groups (don't ask me, it's Windows after all - I am
not the AD admin).
2. The response of the admins is rather slow. If someone joins or leaves B,
I want to be able to respond faster than the weeks lead time we currently
have.

So, I guess I am asking if there is something like a samba user whitelist
(that I could use in conjunction with denying everyone access by default).
Or something equivalent to this.


[Samba] A question about Samba, authentication, groups, quotas, etc.

2010-09-22 Thread Madhusudan Singh
Hello,

Server: Ubuntu Lucid server version
Role: Samba file server (I administer it)
Authentication: Against a Windows AD (I do not administer it) using winbind.
No other authentication scheme is practicable/possible - I do NOT want to
manage passwords locally on this machine.
LDAP: Not explicitly configured - local policies require a binary *.so file
that does not work with Debian based systems (I don't set this policy).

Status: Authentication works and shares have been set up. People from
Windows, Mac and Linux can successfully access their shares. The system is
firewall and samba (hosts deny, hosts allow) secured to deny access from
anyone outside of the network.

Excerpt from /etc/samba/smb.conf:

   security = ads
   realm = AD server name in capital case
   password server = AD server name
   workgroup = LOCALGROUP
   idmap uid = 500-100
   idmap gid = 500-100
   winbind separator = +
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %U
   invalid users = root bin daemon nobody named sys tty disk users

I want to make certain things happen with this, but being a slight Samba
newbie (and generally impatient of anything windows related) I do not know
the best way forward (or if what I want is even possible). The situation:

Consider sets of people

A = a colossal set of about 1 people, each of which can authenticate
against the AD referenced above.
B = a set of about 30 people - a subset of A (every member of B is a member
of A)
C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E
is non-zero. The union of C, D and E is a subset of B. Wish I could draw a
Venn diagram.

All these sets have a fluid membership (people come and go). But the set
relationships above, and the rough numbers above remain more or less
constant.

I want:

1. No member of A that is not a member of B to ever be able to access any
shares on the server.
2. No member of B to be able to access the home directories (under
/home/LOCALGROUP/) that are not his / her own or one of C, D, or E (read on)
if he / she is also a member of C, D or E.
3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D
or E) but no one else should be able to.
4. Impose quotas on all members of B (have maximum upper sizes for
/home/LOCALGROUP/member of B) and have fixed sizes for C, D and E.

If this were a simple Unix setup, I would define group memberships (and
impose quota on /home). But this is a little bit different (and the users
are not even listed in /etc/passwd), and I am a bit new to Samba.

Any suggestions ?

Thanks.


Re: [Samba] A question about Samba, authentication, groups, quotas, etc.

2010-09-22 Thread Madhusudan Singh
I understand neither the language nor the intent of this message. How could
the initial message possibly be spam ? Was it the use of the capital case
for the workgroup ?

2010/9/22 postmas...@avi-drome.nl

> Message rejected: message contains bad words.
> Message is marked as spam.
>
> The information in this e-mail (and any attachments) is intended solely
> for the addressee(s); use by others is not permitted.
> The information may be confidential in nature and may be subject to a
> duty of confidentiality. If this e-mail is not intended for you, you are
> requested to notify the sender and to destroy this e-mail. The sender
> and/or the sender's employer cannot guarantee the security and reliability
> of e-mail communication and accepts no liability for damage resulting from
> the use of e-mail. Our services and other activities are carried out on
> the basis of a contract for services, to which our general terms and
> conditions apply.
>
> Please consider the environment before printing this e-mail




Re: [Samba] A question about Samba, authentication, groups, quotas, etc.

2010-09-22 Thread Gary Dale
This happens sometimes when a local mail server rejects a message as 
spam because it contains words in a different language than used 
locally. Your original post did make it to the samba list. The spam 
message fortunately only went to the original sender (you). Someone on 
the list however didn't see your post.





Re: [Samba] A question about Samba, authentication, groups, quotas, etc.

2010-09-22 Thread Grant

Since you are already doing everything based on AD ...
Have the Windows folks make AD security groups for your groups b c d e. And
then filter the shares using smb.conf entries like
valid users = @ad\groupB
write list = @ad\groupB

To make it really convenient for you, have the AD team make you an admin for a
small area in AD where you set up and administer your groups using Active
Directory Users and Computers on a Windows box