
Client Shares and Virtual Users

Status
Not open for further replies.

nbjayme

Programmer
Jun 25, 2002
13
PH
Hello All,

I want to be able to create shares and let Samba check for validation on the PDC without adding those users on my Linux box.

We have a Samba PDC and the clients are on Win9x, WinXP, and Linux.

I'm on a Linux box with FC1.

I hope there is an easy way to do this without necessarily installing and managing winbind.

Please help.
 
The way I do this is to create generic read or write users.

E.g.
Create a share called SAP
Create users sapread and sapwrite
In the user.map file, I map NT user IDs to the above users depending on the access requirements.


"If you always do what you've always done, you will always be where you've always been."
 
Thanks for the reply.

I believe I need to create a user in smbpasswd for that, as well as in /etc/passwd.

If you have 50 users, though, the setup can be laborious. Say Emma is mapped to sapread but in another share I want her to be able to write. In the long run, the user.map solution will not suffice for a per-share configuration.

The solution is something like this, but I just don't know how to set it up.

Say you have two shares, PublicFiles and PrivateFiles, and two users, Emma and Robin. Emma will have write privilege in PrivateFiles.

[global]
# tells samba to validate using a Domain Controller
# samba does not need to be a domain member
security=< I'm not sure of the correct setting>
# tells samba the Domain Controller
password server= <machine name or IP>

[PublicFiles]
path=/home/localnixuser/PublicFiles
# users exist in the NT/Samba PDC only.
valid users= emma robin
#map robin and emma to local nixuser
force user= localnixuser
#only read access even though localnixuser
#has write privilege
read only= yes

[PrivateFiles]
path=/home/localnixuser/PrivateFiles
# users exist in the NT/Samba PDC only.
read list = robin
write list= emma
#map robin and emma to local nixuser
force user=localnixuser

[WorldFiles]
path=/home/localnixuser/WorldFiles
# no password required for this share
guest ok = yes
read only = yes

This approach is fine-grained because you may be able to specify valid users per share, as well as a user's privilege.

I hope somebody made a solution. :(

 
I don't think there is an easier solution.
It's not possible to have smb users without having a unix user.
But the shared accounts may be the only option.

Let's say there's a share called Finance.
For this share you can have unix users called finread and finwrite, both of group finance.
You don't have to create smbpasswd entries as the unix machine is a domain member and authenticated on the NT domain and not with its own password database.
/finance can be owned by finwrite:finance with perm 775

User.map can have
finread = ntusra ntuserb
finwrite = ntuserc ntuserd

Share definition can be
[finance]
path = /finance
read list = finread
write list = finwrite


"If you always do what you've always done, you will always be where you've always been."
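
The shared-account scheme from the post above, checked against the limit raised earlier in the thread (one user needing different access on different shares), as an added example that is not part of any poster's message. The `<share prefix>read` / `<share prefix>write` naming rule and all share and user names are assumptions made up for the illustration.

```python
# Added example (not from the thread): build a Samba "username map" for the
# shared-account scheme and flag the users that the scheme cannot express.
from collections import defaultdict

# Constructed sample input: share -> {NT user: "r" or "w"}. Names are made up.
WANTED = {
    "finance": {"ntusera": "r", "ntuserb": "r", "ntuserc": "w", "emma": "r"},
    "sap": {"emma": "w", "robin": "r"},
}


def shared_account(share, mode):
    """Hypothetical naming rule: first 3 letters + read/write (finread)."""
    return share[:3] + ("read" if mode == "r" else "write")


def plan(wanted):
    """Return (map_lines, conflicts).

    The username map is a global setting: an NT user resolves to one Unix
    account for the whole server, not one per share. A user who would need
    two different shared accounts is therefore reported, not mapped.
    """
    needed = defaultdict(set)  # NT user -> shared accounts required
    for share, acl in wanted.items():
        for nt_user, mode in acl.items():
            needed[nt_user].add(shared_account(share, mode))

    conflicts = {u: sorted(a) for u, a in needed.items() if len(a) > 1}

    members = defaultdict(list)  # Unix account -> NT users mapped to it
    for nt_user, accounts in needed.items():
        if nt_user not in conflicts:
            members[next(iter(accounts))].append(nt_user)

    lines = [f"{acct} = {' '.join(sorted(users))}"
             for acct, users in sorted(members.items())]
    return lines, conflicts


if __name__ == "__main__":
    map_lines, unmappable = plan(WANTED)
    print("\n".join(map_lines))
    for user, accounts in unmappable.items():
        print(f"# cannot map {user}: needs {', '.join(accounts)}")
```

Running the check before editing user.map shows which users would silently end up with the wrong access on one of their shares.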
 
Thanks for the reply and a thorough illustration.

For multiple shares and multiple users it would become too much for the user map setup.

I hope the Samba team will make a new security model with the above example I illustrated. What do we call it?

security=virtualusers

Instead of using "password server" I think it would be much more flexible to employ the "passdb backend" parameter.

The flexibility of the security model can open up GUIs to let a local nix user share their folders with fine-grained control.

The rule is to restrict local users to creating shares only within their home directory, and any link outside their home directory is invalid. "force user" will be restricted to the local user who made the share.

The root account can use the "force user" option. But it can be overridden by a local nix user with "override root setting=yes". This will close all shares created by root into a user's home directory.

Therefore, Samba needs a hack to provide the new security model. A mechanism should also be provided for allowing local nix users to have their own smb.conf.

I hope they include it in Samba4.
 
I don't think we'll see anything from Samba due to the security implications.
Maybe SMB_DYN will cater for it. (Quite an interesting project :

"If you always do what you've always done, you will always be where you've always been."
 