Hello guys,
I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with
winbind authentication on our internal network.
Now I want to expose one share and one printer to another network
(192.168.2.0/24), so now this server is configured with two NICs.
My smb.conf is as follows:
[global]
        workgroup = GALILEU-F
        realm = GALILEU-F.GALILEU.PT
        server string = Samba Server Version %v
        security = ADS
        auth methods = winbind
        password server = 192.168.0.2
        username map = /etc/samba/smbusers
        log file = /var/log/samba/log.%m
        max log size = 50
        printcap name = cups
        local master = No
        dns proxy = No
        ldap ssl = no
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap uid = 5000-6000
        idmap gid = 5000-6000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        guest ok = Yes
        hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
        cups options = raw
        guest account = nobody

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[dropbox]
        comment = Partilha das Galileus
        path = /home/joe/Dropbox
        admin users = ghelpdesk, a230w
        write list = ghelpdesk, a230w
        read only = No
        acl group control = Yes
        create mask = 0777
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        guest ok = No
        map acl inherit = Yes

[print$]
        comment = Printer Drivers
        guest only = yes
        path = /var/lib/samba/drivers
        write list = ghelpdesk, a230w

[sharpdesk]
        comment = Sharpdesk
        path = /home/fotocopiadora/sharpdesk
        write list = "@domain users"
        read only = No

[formacao]
        comment = Partilha Formacao
        path = /home/joe/Formacao
        guest ok = yes
        browseable = yes
        read only = no
        write list = bmartins, amoreira

Share to expose is 'formacao' but I want it to be only writable by two
AD users and read-only for everyone else. Also, users on 192.168.2.0 network
should not be able to even list other shares/printers.
With the smb.conf above mentioned, Windows keeps asking me for authentication.
Can you please help me on this? Is this possible to do with Samba/CUPS?
Also if you could give me some security tips or documentation to read on this,
it would be helpful.
Best regards,
Bruno Martins

On 2/4/2012 3:22 AM, Bruno Martins wrote:
> Hello guys,
>
> I am using Samba version 3.5.6~dfsg-3squeeze6 and it is running very well with winbind authentication on our internal network.
> Now I want to expose one share and one printer to another network (192.168.2.0/24), so now this server is configured with two NICs.
>
> My smb.conf is as follows:
>
> [global]
>         workgroup = GALILEU-F
>         realm = GALILEU-F.GALILEU.PT
>         server string = Samba Server Version %v
>         security = ADS
>         auth methods = winbind
>         password server = 192.168.0.2
>         username map = /etc/samba/smbusers
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         printcap name = cups
>         local master = No
>         dns proxy = No
>         ldap ssl = no
>         idmap backend = tdb
>         idmap alloc backend = tdb
>         idmap uid = 5000-6000
>         idmap gid = 5000-6000
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         guest ok = Yes
>         hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
>         cups options = raw
>         guest account = nobody
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
>
> [dropbox]
>         comment = Partilha das Galileus
>         path = /home/joe/Dropbox
>         admin users = ghelpdesk, a230w
>         write list = ghelpdesk, a230w
>         read only = No
>         acl group control = Yes
>         create mask = 0777
>         directory mask = 0777
>         inherit permissions = Yes
>         inherit acls = Yes
>         inherit owner = Yes
>         guest ok = No
>         map acl inherit = Yes
>
> [print$]
>         comment = Printer Drivers
>         guest only = yes
>         path = /var/lib/samba/drivers
>         write list = ghelpdesk, a230w
>
> [sharpdesk]
>         comment = Sharpdesk
>         path = /home/fotocopiadora/sharpdesk
>         write list = "@domain users"
>         read only = No
>
> [formacao]
>         comment = Partilha Formacao
>         path = /home/joe/Formacao
>         guest ok = yes
>         browseable = yes
>         read only = no
>         write list = bmartins, amoreira
>
> Share to expose is 'formacao' but I want it to be only writable by two AD users and read-only for everyone else.
> Also, users on 192.168.2.0 network should not be able to even list other shares/printers.
> With the smb.conf above mentioned, Windows keeps asking me for authentication.
>
> Can you please help me on this? Is this possible to do with Samba/CUPS?
>
> Also if you could give me some security tips or documentation to read on this, it would be helpful.
>
> Best regards,
>
> Bruno Martins

Do those users have write access to that directory in Linux?

On Sat, Feb 4, 2012 at 6:22 AM, Bruno Martins <bmartins at galileu.pt> wrote:
> [formacao]
>         comment = Partilha Formacao
>         path = /home/joe/Formacao
>         guest ok = yes
>         browseable = yes
>         read only = no
>         write list = bmartins, amoreira
>
> Share to expose is 'formacao' but I want it to be only writable by two AD users and read-only for everyone else.

Then you would want "read only = yes", yes?

> With the smb.conf above mentioned, Windows keeps asking me for authentication.

Is the AD guest account enabled? If not, it may fall back to local authentication as in http://blog.realcomputerguy.com/2010/12/samba-and-guest-shares-with-security.html but I haven't tried it.
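
An added example, not part of the thread and not code from any poster: a small audit of the share settings discussed above, showing for each share whether guests are admitted, who may write, and whether the second network is in "hosts allow". The function name audit is hypothetical, and the script assumes only the canonical parameter names used in the posted file (no synonyms such as "writeable" or "public") and compares "hosts allow" entries as exact prefixes.

```python
import configparser

# Constructed sample: the [global] lines that act as share defaults plus three
# shares, with values copied from the smb.conf posted in this thread.
SMB_CONF = """
[global]
guest ok = Yes
hosts allow = 127., 192.168.0., 10.150.21., 192.168.2.
[dropbox]
write list = ghelpdesk, a230w
read only = No
guest ok = No
[print$]
guest only = yes
write list = ghelpdesk, a230w
[formacao]
guest ok = yes
read only = no
write list = bmartins, amoreira
"""

def audit(conf_text, net_prefix="192.168.2."):
    """Return {share: findings}; [global] values act as per-share defaults."""
    cp = configparser.ConfigParser(default_section="global", interpolation=None,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        share = cp[name]
        # Assumption: canonical parameter names only; Samba's default is read only = yes.
        read_only = share.getboolean("read only", fallback=True)
        writers = [u.strip() for u in share.get("write list", "").split(",") if u.strip()]
        allowed = [h.strip() for h in share.get("hosts allow", "").split(",") if h.strip()]
        report[name] = {
            "guest": share.getboolean("guest ok", fallback=False),
            # "write list" only narrows writers on a read-only share; with
            # "read only = no" anyone who can connect may write (filesystem permitting).
            "writers": "everyone" if not read_only else (writers or "nobody"),
            # An empty "hosts allow" means no host restriction at all.
            "from_net": not allowed or net_prefix in allowed,
        }
    return report

if __name__ == "__main__":
    for share, findings in audit(SMB_CONF).items():
        print(share, findings)
```

Re-running the audit with formacao set to "read only = yes" reports its writers as the two listed users instead of everyone.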