Danny Fedor
2014-Apr-20 20:14 UTC
[Samba] Allow access to a share for only one machine account
I have two domain controllers running ubuntu (12.04 and 13.10) both with samba (4.1.6 and 4.1.7) installed and running (and with sssd on both machines to retrieve uid/gid from AD). I wish to set a share on ubuntu2 in the way so it could be accessible only from ubuntu1 (and by any user from ubuntu1, for instance by local root).

I have found this solution though I'm not sure it solves my issue:
http://community.centrify.com/t5/Centrify-enabled-Samba/How-to-allow-Windows-machine-accounts-to-connect-to-a-share-as/td-p/11834

Anyway, it does not work -- klist doesn't return any ticket for the machine account on either ubuntu1 or ubuntu2 (yet both machines are listed in AD in the group "Domain Computers") if I'm logged in as a local user (if I log in as a domain user, then klist correctly shows a ticket for my user account, but still none for the machine).

Is there any other, better way to set this up?

--
View this message in context: http://samba.2283325.n4.nabble.com/Allow-access-to-a-share-for-only-one-machine-account-tp4664550.html
Sent from the Samba - General mailing list archive at Nabble.com.
Marc Muehlfeld
2014-Apr-20 23:50 UTC
[Samba] Allow access to a share for only one machine account
Hello Danny,

On 20.04.2014 22:14, Danny Fedor wrote:
> I have two domain controllers running ubuntu (12.04 and 13.10) both with
> samba (4.1.6 and 4.1.7) installed and running (and with sssd on both
> machines to retrieve uid/gid from AD). I wish to set a share on ubuntu2 in
> the way so it could be accessible only from ubuntu1 (and by any user from
> ubuntu1, for instance by local root).

Isn't

  hosts allow = ubuntu1

what you're looking for?

Regards,
Marc
Rowland Penny
2014-Apr-21 09:04 UTC
[Samba] Allow access to a share for only one machine account
On 20/04/14 21:14, Danny Fedor wrote:
> I have two domain controllers running ubuntu (12.04 and 13.10) both with
> samba (4.1.6 and 4.1.7) installed and running (and with sssd on both
> machines to retrieve uid/gid from AD). I wish to set a share on ubuntu2 in
> the way so it could be accessible only from ubuntu1 (and by any user from
> ubuntu1, for instance by local root).
>
> I have found this solution though I'm not sure it solves my issue:
> http://community.centrify.com/t5/Centrify-enabled-Samba/How-to-allow-Windows-machine-accounts-to-connect-to-a-share-as/td-p/11834
>
> Anyway, it does not work -- klist doesn't return any ticket for the machine
> account on either ubuntu1 or ubuntu2 (yet both machines are listed in AD in
> the group "Domain Computers") if I'm logged in as a local user (if I log in as
> a domain user, then klist correctly shows a ticket for my user account, but
> still none for the machine).
>
> Is there any other, better way to set this up?

I think that you are misunderstanding how Samba 4 in AD mode works: you can have local users and you can have domain users, but the two cannot meet ;-)

You can have a local user on ubuntu1 and a local user with the same name on ubuntu2, but they would not be the same user! You might think they are the same user, but as far as ubuntu1 & ubuntu2 are concerned, they are different.

You need to forget local users, put everybody into AD, use rfc2307 attributes, create an AD group for the users that need to access the share, then use setfacl to set up the access to the share.

Rowland
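An added example, not from the thread or any of its posters, that puts Marc's "hosts allow" and Rowland's AD-group-plus-setfacl suggestions together for the share on ubuntu2. The share name "restricted", the path /srv/restricted, the realm SAMDOM and the group SAMDOM\restricted-users are assumed placeholders, and the group is assumed to carry an rfc2307 gidNumber so that sssd on ubuntu2 can resolve it.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict a share on ubuntu2 to clients
# connecting from ubuntu1 (Marc: hosts allow) AND to members of an AD group
# that has rfc2307 POSIX attributes (Rowland: AD group + setfacl).
# Assumed placeholders: share "restricted", path /srv/restricted, AD realm
# SAMDOM, group SAMDOM\restricted-users. Adjust to your domain.
SHARE=restricted
SHARE_PATH=/srv/restricted
CLIENT=ubuntu1
AD_GROUP='SAMDOM\restricted-users'

# Render the share stanza for smb.conf.
#  - hosts allow on its own already rejects clients not on the list; hosts
#    deny = ALL makes the intent explicit and also closes the loopback
#    exception (127.0.0.1 is otherwise always admitted).
#  - A hostname in hosts allow is matched via reverse DNS of the client
#    address; an IP or subnet is more robust than a name.
#  - hosts allow is a network filter, not authentication: valid users keeps
#    an identity check in place, guest ok = no keeps anonymous clients out.
share_stanza() {
    cat <<EOF
[$1]
    path = $2
    read only = no
    hosts allow = $3
    hosts deny = ALL
    valid users = @"$4"
    guest ok = no
EOF
}
# Filesystem side: Samba cannot grant what the filesystem denies. Needs root
# and the group resolvable through sssd (check: getent group "$AD_GROUP").
apply_fs_acl() {
    install -d -m 0770 "$2"
    setfacl -m "g:$1:rwx" "$2"
    setfacl -d -m "g:$1:rwx" "$2"   # default ACL so new files inherit it
}
# Sanity check on a stanza read from stdin: every control we rely on must be
# present. Returns 0 when complete, 1 otherwise (also handy after hand edits).
stanza_complete() {
    conf=$(cat)
    for key in 'hosts allow = ' 'hosts deny = ALL' 'valid users = ' 'guest ok = no'; do
        printf '%s\n' "$conf" | grep -q "$key" || return 1
    done
}
share_stanza "$SHARE" "$SHARE_PATH" "$CLIENT" "$AD_GROUP"
# Apply the ACL only when explicitly requested, as root on ubuntu2.
if [ "${APPLY_ACL:-0}" = 1 ]; then
    apply_fs_acl "$AD_GROUP" "$SHARE_PATH"
fi
```

Run without APPLY_ACL to print the stanza for pasting into smb.conf and checking with testparm; run with APPLY_ACL=1 as root to create the directory and set the group ACL.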