l.arzeni@pride.it wrote:
> Date: Thu, 7 Jan 1999 18:52:44 +0100
> From: "Luca Arzeni" <l.arzeni@pride.it>
> To: "Multiple recipients of list" <samba@samba.anu.edu.au>
> Subject: smb.conf information request
> Message-ID: <000d01be3a66$87292b50$8e04010a@c97_124.primi.pride.it>
>
> Hi there,
>
> ENVIRONMENT: server: HP-UX11.0, clients: WinNT 4.0 SP3 or SP4
>
> I'm trying to install SAMBA on our HP-UX server. I have many PCs acting as
> clients and I would like to share their home dirs on the server. I would
> like to allow each guy to have Read/Write access in his home dir, and
> Read only in other guys' home dirs. I've tried modifying the default
> smb.conf files, but there are troubles: if I try to share a dir, all guys
> can write on all dirs, otherwise no one is able to write in any dir. Also, it
> seems that if a guy logs into the server with a username, he can't connect
> to another dir using another username (you know, NT asks for the name to be used
> for a connection).
>
> Is there anyone who has a simple file that I can modify for my purposes?
>
> Yours faithfully, Luca Arzeni
>
> Ing. Luca Arzeni
> Pride S.P.A.
> Via Cechov 48/50
> 20151 Milano
> Tel. 02 30012526
> Mob. 0347 6161545
> mail to: l.arzeni@pride.it
>
Simple file no - but this will work ;)
ENVIRONMENT: samba servers: Sun 5.4, 5.5.1, 2.6, 2.7, clients: Win95, WinNT 4.0
SP3 or SP4, Sun 5.4, 5.5.1, 2.6, 2.7, Linux Debian or RedHat
What follows describes how to implement a secure ("deny unless granted")
and very flexible technique called the gatekeeper security model. The lower
directories within a directory tree (i.e. /home/*) are used as a padlocked gate to
deny unwanted users access to the files within. Once a user is allowed past
the 'gate' directory they can read and/or write to the files contained within. With
very few minor modifications this technique can adapt to meet all individual, team,
workgroup, departmental, and organizational file storage and sharing requirements.
This technique scales very well and has been used in large multi-national
Fortune 500 companies. I have yet to find a business model that it cannot adapt to.
The only issue is that we must manually maintain/sync Unix passwords,
groups, netgroups, and NT passwords. No big deal. Be sure that both the Unix
username and the NT login name are the same. E.g. Joe Doe = jdoe.
First we start by setting up three directory types: one for private data (the user
home directory), a directory for groups to share data (controlled by /etc/group or
NIS/NIS+ netgroups), and a public access directory. Gently but firmly see if you
can coax your users into using this layout. It is the preferred security model.
Unix file system configuration:
Permissions on individual users' HOME directories should be set to 700 (chmod 700).
Create the other directories with the following script:
#!/bin/sh
# Creates the group and public directory types of the gatekeeper layout.
# Run as root (chgrp to arbitrary groups needs it). User home directories
# are left at chmod 700 and are not touched here.
set -e                            # stop on the first error
PCHOME=/home
mkdir $PCHOME/groups
chmod 755 $PCHOME/groups          # anyone may traverse down to the group gates...
# customize as needed to match groups or netgroups
for i in prog rnd sales tech sysadmin
do
mkdir $PCHOME/groups/$i
chgrp $i $PCHOME/groups/$i
chmod 770 $PCHOME/groups/$i       # ...but only members of group $i get past each gate
done
mkdir $PCHOME/public
chmod 777 $PCHOME/public          # world readable and writable
# end script
Samba (1.9.18p10) configuration information:
;=== Global Settings ==...
; Only allow your selected networks and hosts access
; modify these as needed
allow hosts = 10.10.60., 10.10.61.
...
;Make WinTel NT/95 Passwords NT's problem
security = server
encrypt passwords = yes
password server = name_of_your_PDC_goes_here
...
;=== Share Definitions ===
[pchome]
comment = users home directories
path = /home
browseable = yes
public = no
writable = yes
printable = no
directory mask = 755
create mask = 0644
force directory mode = 755
force create mode = 644
[groups]
comment = group specific shares
path = /home/groups
browseable = yes
public = no
writable = yes
printable = no
create mask = 660
force directory mode = 775
force create mode = 664
[public]
comment = Public Stuff
path = /home/public
public = yes
writable = yes
printable = no
create mask = 666
force directory mode = 777
force create mode = 666
[homes]
comment = Home Directory
path = /home/%u
browseable = no
writeable = yes
valid users = %S
If your users will not adapt then be sure to warn management about the security
implications. Specifically: there will not be any private files on the server. I would
do this by email so that there was a written record. Then do the following :(
Reset the individual users' home directories to 'chmod 750'
Note that there are no changes to the smb.conf file. Also; 6 months down the line,
when management discovers exactly what the implications of relaxed security are, you
will be in good shape to fix it :)
- Jim Mulholland
Principal Systems Administrator
Periphonics Corporation
jim.mulholland@peri.com
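As an added example (not part of Jim's post or of Samba), the following POSIX sh script audits an existing /home tree against the gatekeeper layout he describes: each user directory at 700 (or 750 in the relaxed fallback), /home/groups at 755, each group directory at 770, and /home/public at 777. The function names, the strict/relaxed argument, and accepting 1777 for public are my assumptions; on a world-writable directory the sticky bit (1777) is worth preferring so that users cannot delete each other's files. The script checks permission bits only; the group ownership that the chgrp in his script sets still has to be confirmed separately (e.g. with ls -ld).

```shell
#!/bin/sh
# Added example, not part of the original post: audit a /home tree against the
# gatekeeper layout. Every directory whose mode is off is printed as "BAD ...",
# and the audit returns non-zero if anything was off.
#
# Expected modes (the "relaxed" value is the chmod 750 fallback from the post):
#   PCHOME/<user>           700  (750 in relaxed mode)
#   PCHOME/groups           755
#   PCHOME/groups/<group>   770
#   PCHOME/public           777  (1777 also accepted: the sticky bit keeps users
#                                 from deleting each other's files; my assumption,
#                                 not something the post specifies)

# check_mode DIR MODE... : succeed silently if DIR's permission bits equal one of
# MODE..., otherwise print it and fail. find(1) is used instead of stat(1) because
# stat's option syntax differs between GNU and BSD; -prune keeps find from
# descending, and -perm MODE is an exact match of all permission bits.
check_mode() {
    dir=$1
    shift
    for m in "$@"; do
        if [ -n "$(find "$dir" -prune -perm "$m" -print)" ]; then
            return 0
        fi
    done
    echo "BAD $dir (expected mode $*)"
    return 1
}

# audit_gatekeeper PCHOME [strict|relaxed] : returns 0 when the whole tree conforms.
audit_gatekeeper() {
    pchome=$1
    case ${2:-strict} in
        relaxed) home_mode=750 ;;
        *)       home_mode=700 ;;
    esac
    bad=0
    for d in "$pchome"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case $(basename "$d") in
            groups)
                check_mode "$d" 755 || bad=1
                for g in "$d"/*/; do
                    g=${g%/}
                    [ -d "$g" ] || continue
                    check_mode "$g" 770 || bad=1
                done ;;
            public)
                check_mode "$d" 777 1777 || bad=1 ;;
            *)
                # anything else directly under PCHOME is a user's gate directory
                check_mode "$d" "$home_mode" || bad=1 ;;
        esac
    done
    return $bad
}

# Usage: sh gatekeeper-audit.sh /home [strict|relaxed]
if [ $# -gt 0 ]; then
    audit_gatekeeper "$@"
fi
```

Run it from cron after the chmod 750 fallback has been applied and the two modes make the difference visible: in strict mode a 750 home is reported, in relaxed mode it is accepted, and a group directory that has drifted to 777 is reported in both.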