Message-ID: <38283030.C3C8FCFD@channel-one.de>
Date: Tue, 09 Nov 1999 15:31:12 +0100
From: Tobias Galitzien <tg@channel-one.de>
To: samba@samba.org
Subject: security=server, users can get admin rights

Hello!

The troublesome configuration is:

Windows NT 4.0 Terminal Server with Citrix Metaframe connecting to a Samba 2.0.5a, authenticating against a PDC of Windows NT Server 4.0. Users are connecting to the WTS by various ICA Clients.

So in smb.conf, I set:

    security = server
    password server = <the PDC>
    encrypt passwords = yes
    null passwords = no

Then I have a share for the admins, who will have full control in all home directories:

    [manager]
    directory = /home
    admin users = @manager
    valid users = @manager,@edv

And a (maybe problematic) homes share:

    [home]
    directory = /home/user/%u
    create mask = 700
    directory mask = 700

I didn't use "homes" because my customer wanted to keep the look and feel of his old Netware server.

Now every user can map his home directory with his password (on the PDC). That's good.

But when he uses "net use \\samba\manager /USER:<one of the admins>" he gets the share without a further question for the admin's password and has full control in all the home directories.

What is wrong? The UNIX rights for the home directories are all 700.

Any hints greatly appreciated!

Tobias