OK, I fixed all of my winbind problems (I think), but I'm not sure the outcome is optimal, so I'm looking for advice and counsel at more of a philosophical level, rather than a pure technical level. I would be grateful for comments on the following setup:

::Background::
SuSE 9.0, Samba 3.0.4-5 rpms from ftp.sernet.de (quasi-official SuSE rpms, as I understand it). The machine is configured as a member server in a true Windows NT4 domain. (The smb.conf file is at the end of this post.) This machine is temporary; it needs to run for two months. We followed the instructions in Samba3 By Example as a starting point.

::Setup::
All of the folders to be shared are in a directory called /data on the machine. As we are using PAM with winbind for Samba authentication only, there are no unix accounts used by Windows workstation users; we did not change any of the pam.d files other than /pam.d/samba, and we have done no Windows-to-Unix user or group mapping. System admins who need to log in to the Samba box use Linux accounts at the console.

::File System Permissions::
We chowned the entire /data tree as root.root, and then chmodded the entire /data tree as 777. A few users (about 10) make use of home folders, so we created these manually in /data/Users to avoid fussing with the pam module that can do this. These folders too were chmodded as 777. We also put "inherit permissions = yes" in the [global] section so that new files created by Windows users have the same 777 permissions.

::Share-Level Permissions::
We couldn't find how to use NT Domain accounts to control permissions at the share level. Probably this is somewhere in TOSHARG or Samba3 By Example (which are both pretty dog-eared now), but we didn't see it. Googling got us the answer, and you can see how we did it in the smb.conf file below. We then carefully reviewed, in User Manager on the NT4 PDC, the memberships of each of the Domain Security Groups we used in smb.conf.

::Result::
With one day of testing, so far so good. Windows domain users can access the shares they should, read, write and create files and folders in those shares, etc. Windows domain users are challenged with a username:password dialog box when they try to access a share to which their logged-in NT user account does not have access (via NT Global group membership, or lack thereof), and this seems to work OK. That is, they can access the prohibited share if they use an NT account that is a member of an NT Global group authorized to access that share.

::Thoughts::
I'm not entirely happy with the underlying file system being wide open. When I set up Microsoft shares in an AD domain, I like to use the share-level access to block viewing of unauthorized shares (less clutter, primarily), and then ACLs to control access at the file system level. This allows users to access a share, but not necessarily all of the sub-folders within a share, which can be useful. This Samba setup I believe won't have that capability, which is OK for now.

I would be grateful for your comments on this smb.conf setup, and for ways to improve it. (There are some comments indicating changes to come, BTW.) Thanking you all in advance (note the actual workgroup name has been changed in smb.conf below...)
Mark

-------begin smb.conf-----
[global]
        workgroup = JOEMAMA
        security = domain
        unix charset = LOCALE
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 0
        smb ports = 139 445
        name resolve order = wins bcast hosts
        server string = SuSE Linux Samba Server
        time server = yes
        wins server = 172.22.6.11
        template primary group = "Domain Users"
        template shell = /bin/bash
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        template homedir = /data/Users/%U
        use sendfile = yes
        large readwrite = yes
        socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
        oplocks = no
        level2 oplocks = no
        # new files/directories take their mode bits from the parent directory
        inherit permissions = yes

[homes]
        comment = %u's Home Directory
        # note: "winbind separator = +" is set above, so the %D-%S form here
        # may not match winbind names; %D%w%S (%w = separator) follows the setting
        valid users = %D-%S %S
        read only = no
        browseable = no

# share-level control via NT Global groups: @"%D+Group" means
# "members of group Group in the domain of the connecting user"
[Accounting]
        comment = Company Financial Reports
        path = /data/Company/Accounting
        valid users = @"%D+Accounting"
        read only = Yes

[AcctPrivate]
        comment = Accounting Department Use Only
        path = /data/Company/AcctPrivate
        valid users = @"%D+Accounting-Private"

[Billing]
        comment = Billing Department Working Files
        path = /data/Company/Billing
        valid users = @"%D+Billing"

[IT_Dept]
        comment = Techie Stuff You May Need
        path = /data/Company/IT_Dept
        valid users = @"%D+Domain Users"

[IT_Private]
        comment = For IT Department Use Only
        path = /data/Company/IT_Private
        valid users = @"%D+IT-Dept"

[Lab]
        comment = For Lab Department Use Only
        path = /data/Company/Lab
        valid users = @"%D+Lab"

[LabPrivate]
        comment = Lab Management Use Only
        path = /data/Company/LabPrivate
        valid users = @"%D+Lab"
        # Change valid users to head of lab!

[Public]
        path = /data/Company/Public
        writeable = yes
        public = yes
        valid users = @"%D+Domain Users"
        comment = Public Documents

[Research]
        comment = For Research Department Use Only
        path = /data/Company/Research
        valid users = @"%D+Domain Users"
        # Correct valid users to members of research local group.
--------end of smb.conf------

-- 
_____________________________________________
A Message From...
L. Mark Stone
Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.RNoME.com
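An added audit script for the "wide open file system" concern raised above (example code, not from the original post or the Samba project): it parses the share sections, flags shares restricted to one NT group via "valid users" but backed by a world-writable directory, and prints the chgrp/chmod 2770 fix that would let the mode bits do the work instead. The smb.conf text, domain name and directories fed to it are constructed; the fix assumes the winbind group names resolve through nsswitch, which the post's PAM-only setup does not yet provide.

```python
# Added example, not from the original post: find group-restricted shares
# whose directory mode 777 leaves them protected by smbd's share check alone.
import configparser
import os
import shlex
import stat


def parse_shares(text):
    """Map share name -> {'path', 'valid_users'} for every non-[global] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {s: {"path": cp[s].get("path"),
                "valid_users": cp[s].get("valid users", "")}
            for s in cp.sections() if s != "global"}


def group_from_valid_users(valid_users, domain):
    """Return the winbind group behind an @"%D+Group" entry, else None."""
    tokens = shlex.split(valid_users)  # keeps "Domain Users" as one token
    if not tokens or not tokens[0].startswith("@"):
        return None
    return tokens[0][1:].replace("%D", domain)


def audit(text, domain, everyone="Domain Users"):
    """Flag shares limited to one group but backed by a world-writable dir.

    "valid users" is checked by smbd on the share only; with 777 underneath,
    any other route to the path (a nested share, a local login, a later
    smb.conf edit) is unrestricted. The suggested fix hands the directory to
    the winbind group with SGID; "inherit permissions = yes" then yields
    0660 files and 2770 subdirectories. Shares open to everyone are skipped.
    """
    findings = []
    for name, share in parse_shares(text).items():
        path = share["path"]
        if not path or not os.path.isdir(path):
            continue  # [homes] has no fixed path; missing dirs are skipped
        mode = stat.S_IMODE(os.stat(path).st_mode)
        group = group_from_valid_users(share["valid_users"], domain)
        if group and everyone not in group and mode & stat.S_IWOTH:
            q = shlex.quote
            fix = "chgrp %s %s && chmod 2770 %s" % (q(group), q(path), q(path))
            findings.append((name, "%04o" % mode, fix))
    return findings
```

On the real box this would be called as audit(open("/etc/samba/smb.conf").read(), "JOEMAMA") and the printed commands reviewed before running them.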