AndyLiebman@aol.com
2005-Feb-04 04:33 UTC
[Samba] Shares of Logged Out Users Still Visible By Next User
Hi.

I'm running Samba 3.0.2 (a?) on Linux. For the most part, it's working great. I have set up Samba as a PDC and also just as a workgroup server.

However, under both scenarios I'm seeing a troublesome behavior with Windows XP machines that have many users who frequently log on and log off.

If User A logs off Windows XP and User B logs on 30 or 40 seconds later, sometimes User B can see and access private shares that only User A is authorized to see or browse or read or write. It seems that User A's shares will disappear from the Samba Server after a few minutes -- but during those first minutes after logging on, User B can see both HIS shares and User A's shares. During the transition period, User B can actually copy or delete anything he wants from User A.

Anybody have any clue what's going on and how to prevent it? Is the problem on the Samba side or on the Windows side? In my particular application, this is a very dangerous situation.

Andy Liebman
John H Terpstra
2005-Feb-04 05:13 UTC
[Samba] Shares of Logged Out Users Still Visible By Next User
Andy,

Please show us how you have configured the [homes] stanza. Are you using "valid users = %S" in the stanza?

- John T.

On Thursday 03 February 2005 21:32, AndyLiebman@aol.com wrote:
> Hi.
>
> I'm running Samba 3.0.2 (a?) on Linux. For the most part, it's working
> great. I have set up Samba as a PDC and also just as a workgroup server.
>
> However, under both scenarios I'm seeing a troublesome behavior with
> Windows XP machines that have many users who frequently log on and log off.
>
> If User A logs off Windows XP and User B logs on 30 or 40 seconds later,
> sometimes User B can see and access private shares that only User A is
> authorized to see or browse or read or write. It seems that User A's shares
> will disappear from the Samba Server after a few minutes -- but during
> those first minutes after logging on, User B can see both HIS shares and
> User A's shares. During the transition period, User B can actually copy or
> delete anything he wants from User A.
>
> Anybody have any clue what's going on and how to prevent it? Is the problem
> on the Samba side or on the Windows side. In my particular application,
> this is a very dangerous situation.
>
> Andy Liebman

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
AndyLiebman@aol.com
2005-Feb-04 14:07 UTC
[Samba] Shares of Logged Out Users Still Visible By Next User
In a message dated 2/4/2005 12:14:15 AM Eastern Standard Time, jht@samba.org writes:

> Andy,
>
> Please show us how you have configured the [homes] stanza. Are you using
> "valid users = %S" in the stanza?
>
> - John T.

Hi John,

Actually I don't use HOMES directories. And I am not using the "valid users" line anywhere in my smb.conf files.

Each user has many private shares that only HE/SHE is supposed to be able to access. Those shares are defined in individual smb.username.conf files. In the GLOBAL section of my smb.conf file, I have the statement:

    include = /etc/samba/smb.%u.conf

The listings in the individual "smb.username.conf" files look like one of the two following models:

    [Private Projects]
    comment = Metadata No Media Here
    path = /home/andy/Projects
    write list = @editors
    read only = No
    guest okay = No
    create mask = 0775
    directory mask = 0775
    force directory mode = 2070
    force group = editors

    [andy_TuesdayFiles]
    comment = Media Files
    path = /RAIDS/RAID_1/media/andy_TuesdayFiles
    write list = @editors
    read only = No
    guest okay = No
    create mask = 0775
    directory mask = 0775

Note: The /RAIDS/RAID_1/media directory has the sticky bit set for the group, so the group is always "editors" inside the media folder.

It's very important that the ownership and permissions of the files inside these shares be set broadly -- because they are often moved to other locations where other people need to access them. However, while they reside inside a particular user's share (and corresponding directory) they should only be accessible to that particular user.

Andy
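
Added example, not part of the original thread and not Samba code: a small Python audit for per-user include files of the kind described above, listing share stanzas that have no "valid users" line or whose "valid users" value names anyone other than the file's owner. The sample file contents, the "valid users" lines in it, the andy_Scratch share and the function names are constructed for illustration.

```python
import re

# Constructed sample of a per-user include file (smb.andy.conf), modelled on the
# stanzas in the post; the "valid users" lines are assumptions added for the demo.
SAMPLE = """\
[Private Projects]
    path = /home/andy/Projects
    write list = @editors

[andy_TuesdayFiles]
    path = /RAIDS/RAID_1/media/andy_TuesdayFiles
    Valid Users = andy

[andy_Scratch]
    path = /RAIDS/RAID_1/media/andy_Scratch
    valid users = %S
"""

def parse_shares(text):
    """Return {share name: {normalised parameter: value}} for one include file."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return shares

def audit(text, owner):
    """List (share, reason) for stanzas not restricted to `owner` alone."""
    findings = []
    for share, params in parse_shares(text).items():
        # %S expands to the share name, which equals the user name only in [homes]
        allowed = [share if u == "%S" else u
                   for u in re.split(r"[,\s]+", params.get("validusers", "")) if u]
        extra = [u for u in allowed if u.lower() != owner.lower()]
        if not allowed:
            findings.append((share, "no valid users line"))
        elif extra:
            findings.append((share, "admits non-owner: " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    for share, reason in audit(SAMPLE, "andy"):
        print(f"{share}: {reason}")
```
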