Hi,
I hope I've reported all you need to understand my situation:
Samba-3.0.14a on RH9 joined to Windows Server 2003 and configured with
Kerberos.
Following my smb.conf.
[global]
netbios name = MILLX03
os level = 16
wins server = xxx.xxx.xxx.xxx (AD Server)
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
workgroup = DOMAIN
realm = REALM.COM
security = ADS
encrypt passwords = yes
allow trusted domains = Yes
winbind use default domain = Yes
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 10000-100000
idmap gid = 10000-100000
hide unreadable = Yes
template shell = /bin/false
use sendfile = Yes
printer admin = xxx
admin users = xxx
log file = /var/log/samba/log.%m
log level = 2 auth:10 sam:10
max log size = 50
printcap name = cups
disable spoolss = No
show add printer wizard = Yes
printing = cups
load printers = yes
nt acl support = Yes
map acl inherit = Yes
client use spnego = Yes
[data]
comment = DATA repository
path = /data
read only = No
create mask = 0775
security mask = 0777
force security mode = 0
directory mask = 0775
directory security mask = 0777
force directory security mode = 0
dos filetimes = yes
Following my data structure:
/data
/user
/dtomasoni
/another user ...
Data share is mounted on XFS filesystem so I use ACL:
/data
# file: data
# owner: root
# group: root
user::rwx
group::r-x
group:domain\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::---
default:group:domain\040users:r-x
default:mask::rwx
default:other::r-x
/user
# file: user
# owner: root
# group: root
user::rwx
group::---
group:domain\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::---
default:group:domain\040users:r-x
default:mask::rwx
default:other::r-x
/dtomasoni
# file: dtomasoni
# owner: root
# group: root
user::rwx
user:dtomasoni:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:dtomasoni:rwx
default:group::---
default:mask::rwx
default:other::---
My target is to allow read/write permission on user's shares but nobody else
can see others share than own.
Target reached succesfully with "smbclient //millx03/data
-Udtomasoni%dtomaso", but not with "smbclient -k //millx03/data
-Udtomasoni%dtomaso", I have also reported below this behavior that
unfortunatly is the same when I connect to the share by my W2k and XP
client.
[root@millx03 data]# smbclient -k //millx03/data -Udtomasoni%dtomaso
added interface ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx
nmask=xxx.xxx.xxx.xxx
Doing kerberos session setup
OS=[Unix] Server=[Samba 3.0.14a]
smb: \> dir
. D 0 Mon May 16 11:17:43 2005
.. D 0 Fri May 20 15:39:24 2005
user D 0 Fri May 20 18:21:48 2005
50906 blocks of size 16384. 50894 blocks available
smb: \> cd user
smb: \user\> dir
. D 0 Fri May 20 18:21:48 2005
.. D 0 Mon May 16 11:17:43 2005
50906 blocks of size 16384. 50894 blocks available
smb: \user\> ...
[root@millx03 data]# smbclient //millx03/data -Udtomasoni%dtomaso
added interface ip=xxx.xxx.xxx.xxx bcast=xxx.xxx.xxx.xxx
nmask=xxx.xxx.xxx.xxx
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.14a]
smb: \> dir
. D 0 Mon May 16 11:17:43 2005
.. D 0 Fri May 20 15:39:24 2005
user D 0 Fri May 20 18:21:48 2005
50906 blocks of size 16384. 50894 blocks available
smb: \> cd user
smb: \user\> dir
. D 0 Fri May 20 18:21:48 2005
.. D 0 Mon May 16 11:17:43 2005
dtomasoni D 0 Wed May 18 19:01:55 2005
50906 blocks of size 16384. 50894 blocks available
smb: \user\> ...
Whats the different by these two method of authentication on browsing
folders?
Thanks a lot.
Marco.
