Our DCs are Win2003 but we dealt with the same problem on Linux member servers.
We use filesystem ACLs to control access. The owner/group of a shared directory
is nobody:nobody.
The default ACL is:
default:user::rwx
default:group::---
default:other::---
plus numerous
default:group:<some AD group>:rwx
entries, one for each group.
The reason for the group::--- is because the primary group is "Domain
Users" and we want to make sure that files don't default to allowing
access to this group.
-James
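The scheme James describes, as an added example that is not code from the post: a POSIX sh helper that emits a getfacl-style ACL specification for a share and applies it with setfacl. The function names, and the groups Managers and Accountants taken from the original question, are illustrative; the mask entries are added here because setfacl needs one whenever named group entries are present.

```shell
#!/bin/sh
# Emit the ACL spec for a shared directory: owner gets rwx, each named AD
# group gets rwx, the primary group ("Domain Users") and others get nothing.
# The same entries are repeated as default entries so that files and
# subdirectories created inside the share inherit them.
# Usage: share_acl_spec GROUP [GROUP...]   (helper name assumed, not from the post)
share_acl_spec() {
    # Access ACL for the directory itself
    printf 'user::rwx\n'
    printf 'group::---\n'          # primary group (Domain Users) gets no access
    for g in "$@"; do
        printf 'group:%s:rwx\n' "$g"
    done
    printf 'mask::rwx\n'           # upper bound on named-group rights
    printf 'other::---\n'
    # Default ACL, inherited by everything created below the share
    printf 'default:user::rwx\n'
    printf 'default:group::---\n'
    for g in "$@"; do
        printf 'default:group:%s:rwx\n' "$g"
    done
    printf 'default:mask::rwx\n'
    printf 'default:other::---\n'
}

# Apply the spec to a share directory. Needs root, a filesystem mounted with
# POSIX ACL support, and the group names resolvable (e.g. via winbind).
# Usage: apply_share_acl DIR GROUP [GROUP...]
apply_share_acl() {
    dir=$1; shift
    chown nobody:nobody "$dir" || return 1
    share_acl_spec "$@" | setfacl --set-file=- "$dir"
}

# Example: the Sales share from the original question, readable and writable
# by Managers and Accountants only (uncomment to run as root on a real share).
# apply_share_acl /var/lib/samba/Sales Managers Accountants
```

Verify the result with `getfacl /var/lib/samba/Sales` and by creating a file as a Domain Users member who is in neither group.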
> -----Original Message-----
> On Behalf Of Björn Lindqvist
> Sent: Tuesday, August 01, 2006 6:30 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba and unix permissions mismatch
>
>
> I have just managed to get my first Samba/LDAP PDC up and running. But
> I have one big security problem -- users logging in to the PDC using
> ssh can access all shares.
>
> User credentials, both for ssh login and for Samba access,
> are retrieved
> from the LDAP directory. All shares are stored in the /var/lib/samba
> directory. The directories permissions look like this:
>
> drwxrwx--- 2 root Domain Users 4096 25 jul 15.11 Common
> drwxrwx--- 2 root Domain Users 4096 13 jun 16.59 Customers
> drwxrwx--- 2 root Domain Users 4096 13 jun 16.32 Sales
> ... and so on.
>
> Each share is owned by root in the "Domain Users" group. In the Unix
> world, each directory can only be owned by one user in one group. But
> in the Samba world, directories and shares aren't owned by any
> single group, instead a number of groups have access to the directory
> or share. That is why the shares have to be owned by the Unix group
> "Domain Users," which is a meta group in which all users of the PDC
> belong.
>
> Obviously, this arrangement isn't very nice. Every user that logs in
> via ssh can access all shares. Yet all shares need to be owned by the
> group "Domain Users" otherwise some groups of users can't access some
> shares. The Sales share, for example, should really be owned by both
> the Managers and the Accountants groups.
>
> So how do I fix this? There doesn't seem to be any easy way.
>
> Thanks in advance.
>
> --
> Mvh Björn Lindqvist
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>