Hi,

is it possible to hide/restrict access to the home drives of our samba users when accessing them directly via netbios address?

I have set up the home folders in ADUC. They are all mapped to drive H: and users have full access to their drive. The problem is that other users also have access (except write) to other users' folders when opening the domain shares via

\\<netbios name>\data\<user folders>

The corresponding entry in /etc/samba/smb.conf is:

[data]
path = /files_samba/userdirs
read only = No

I have also tried additional options:

browseable = no (the home drive won't show up at all after login)
valid users = %u (the folder can't be created from ADUC because the administrator doesn't have the right to do that)

The server is running at a school and there are several pupils who have the ability to misuse this situation.

Thanks in advance
Thoralf
Hello Thoralf,

On 24.10.2013 20:32, "Th. Söldenwagner" wrote:
> is it possible to hide/restrict access to the home drives of our samba
> users when accessing them directly via netbios address?
>
> The server is running at school and there are several pupils who have
> the ability to misuse this situation.

Don't simply hide something! That's security by obscurity. And I'm 100% sure that it will be abused. :-)

Is it necessary that users have access to foreign homes? Or is it just a misconfiguration?

Here's a HowTo about setting up file shares:
http://wiki.samba.org/index.php/Setup_and_configure_file_shares
It also describes how to configure permissions. If you use a filesystem that supports user_xattr, you can use all the ACL stuff Windows provides.

Regards,
Marc
Hello Thoralf,

On 25.10.2013 16:06, "Th. Söldenwagner" wrote:
>> Here's a HowTo about setting up file shares:
>> http://wiki.samba.org/index.php/Setup_and_configure_file_shares
>> It also describes how to configure permissions. If you use a filesystem
>> that supports user_xattr, you can use all ACL stuff windows provides.

Have you followed the HowTo? Especially configuring the permissions on the share on Windows. If you set up the right permissions, then the users can only access their own folder and no other on the share.

There are several best practice HowTos on the internet for the home dir share permissions, I guess. Maybe it's enough to simply remove the group or everyone from the ACLs of the share.

Regards,
Marc
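A server-side check for the symptom discussed in this thread (folders under the share that other users can open), added here as an example and not code from any poster or from the Samba project. It inspects POSIX mode bits only and does not look at ACLs set from the Windows side; the function names and the sample tree (alice, bob, carol) are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_home_dirs(share_root):
    """Return {folder: (mode, [problems])} for per-user folders under
    share_root whose POSIX mode lets anyone but the owner in."""
    findings = {}
    for entry in sorted(os.scandir(share_root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        problems = []
        for who, r, w, x in (
            ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
            ("other", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
        ):
            if mode & r and mode & x:
                problems.append(f"{who} can list and enter")
            elif mode & x:
                problems.append(f"{who} can enter (names must be guessed)")
            elif mode & r:
                problems.append(f"{who} can list names")
            if mode & w and mode & x:
                problems.append(f"{who} can create/delete entries")
        if problems:
            findings[entry.name] = (oct(mode), problems)
    return findings

def demo():
    """Constructed sample tree standing in for /files_samba/userdirs."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("alice", 0o700), ("bob", 0o755), ("carol", 0o770)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod: mkdir's mode is cut by umask
        return audit_home_dirs(root)

if __name__ == "__main__":
    # On a real server, call audit_home_dirs() on the share path instead.
    for name, (mode, problems) in demo().items():
        print(f"{name}: {mode}: {'; '.join(problems)}")
```

In the constructed tree, bob (0755) reproduces the situation from the first post: everyone can read the folder but not write to it.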
Hello Hans,

On 26.10.2013 17:14, spamvoll at googlemail.com wrote:
> I have exactly the same problem.
> Just installed 4.1.0, roaming profiles are working, only the user has
> access to it, but Users Home Shares are visible and writeable for all.
>
> [Users]
> comment = Home Directories
> directory_mode: parameter = 0700
> path = /home/HOME/
> read only = No
> csc policy = documents
>
> [Profiles]
> path = /home/Profiles/
> read only = no

Did you check the HowTo?
http://wiki.samba.org/index.php/Setup_and_configure_file_shares

Have you enabled user_xattr on the filesystem where your homes are? And have you set the permissions on the share and its folders on Windows?

> directory_mode: parameter = 0700

What kind of parameter is this? I don't find "directory_mode" in the (4.0.9) smb.conf manpage.

Regards,
Marc
"Th. Söldenwagner"
2013-Nov-09 21:14 UTC
[Samba] [SOLVED] Restrict access to users home drives
Thanks to this brand new Samba Wiki article

https://wiki.samba.org/index.php/Setting_up_a_home_share

all problems are gone.

BR
Thoralf

On 24.10.2013 20:32, "Th. Söldenwagner" wrote:
> Hi,
>
> is it possible to hide/restrict access to the home drives of our samba
> users when accessing them directly via netbios address?
>
> I have set up the home folders in ADUC. They are all mapped to drive H:
> and users have full access to their drive. The problem is that other
> users also have access (except write) to other users' folders when
> opening the domain shares via
>
> \\<netbios name>\data\<user folders>
>
> The corresponding entry in /etc/samba/smb.conf is:
>
> [data]
> path = /files_samba/userdirs
> read only = No
>
> I have also tried additional options:
>
> browseable = no (the home drive won't show up at all after login)
> valid users = %u (the folder can't be created from ADUC because the
> administrator doesn't have the right to do that)
>
> The server is running at a school and there are several pupils who have
> the ability to misuse this situation.
>
> Thanks in advance
> Thoralf