"Th. Söldenwagner"
2013-Oct-25 14:27 UTC
[Samba] Fwd: Re: Restrict access to users home drives
Hello Marc,

On 24.10.2013 21:00, Marc Muehlfeld wrote:
> Hello Thoralf,
>
> On 24.10.2013 20:32, "Th. Söldenwagner" wrote:
>> is it possible to hide/restrict access to the home drives of our samba
>> users when accessing them directly via netbios address?
>>
>> The server is running at school and there are several pupils who have
>> the ability to misuse this situation.
>
> Don't simply hide something! That's security by obscurity. And I'm 100%
> sure, that it will be abused. :-)
>
> Is it necessary, that users have access to foreign homes? Or is it just
> a misconfiguration?

On the contrary! As I mentioned, I don't want all users to have access to foreign homes. So, maybe a misconfiguration.

Following is what I did so far:

1. Created user demo1 in ADUC and set its home drive to H: with the path
   \\elektra\data\%username%

2. the directory was automatically created on the samba (4.1.0) server with these permissions:

   drwxrwxr-x+ 2 3000000 users

   The corresponding entry in smb.conf is:

   [data]
   path = /files_samba/userdirs
   read only = yes

3. created test.txt on H: as user demo1. The permissions are:

   -rwxrwxr-x+ 1 3000057 users 0 Oct 21 19:06 test.txt

4. logged in as user demo2 and opened the samba shares in address line:
   \\elektra

All shares show up and I can open the data folder and all other user folders except that I can't write to them.

Users shouldn't be able to see other folders at all or the data share should be restricted but I have no idea how to set this up...

Should this be done in ADUC or on the samba side?

> Here's a HowTo about setting up file shares:
> http://wiki.samba.org/index.php/Setup_and_configure_file_shares
> It also describes how to configure permissions. If you use a filesystem
> that supports user_xattr, you can use all ACL stuff windows provides.

My filesystem supports user_xattr.

Best regards
Thoralf
Jonathan Buzzard
2013-Oct-25 14:48 UTC
[Samba] Fwd: Re: Restrict access to users home drives
On Fri, 2013-10-25 at 16:27 +0200, "Th. Söldenwagner" wrote:

[SNIP]
> 3.
> created test.txt on H: as user demo1. The permissions are:
> -rwxrwxr-x+ 1 3000057 users 0 Oct 21 19:06 test.txt
>

Duh you have read and execute permissions granted to all and by the looks of it also write permissions granted to the users group. What exactly are you expecting??? This is Unix file permissions 101.

Try something along the lines of

cd /files_samba/userdirs
chmod 0700 *

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
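
Added example, not part of the thread and not Samba project code: shell functions that list the directories under a share path whose mode still grants group or other access (as in the drwxrwxr-x listing above), and apply the suggested chmod 0700 only to those. The function names audit_homes and lock_homes are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit per-user directories under a Samba share path.
# audit_homes / lock_homes are hypothetical names; GNU stat is assumed.

# Print "<octal mode> <path>" for every directory directly under $1
# whose mode grants any group or other permission bit.
# Note: when a directory carries a POSIX ACL (the "+" in ls -l), the
# group bits reported here are the ACL mask.
audit_homes() {
    base=$1
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        dir=${dir%/}
        if [ -L "$dir" ]; then continue; fi  # never follow symlinks
        mode=$(stat -c '%a' "$dir")
        case $mode in
            0|*00) ;;                        # owner-only (or no access)
            *) printf '%s %s\n' "$mode" "$dir" ;;
        esac
    done
}

# Set mode 0700 on each directory that audit_homes reports.
lock_homes() {
    audit_homes "$1" | while read -r mode dir; do
        chmod 0700 "$dir"
    done
}

# Usage: sh audit_homes.sh /files_samba/userdirs
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```

Running the audit before and after a change shows exactly which directories were exposed, which is safer than a blanket chmod when the share path also holds non-home directories.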