Goetz, Patrick G
2019-Jun-11 19:45 UTC
[Samba] Samba + AD Authentication: Restricting access to shares
Because most of our servers are restricted to specific user groups and the AD domain covers the entire university, I need to find a way to limit access to samba shares, preferably using AD security groups; i.e. I want to do something like:

[EMdata]
    comment = TEM Data
    path = /EMdata
    valid users = @cns-cryo-emusers
    guest ok = no
    writeable = yes

where cns-cryo-emusers is an AD security group. Has this been implemented in any version of Samba? Otherwise, is there any way to limit access when doing AD authentication? We don't have any local users to limit access to; it's all domain users. The local accounts are strictly used for administrative purposes.
Rowland Penny
2019-Jun-11 20:12 UTC
[Samba] Samba + AD Authentication: Restricting access to shares
On 11/06/2019 20:45, Goetz, Patrick G via samba wrote:
> Because most of our servers are restricted to specific user groups and
> the AD domain covers the entire university, I need to find a way to
> limit access to samba shares, preferably using AD security groups; i.e.
> I want to do something like:
>
> [EMdata]
>     comment = TEM Data
>     path = /EMdata
>     valid users = @cns-cryo-emusers
>     guest ok = no
>     writeable = yes
>
> where cns-cryo-emusers is an AD security group. Has this been
> implemented in any version of Samba? Otherwise, is there any way to
> limit access when doing AD authentication? We don't have any local
> users to limit access to; it's all domain users. The local accounts are
> strictly used for administrative purposes.

Then do it the way Windows does it, set permissions on the share from the 'security' tab on Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Set your share like this:

[EMdata]
    comment = TEM Data
    path = /EMdata
    read only = no

Rowland
Uwe Laverenz
2019-Jun-12 20:08 UTC
[Samba] Samba + AD Authentication: Restricting access to shares
Hi,

On 11.06.19 at 21:45, Goetz, Patrick G via samba wrote:
> [EMdata]
>     comment = TEM Data
>     path = /EMdata
>     valid users = @cns-cryo-emusers
>     guest ok = no
>     writeable = yes
>
> where cns-cryo-emusers is an AD security group. Has this been
> implemented in any version of Samba? Otherwise, is there any way to

Not sure but: have you tried '+' instead of '@'?

    valid users = +cns-cryo-emusers

Uwe
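Added example, not part of the thread or of Samba: a small audit that reads smb.conf-style text and reports, per share, who `valid users` admits and which lookup each group prefix triggers, following the prefix rules documented in smb.conf(5). The share names `EMdata-plus` and `EMdata-acl`, the sample text and the function names are assumptions made for illustration.

```python
import re

# Group-name prefixes as documented in smb.conf(5) under "invalid users".
PREFIX_LOOKUP = {
    "@": "NIS netgroup first, then UNIX group (NSS)",
    "+": "UNIX group via NSS getgrnam() only",
    "&": "NIS netgroup only",
}
OPEN = "no 'valid users': any authenticated user, ACLs decide"
# Constructed sample: the three share variants discussed in the thread.
SAMPLE = """
[global]
    security = ads
[EMdata]
    valid users = @cns-cryo-emusers
    guest ok = no
[EMdata-plus]
    valid users = +cns-cryo-emusers
[EMdata-acl]
    read only = no
"""

def parse_shares(conf_text):
    """Return {section: {param: value}} for smb.conf-style text."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return shares

def audit(conf_text):
    """Map each share to its 'valid users' entries, or OPEN if unset."""
    report = {}
    for share, params in parse_shares(conf_text).items():
        if share == "global":
            continue
        entries = []
        value = params.get("validusers", "")
        for tok in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', value):
            prefix = re.match(r"[@+&]*", tok).group()
            name = tok[len(prefix):].strip('"')  # first prefix char decides
            entries.append((name, PREFIX_LOOKUP.get(prefix[:1], "single user")))
        report[share] = entries or OPEN
    return report
```

A share reported as `OPEN` is not necessarily exposed; it means smb.conf itself applies no user restriction, so the Windows ACLs set on the share and its files are the only gate.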