[Samba] Trouble with restricting access and ads - Samba


  1. [Samba] Trouble with restricting access and ads

    We are migrating old FreeBSD machines to Redhat EL 5.

    On FreeBSD, we have previously used "valid users =" with success.
    "valid users" was never a group, but always a list of user names like:
    valid users = david joe henry

    Moving to Redhat Enterprise 5, I used the system authentication GUI
    to set up Winbind and Kerberos and pam and nsswitch.conf.
    We authenticate off AD, and do not make local Unix accounts for
    the samba share users.

    I discovered the old "valid users = " configuration from the FreeBSD
    legacy smb.conf did not allow access, but simply "users = " and
    a list of accounts worked OK. I tested with my user
    and it could read/write files on the share. I thought I
    was done, until I learned that any user authenticating in AD could
    connect to the published shares!!!!

    Here is my global section (beer used to protect the innocent):

    [global]
    workgroup = BEER
    realm = BEERAD
    server string = Web Server
    security = ADS
    password server = adc1.ad.beer.ca
    idmap backend = rid:BEER=5000-100000000
    idmap uid = 5000-100000000
    idmap gid = 5000-100000000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    ; winbind nested groups = Yes
    allow trusted domains = No
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 50
    dns proxy = No
    winbind use default domain = Yes
    encrypt passwords = yes

    [www]
    comment = web
    path = /usr/local/www/www
    guest ok = no
    valid users = john todd greg alice
    users = john todd greg alice
    write list = john todd greg alice
    writable = yes
    force user = www
    force group = www

    With the above set up, connection to www is not possible.

    If I comment out the valid users line, then authentication works.

    If I connect to \\beer\www as user donald, which authenticates OK,
    I can read or write or delete files from the www share.

    I've spent a full day going through various permutations to the puzzle
    and cannot find a solution that only lets in the people I want to list.
    I either get nothing working, or everyone in the domain can
    connect and write!

    Please shed some light on this if anyone can.

    --Donald
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Trouble with restricting access and ads

    Check the folder permissions; remember the Linux file permissions are
    overridden on Samba file permissions.

  3. Re: [Samba] Trouble with restricting access and ads

    On Tue, 2008-01-29 at 23:00 -0400, D G Teed wrote:
    > We are migrating old FreeBSD machines to Redhat EL 5.
    >
    > On FreeBSD, we have previously used "valid users =" with success.
    > "valid users" was never a group, but always a list of user names like:
    > valid users = david joe henry
    >
    > Moving to Redhat Enterprise 5,


    [...]

    > Please shed some light on this if anyone can.


    Why do people never read release notes? :-D

    Since a few Samba versions back, the usernames must be fully qualified.

    In domain FOO with user Bar you set:
    valid users = FOO\Bar

    setting just valid users = Bar won't do it.


    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    Senior Software Engineer at Red Hat Inc.


  4. Re: [Samba] Trouble with restricting access and ads

    Hi,

    Thanks for this tip. I did get valid users = DOMAIN\user
    working today. I have also verified that someone authenticated
    in AD, but not in the parameter "valid users =", cannot get in.
    Great - this is what I expect...

    I've now learned that testing I can access it is only half the test.
    I should also test that I can't access it if the user is not listed.
    I wonder how many sites are out there with only "users = "
    and no valid keyword in front of it, running with a share
    open to anyone on ADS, as we were initially? I read this
    help tip in many forums - and it seems correct because
    when they half test it, they can get in.

    I consider it a serious bug that with nothing for a write list,
    read list, nor valid user parameter, samba defaults to write
    access merely by having AD authentication succeed.
    This is with 3.0.25 in Redhat Enterprise 5.

    Or would you say this is linked to a pam misconfiguration?

    We've got guest ok = no and public = no everywhere in smb.conf.

    I have this in my pam.d/samba :

    auth required pam_nologin.so
    auth sufficient pam_winbind.so use_first_pass
    auth required pam_deny.so
    account [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account required pam_permit.so
    password sufficient pam_winbind.so use_authtok
    password required pam_deny.so
    session required pam_limits.so

    --Donald
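    The two pitfalls raised in this thread (a share that only has "users =", which is a synonym for "username" and never restricts access, and "valid users" entries that are not DOMAIN\user qualified) can be caught by a simple config audit. This is an added example, not code from the thread or the Samba project; it assumes POSIX sh with awk, and the smb.conf it scans is a constructed sample.

```shell
#!/bin/sh
# Audit an smb.conf for shares open to any authenticated domain user.
# "users =" (alias of "username") does not restrict who may connect; only
# "valid users =" does, and on an ADS member the names must be DOMAIN\name
# (group forms @grp, +grp, &grp are accepted as-is).
# The sample smb.conf below is constructed for this example.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = BEER
   security = ADS

[www]
   path = /usr/local/www/www
   users = john todd greg alice
   writable = yes

[docs]
   path = /srv/docs
   valid users = BEER\john BEER\todd
   writable = yes

[legacy]
   path = /srv/legacy
   valid users = john todd
EOF

# Print one OPEN line per share lacking "valid users", and one UNQUALIFIED
# line per valid users entry that is a bare (non-domain) user name.
audit_smb_conf() {
    awk '
    function report() {
        if (section != "" && section != "global") {
            if (!has_valid) print "OPEN: [" section "] has no valid users (\"users =\" does not restrict)"
            n = split(valid_list, names, " ")
            for (i = 1; i <= n; i++)
                if (names[i] !~ /\\/ && names[i] !~ /^[@+&]/)
                    print "UNQUALIFIED: [" section "] valid user " names[i] " should be DOMAIN\\" names[i]
        }
    }
    /^[ \t]*\[.*\][ \t]*$/ { report(); section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section); has_valid = 0; valid_list = ""; next }
    /^[ \t]*valid users[ \t]*=/ { has_valid = 1; sub(/^[^=]*=[ \t]*/, ""); valid_list = $0 }
    END { report() }
    ' "$1"
}

audit_smb_conf "$SAMPLE_CONF"
```

Run it against /etc/samba/smb.conf instead of the sample to list the shares that still need a domain-qualified "valid users" line; then, as Donald notes, test both a listed and an unlisted domain account against each share.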
