Beyond the built-in users and home shares, which are user-centric, group shares can be generated. You will find below some reference data to help you fine-tune the settings and tailor the shared spaces to your needs. Proper permissions are obtained by tuning both the share level and the file system level and it can be very tricky. But there are three simple built-in template models to assist you in setting up group shares:
| the common workspace | all specified groups can read and write in the workspace | 
| the readers / writers workspace | all specified groups can read in the workspace but only one group has write permission | 
| the mail box workspace | all specified groups have write permission (though they cannot read the files back) but only one has read permission | 
REFERENCE from Samba 3 official documentation
| invalid users | (S) | Specifies a list of users that can connect to a share and that should not be allowed to login to this service. A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database. A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix). |
| valid users | (S) | Specifies a list of users that can connect to a share and should be allowed to login to this service. A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database. A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix). If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user. |
| guest ok | | If this parameter is set for a service, then no password is required to connect to the service. Privileges will be those of the guest account. |
| admin users | (S) | Specifies a list of users who will be granted administrative privileges on the share. They will do all file operations as the super-user (root). You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions. Default: NULL, no admin users. | 
| force group | (S) | Specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This option, sometimes called group, assigns a static group ID that will be used on all connections to a share after the client has successfully authenticated. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files. This assigns a specific group to each new file or directory created from an SMB client. Allowable values: a Unix group name. Sets the effective group name assigned to all users accessing a share. Used to override a user's normal group memberships. In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group. If the parameter is also set the group specified in force group will override the primary group set in force user. |
| force user | (S) | Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems. The force user option assigns a static user ID that will be used on all connections to a share after the client has successfully authenticated. This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This assigns a specific user to each new file or directory created from an SMB client. In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug). |
| read list | (S) | List of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the option is set to. The list can include group names using the syntax described in the parameter. Default: read list = <empty string> | 
| write list | (S) | List of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the option is set to. The list can include group names using the @group syntax. Note that if a user is in both the read list and the write list then they will be given write access. Default: write list = <empty string> | 
(S) The current servicename is substituted for %S

User and group-based controls can prove quite useful. In some situations it is distinctly desirable to affect all file system operations as if a single user were doing so. The use of the force user and force group behavior will achieve this. In other situations it may be necessary to effect a paranoia level of control to ensure that only particular authorized persons will be able to access a share or its contents. Here the use of the valid users or the invalid users may be most useful.

If you get an error message containing the string “Bad password”, then you probably have either an incorrect hosts allow, hosts deny or valid users line in your smb.conf, or your guest account is not valid. Check what your guest account is using testparm and temporarily remove any hosts allow, hosts deny, valid users or invalid users lines.
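As an added illustration (not taken from the Samba documentation or from this page's templates), the Python sketch below models the share-level decision described in the valid users, invalid users, read list and write list rows, applied to a readers / writers workspace. The share name, group names and memberships are constructed, and every '@', '+' or '&' entry is resolved against one in-memory group table instead of NIS or the UNIX group database.

```python
import configparser

# Constructed sample smb.conf section (share and group names are hypothetical).
SMB_CONF = """
[projects]
path = /srv/projects
valid users = @readers @writers
invalid users = mallory
read only = yes
write list = @writers
read list = trainee
"""

# Constructed group table standing in for the UNIX group / NIS netgroup lookups.
GROUPS = {"readers": {"alice", "mallory"}, "writers": {"bob", "trainee"}}


def in_list(user, value):
    """True if user matches an entry; '@', '+' and '&' prefixes name a group."""
    for entry in value.replace(",", " ").split():
        name = entry.lstrip("@+&")
        if name != entry:                       # prefixed entry: group lookup
            if user in GROUPS.get(name, set()):
                return True
        elif entry == user:                     # plain entry: user name
            return True
    return False


def access(share, user):
    """Return 'denied', 'read' or 'write' for user on one parsed share section."""
    if in_list(user, share.get("invalid users", "")):
        return "denied"                         # invalid users beats valid users
    valid = share.get("valid users", "")
    if valid and not in_list(user, valid):
        return "denied"                         # empty valid users admits anyone
    if in_list(user, share.get("write list", "")):
        return "write"                          # write list beats read list
    if in_list(user, share.get("read list", "")):
        return "read"
    return "read" if share.getboolean("read only", fallback=True) else "write"


def load(text):
    """Parse smb.conf-style text; interpolation is off so %S-style macros survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


if __name__ == "__main__":
    share = load(SMB_CONF)["projects"]
    for u in ("alice", "bob", "trainee", "mallory", "carol"):
        print(u, access(share, u))
```

The model covers the share level only; the mail box workspace additionally depends on file system permissions, which this sketch does not evaluate.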