samba-users May 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] Restricting file server access by group

Re: [Samba] Restricting file server access by group

From: Alex McKenzie <alex_at_nospam>
Date: Tue May 18 2010 - 19:12:14 GMT
To: samba@lists.samba.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks -- the first two were useful, but only blocked samba. Which, to
be fair, is all I asked about.

Here's a third option, which will also block PAM:

In ldap.conf (on my system, running Ubuntu 8.04 LTS Server), modify the
following two lines:

1) pam_groupdn (group)

  In my case, this becomes:
pam_groupdn cn=schnell,ou=Biochemistry groups,ou=Biochemistry,dc=cns

2) pam_member_attribute (attribute)

In my case, it becomes:
pam_member_attribute memberUid

At that point attempts to log in with an LDAP user who isn't part of the
group returns:

You must be a memberUid of cn=schnell,ou=Biochemistry
groups,ou=Biochemistry,dc=cns to login.
Connection closed by 172.30.35.146

Samba returns that it cannot mount the share, or that the uid/password
combination is wrong.

In any case, I'm putting this up in case anyone else has seen the same
problem... I'd still like a way to restrict to multiple groups, but this
works for what I need now.

Thanks for all the help!

- -Alex

tms3@tms3.com wrote:
>
>
>
> On Tuesday 18/05/2010 at 8:46 am, Alex McKenzie wrote:
> This is for the same file server I wrote about earlier.
>
> I would like to restrict access by group, as defined in LDAP.
>> Two ways.
>
>> 1) First is at the share level, which is controlled by smb.conf and is
>> fairly similar to permissions on a share in Window$.
>
>> man smb.conf
>
>> "To restrict a service to a particular set of users you can use the
>> valid users parameter.
>
>> If any of the usernames begin with a '@' then the name will be
>> looked up first in the NIS netgroups list (if Samba is compiled
>> with netgroup support), followed by a lookup in the UNIX groups
>> database and will expand to a list of all users in the group of
>> that name."
>
>> Works with groups in ldap, if your posix box is setup correctly.
>
>> 2a) The second is to enable acls on your posix file system. If so, you
>> can use a Window$ workstation and the Administrator account to write M$
>> file permissions to the directories in the share.
>
>> 2b) Or if it is a very simple set up, merely use standard posix file
>> and directory permissions. For instance, say the samba share is
>> \\servername\chemlab and the posix path is /usr/home/samba/chemlab,
>> you could then simply do
>
>> chgrp -R CHEMLABGROUP /usr/home/samba/chemlab and chmod it to your
>> liking. (Where CHEMLABGROUP is a samba ldap group).
> The
> obvious solution is to add a filter to the login LDAP search that
> restricts to gidNumber=10038 or 10001, since those are the groups I
> need. From what I'm seeing, I need to add that to /etc/ldap.conf in the
> nss_base_ section, but how to do it isn't clear.
>
> Do I just enter it as a standard LDAP filter? In this case, I think I'd
> want (|(gidNumber=10038)(gidNumber=10001)), but it's really not clear
> the syntax really isn't clear from the file. Would it just be
>
> nss_base_passwd (|(gidNumber=10038)(gidNumber=10001))?one
>
>
> That's what it looks like, anyway... if anyone can give me an answer,
> or at least point me towards a good source of documentation on this, I'd
> appreciate it.
>
> Thanks,
> Alex McKenzie
- --
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvy5o4ACgkQWFYfIucpZ2MkeACfeDGnthp9QkLa1dO/Ili6b/bV
u9EAnR5NgmEFulopWl+QMx01++X1MLnf
=K9la
-----END PGP SIGNATURE-----
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba