Check if you have samba-docs installed. It includes the book "Samba 3 by Example".
My distro installs a pdf file: /usr/share/doc/packages/samba/Samba3-ByExample.pdf
Others install a postscript file. There is also a section in the "Samba3-HOWTO.pdf", also included with samba-docs, on using ldapsam. Chapter 10.4.4
According to Chapter 10 section 4.4.6 of Samba 3 by Example, Samba-3 group management is based on POSIX groups. Samba-3 does not support nested groups. If you search for samba.schema (locate samba.schema), you can find sample LDAP files. Also, do you have smbldap-tools installed? It also contains samba/ldap documentation. However, your question sounds more like a general samba question.
Yes, ark is a samba pdc using an LDAP backend and smbldap-tools to manage it. This smb.conf is not on the pdc; I made it on the file server which I want to authenticate against the pdc.
With this smb.conf it is working ok but I don't know how to test the authentication part.
When I log in to the pdc from a windows machine (I exist only on pdc) it shows me my share and I can do anything to that directory. Do you think with this configuration anybody can access it (is there a security issue)? The folders have only user rwx permissions.
[%U-doc]
comment = Document share only for official use
path = /vol1/%U
read only = No
guest ok = Yes
I don't think the guest ok = Yes is correct.
Look in your samba configuration useradd scripts. When a new user is added, I think that the samba useradd script should include a line like:
useradd -s /bin/false %U 2>/dev/null
Also check that each "username-doc" directory is created with 0700 permissions.
However, you are configuring a Domain Member Server as if it were a Domain Member Workstation client. I would recommend that you study Chapter 7 of the Samba3-ByExample.pdf document.
A dumb question. Isn't "password server =" an option used with "security = SERVER"?
I think it would be better if you used one of the ldap servers instead and based the configuration on the Domain Member Server examples in the Samba 3 by Example book. If you google for "IBM Redbook samba ldap" you may also come up with a couple of excellent IBM Red Books on Samba and/or LDAP.
The example I was referring to was for a Samba Member Server that used a different LDAP server for authentication. It was the main server for one of several sites. I think it was in the 500 host network example.
I was going to edit my last post, because I forgot to say that I'm glad that you got it working.
If you have a computer that is going to be replaced at your company (such as an old Pentium III desktop), you might want to use it as an experimental box and try different samba configurations, working on the examples.
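The two checks suggested in the replies above (no guest ok = Yes on the per-user share, 0700 on each "username-doc" directory), as an added example that is not part of the original thread. The function names and the [global] stanza in the sample are assumptions made up for illustration.

```python
import os
import stat

TRUE_VALUES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {share: {param: value}}; param names lowercased, spaces dropped."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares

def guest_shares(shares):
    """Shares allowing guest access ("public" is a synonym for "guest ok")."""
    flagged = []
    for name, params in shares.items():
        value = params.get("guestok", params.get("public", "no"))
        if name.lower() != "global" and value.lower() in TRUE_VALUES:
            flagged.append(name)
    return flagged

def loose_dirs(base):
    """(name, mode) for sub-directories of base whose mode is not 0700."""
    bad = []
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if entry.is_dir(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode != 0o700:
                bad.append((entry.name, oct(mode)))
    return bad

# Constructed sample: the share as posted in the thread, plus a made-up [global].
SAMPLE = """[global]
   workgroup = EXAMPLE
[%U-doc]
   comment = Document share only for official use
   path = /vol1/%U
   read only = No
   guest ok = Yes
"""

if __name__ == "__main__":
    print("guest-enabled shares:", guest_shares(parse_smb_conf(SAMPLE)))
```

To check the directories on the file server itself, call loose_dirs("/vol1") as a user who can read that path.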