Samba Share Server Permission Help

carlosinfl · 07-14-2008, 01:57 PM

I have a single server on my LAN that is a Samba file server [10.1.1.199].

This machine has 2 shares. One is the "it" share which I want authentication on. I don't want anyone to be able to access and or browse this share unless you're a member of the "admin" group.

Then I have a second share which is called "perfwg" share which I want to be public and open to anyone (read or write).

Is this possible to do? Have one share authenticated and another share open?

Here is my smb.conf

Code:

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.

        security = user
        passdb backend = tdbsam


# A file share for the IDE I.T. Dept.
[it]
comment = I.T. Share
path = /share/it
public = no
writable = yes
browseable = yes
printable = no
create mask = 0770
directory mask = 0770
force group = admin

# A file share for the Performance WG.
[perfwg]
comment = Performance WG Share
path = /share/perfwg
public = yes
writable = yes
browseable = yes
printable = no
create mask = 0775
directory mask = 0775
security = share

I have the permissions for the /share folder that homes both the "it" & "perfwg" folders (shares)

Code:

[root@fback share]# ls -la
total 24
drwxrwx---  4 root admin 4096 Jul 14 14:30 .
drwxr-xr-x 24 root root       4096 Jul 11 10:58 ..
drwxrws---  6 root admin 4096 Jul 14 14:29 it
drwxrwxrwx  2 root root       4096 Jul 14 14:25 perfwg

Anyone know how to make this work?

allend · 07-15-2008, 08:35 AM

http://www.samba.org/samba/docs/man/...rols.html#ugbc

carlosinfl · 07-15-2008, 08:43 AM

Quote:

Originally Posted by allend

http://www.samba.org/samba/docs/man/...rols.html#ugbc

Thanks for the link. I am looking for the obvious entry to apply and I assume I need to add:

Code:

# A file share for the Performance WG.
[perfwg]
comment = Performance WG Share
path = /share/perfwg
public = yes
writable = yes
browseable = yes
printable = no
create mask = 0775
directory mask = 0775
guest ok = yes

Is that correct?

carlmarshall · 07-15-2008, 09:17 AM

Putting the line:

guest ok = yes

will allow anyone into the perfwg share without a password. However this will not stop authenticated users from accessing the it share. Add to the it share:

valid users = @itstaff

assuming that the I.T. staff are all members of the itstaff group, alternatively you can specify individuals e.g.:

valid users = fred mary joe ann

Carl.

carlosinfl · 07-15-2008, 09:46 AM

When I add the following to the perfwg share only:

guest ok = yes

I then restart Samba and when I try to access the share from a Windows XP machine, I am still prompted for a username & password.

I want the "perfwg" share to be an open share meaning that anyone w/o a shell account or an account on the Linux/Samba server can browse the share.
The "it" share however can only be accessed by people who have an actual Linux shell account on that box and also are members of the "admin" group.

Is this not possible?

carlmarshall · 07-16-2008, 03:50 AM

Here's how I have mine set which works fine and does what you seem to be after.

[public]
comment = Publicly Accessible Storage
path = /data/public
admin users = nobody
force user = allusers
force group = users
guest ok = yes

[private]
comment = Private Storage Area
path = /data/private
force user = allusers
force group = users
valid users = @admins

The system user "allusers" beolongs to the system group of "users" and has rwx rights on the /data directory and the 2 subdirectories.

System accounts for the administrators belong to the "users" and the "admins" group.

Make sure you add smbpasswds for the administrators of course.

I did notice one anomaly though. If a member of the admins group has the wrong password, they can't access the public area either.

Carl.

carlosinfl · 07-16-2008, 07:01 AM

I guess I am just not understanding this...

I have two shares. Both shares are located in the /share/ directory.

Code:

drwxrwxrwx  4 root     root       4096 Jul 14 14:30 .
drwxr-xr-x 24 root     root       4096 Jul 11 10:58 ..
drwxrws---  6 root     ctia_admin 4096 Jul 14 14:29 it
drwxrwxrwx  2 allusers users      4096 Jul 14 14:25 perfwg

Now when I try to access the share from a Windows XP machine as \\server\perfwg - I am prompted for a username & password still. The /share directory has 777 access even though it is owned by root:root. Then the perfwg share (public) also has 777 and is owned by a account I created "allusers:users".

I guess I am still missing something.