topic Re: CIFS Valid Users issue in Operating System - HP-UX

CIFS Valid Users issue

Rob Marles — Thu, 24 Aug 2006 14:46:39 GMT

Hello

I need to create a share in which only a handfull of users can have r/w access.

Here's my sample smb.conf file:

[global] security = share
guest account = root
admin users = administrator
delete readonly = Yes
log file = /opt/samba/log/log.%m
max log size = 200
valid users = root
<-snip->
[dev]
path = /tmp/devshare
writable = Yes
guest ok = no
valid users = robm abdulai

I can access this dev share, however Abdulai cannot.

His unix/windows user accounts are a mirror of mine, so this should work for him as well.

Anyone have any advice as to how I can allow abdulai access as well?

Thanks.

Re: CIFS Valid Users issue

IT_2007 — Thu, 24 Aug 2006 14:50:45 GMT

did you check for typo's in the smb.conf file for abdulai? Is it all lowercase or first letter upper case?

Re: CIFS Valid Users issue

Rob Marles — Thu, 24 Aug 2006 14:55:22 GMT

Yes, abdulai is all lower case and there doesn't seem to be any spelling mistakes.

thanks.

Re: CIFS Valid Users issue

Don McCall_1 — Mon, 28 Aug 2006 05:18:02 GMT

So the user robm is able to get access to the 'dev' share, but the user abdulai is NOT, right - and they get an error message on the pc something like 'access denied'?
One thing that could be going wrong is permissions at the HP-UX level on the directory the share is pointing to. for instance does robm have read/execute access to that directory (either because he's the dir owner, or in a group that has access), but abdulai does NOT? this will cause access to a share to fail for a user. If your permissions (HPUX permissions) are wide open on the share (777) and you have at LEAST 'x' permissions on every directory down the path from / TO the share for everyone, then you will have to look elswhere: I would turn 'log level = 10' on in the smb.conf file, and then have abdulai try to do a net use r: \\servername\dev and then take a look at the resulting log file in /var/opt/samba/log.....
Look for what happens after the 'tconx' attempt.

The other thing to make sure of is that robm is actually getting access to the share as himself instead of 'root', or some other user: once you have accessed the share, copy a file to it, and look at the unix ownership, to make sure it's really 'robm' as the owner. Share level security is very buggy; and it tries everything it can to get you access to a share in any way it can. Since you have set guest = no, and a valid users parameter, I would NOT expect this, but you also have your guest user set to 'root' - which is highly unusual, and very scary, security wise. I would change this immediately. Finally, security = user or domain is much better if you can use it, that way you know exactly who is accessing your system, and they have to be authenticated with their username and password before accessing any shares.

Hope this helps.