
Re: RHEL 5 - Samba / Active Directory hide shares

 
westb
Advisor

RHEL 5 - Samba / Active Directory hide shares

Does anyone have a decent solution for the following:

1. RHEL 5 using Active Directory.
2. Have multiple external sources (we'll call these companies) that access one samba server. These companies have their own unique shares.

How can I configure this so that each company cannot see the other companies' shares?

I'm not talking about the browsable option; I want users from each company to only see the shares that they are privileged to see.

I have experimented with setting this in smb.conf:
include=/etc/samba/include/smb.conf.per-user.%U

This basically uses a per-user smb.conf file. This does work but the problem is that this can be a management nightmare for a large number of users and shares.

There is supposed to be a similar group-related option, %G, but it doesn't seem to work.

Are multiple Samba servers on one server the answer?

Anyone have any ideas ?

Thanks,

BW.
Matti_Kurkela
Honored Contributor

Re: RHEL 5 - Samba / Active Directory hide shares

I'd say you have a problem in your design.

Assumption: each company must not know the names of other companies' shares (otherwise, why hide them?)

Scenario: Company A requests you to generate a share named "projects" and gets it. Now Company B wants a share named "projects" too.
What do you do?

You cannot accept the request, because a share with that name already exists. But if you deny the request, you'll reveal to Company B the fact that the share exists and belongs to some other Company.

You have a namespace problem: if the companies are not supposed to have any knowledge of each other, each company must have an independent namespace of share names, otherwise you will eventually leak information between companies.

Multiple Samba servers on one physical server: the design of SMB/CIFS protocol is going to make this somewhat tricky, but it's certainly possible to do it. You will need separate IP addresses for each server instance.

MK
westb
Advisor

Re: RHEL 5 - Samba / Active Directory hide shares

You have a valid point with the namespace thing, however, it would never be an issue since all shares have a unique prefix to the share.

Even if there was only one company why do users need to see shares they are not entitled to see ?


Steven E. Protter
Exalted Contributor

Re: RHEL 5 - Samba / Active Directory hide shares

Shalom,

I'd set groups, either in ADS or Samba and use one group per company. Each samba share may be visible, but not browseable, which meets the goal.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
westb
Advisor

Re: RHEL 5 - Samba / Active Directory hide shares

This is the alternative plan. I was hoping there was a better method.

Part of the problem is that there are multiple shares per company (with different permissions) and ideally, Users will want to and should be able to see all of the shares they are entitled to see.

The %U in smb.conf works really great as it runs a user specific smb.conf file; just not very practical for managing many users.

Thanks.
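
One way to keep the per-user include approach discussed above manageable, as an added example that is not part of the original posts: generate the smb.conf.per-user.%U files from a group-to-share map instead of editing them by hand. The group names, users, share names and paths are constructed, and it assumes %U expands to the plain user name and that the company groups resolve as Unix groups on the server.

```python
import os
import re
import tempfile

# Constructed sample data (not from the thread): company groups, the shares each
# group may see, and group membership as it might be exported from the directory.
GROUP_SHARES = {
    "companya": {"companya_projects": "/srv/samba/companya/projects",
                 "companya_reports": "/srv/samba/companya/reports"},
    "companyb": {"companyb_projects": "/srv/samba/companyb/projects"},
}
GROUP_MEMBERS = {"companya": ["alice", "bob"], "companyb": ["carol", "bob"]}

# Refuse user names that could escape the include directory (e.g. "../x").
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

def render_user_conf(user):
    """Return the smb.conf fragment defining only the shares `user` is entitled to."""
    lines = []
    for group in sorted(GROUP_SHARES):
        if user not in GROUP_MEMBERS.get(group, []):
            continue
        for share, path in sorted(GROUP_SHARES[group].items()):
            # valid users restricts the share to the company group as well,
            # so access does not depend on the share being unlisted.
            lines += [f"[{share}]", f"   path = {path}",
                      f"   valid users = @{group}", ""]
    return "\n".join(lines)

def write_includes(outdir):
    """Write one smb.conf.per-user.<user> file per known user; return the paths."""
    written = []
    users = sorted({u for members in GROUP_MEMBERS.values() for u in members})
    for user in users:
        if not SAFE_NAME.match(user):
            raise ValueError(f"unsafe user name: {user!r}")
        path = os.path.join(outdir, f"smb.conf.per-user.{user}")
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(render_user_conf(user))
        os.replace(tmp, path)  # atomic swap: no half-written file is ever read
        written.append(path)
    return written

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in write_includes(d):
            print(os.path.basename(p))
```

Run from cron or after a membership change, with the output directory set to the one named in the include line; users with no entry simply get no file.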
iinfi1
Super Advisor

Re: RHEL 5 - Samba / Active Directory hide shares

Hi there,
By companies do you mean multiple domains in Windows AD with a trust relationship between them?
A few months earlier a client of ours was looking for a similar solution. With help from members of this very forum (S Protter taking lead role) I was able to compile things and put it up here: http://blog.palalinha.com/2009/04/integrate-linux-box-with-windows-ad.html

Once you join the Linux box to the Windows AD you can assign file permissions using the native Linux commands or through Webmin, which can also help you with file permissions through ACLs. (I would suggest you don't use KDE for the purpose because I find it's buggy.) Since a trust relationship exists between the domains you will be able to assign file permissions without any issues.

I would not say this is the best possible solution, but it might give you a few leads.

please let me know if this makes sense.
thanks