Re: RHEL 5 - Samba / Active Directory hide shares

westb · ‎10-05-2009

Does anyone have a decent solution for the following:

1. RHEL 5 using Active Directory.
2. Have multiple external sources (we'll call these companies) that access one samba server. These companies have their own unique shares.

How can I configure this so that each company cannot see the other companies shares ?

I'm not talking about the browsable option; I want users from each company to only see the shares that they are privileged to see.

I have experimented with setting this in smb.conf:
include=/etc/samba/include/smb.conf.per-user.%U

This basically uses a per-user smb.conf file. This does work but the problem is that this can be a management nightmare for a large number of users and shares.

There is supposed to be a similar group related option %G but it doesn;t seem to work.

Are multipled samba servers on one server the answer ?

Anyone have any ideas ?

Thanks,

BW.

Matti_Kurkela · ‎10-06-2009

I'd say you have a problem in your design.

Assumption: each company must not know the names of other companies' shares (otherwise, why hide them?)

Scenario: Company A requests you to generate a share named "projects" and gets it. Now Company B wants a share named "projects" too.
What do you do?

You cannot accept the request, because a share with that name already exists. But if you deny the request, you'll reveal to Company B the fact that the share exists and belongs to some other Company.

You have a namespace problem: if the companies are not supposed to have any knowledge of each other, each company must have an independent namespace of share names, otherwise you will eventually leak information between companies.

Multiple Samba servers on one physical server: the design of SMB/CIFS protocol is going to make this somewhat tricky, but it's certainly possible to do it. You will need separate IP addresses for each server instance.

MK

MK

westb · ‎10-06-2009

You have a valid point with the namespace thing, however, it would never be an issue since all shares have a unique prefix to the share.

Even if there was only one company why do users need to see shares they are not entitled to see ?

Steven E. Protter · ‎10-06-2009

Shalom,

I'd set groups, either in ADS or Samba and use one group per company. Each samba share may be visible, but not browseable, which meets the goal.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

westb · ‎10-06-2009

This is the alternative plan. I was hoping there was a better method.

Part of the problem is that there are multiple shares per company (with different permissions) and ideally, Users will want to and should be able to see all of the shares they are entitled to see.

The %U in smb.conf works really great as it runs a user specific smb.conf file; just not very practical for managing many users.

Thanks.

iinfi1 · ‎10-08-2009

hi there,
by companies do you mean multiple domains in Windows AD with trust relationship between.
a few months earlier a client of ours was looking for a similar solution. with help from members of this very forum (S Protter taking lead role) i was able to compile things and put it up here http://blog.palalinha.com/2009/04/integrate-linux-box-with-windows-ad.html

once you join the linux box to the windows AD you can assign file permissions using the native linux commands or through webmin which can also help you with file permissions thru ACLs.(i wud suggest you dont use KDE for the purpose coz i find its buggy). since a trust relationship exists betwn the domains you will be able to assign file permissions without any issues.

i would not say this is the best possible solution. but mite give you a few leads.

please let me know if this makes sense.
thanks

Re: RHEL 5 - Samba / Active Directory hide shares

RHEL 5 - Samba / Active Directory hide shares