
Samba with Active Directory

Coolmar
Esteemed Contributor

Hi,

I am fairly new to Samba in combination with Active Directory. I will try my best to get my question across...but I am finding it all pretty confusing.

We have a Windows Server being the primary domain controller and the "main" Advanced Server server. I have an HPUX system set up with Samba shares and DOMAIN security. There are users both on HPUX and the Windows side. So, there are folks on the Windows side that need to access the shares - however, I want to make the shares only accessible by those added to a specific group in Advanced Server (Windows side). The problem that I am having is that the shares seem to be accessible by everyone. So, is there a way to make a share accessible by certain groups only - and those groups are not the standard Unix groups in /etc/group, but the AS groups?

[global]
workgroup = abcd
netbios name = SERVERA
server string = Samba Server
security = DOMAIN
map to guest = Bad User
password server = 192.x.x.x
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
wins server = 10.117.10.40
short preserve case = No
dos filetime resolution = Yes

[LYRS]
comment = Layers for GIS
path = /lyrs

[NAIS]
comment = NAIS Spatial Information
path = /nais

[GIS]
comment = GIS Unit Access
path = /gis
guest ok = Yes
public = Yes

The first ones should only be accessible by the XYZ group and the third to all.

Thanks,
Sally
Geoff Wild
Honored Contributor

Re: Samba with Active Directory

Note - you need to put your server in SECURITY=ADS and use winbind...


Yes you can:

[LYRS]
comment = Layers for GIS
path = /lyrs
valid users = NTDOMAIN+groupid
force user = unixuser
force group = unixgroup

Don't add the + until you set up winbind!

See my thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Coolmar
Esteemed Contributor

Re: Samba with Active Directory

Thanks Geoff! I will give this a shot and see if it works. I just wanted to clarify the shares access. You said to add:

force user = unixuser
force group = unixgroup

So, by adding these two lines, only those belonging to the AS group xyz will be allowed to access? So in my case, I would only have to put "force group = xyz" because I only want to secure the share by the group only and not the user.

Thanks again,
S.
Geoff Wild
Honored Contributor
Solution

Re: Samba with Active Directory

Nope - the force user/group sets the permissions on the Unix side (if you need them).

force user (S)
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.


Actually, if you connect to your server with SWAT:

http://yoursambaserver:901

Enter root and root password - there is really good online documentation.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
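
Added example (not part of the thread and not anyone's posted config): a small Python check that reads smb.conf text and reports, per share, whether it is open to guests, limited by valid users, or open to any authenticated user, which is the state the original [LYRS] and [NAIS] shares were in. The sample config and the group name NTDOMAIN+xyz are constructed, and [global] values are treated as share defaults.

```python
import configparser

# Constructed sample based on the thread's shares. "NTDOMAIN+xyz" is a
# placeholder for the winbind-mapped AD group, not a value from the thread.
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User
log file = /var/opt/samba/log.%m

[LYRS]
path = /lyrs
valid users = NTDOMAIN+xyz
force group = unixgroup

[NAIS]
path = /nais

[GIS]
path = /gis
guest ok = Yes
public = Yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def audit_shares(conf_text):
    """Map each share to (status, valid_users) as smb.conf alone gates it."""
    # interpolation=None stops configparser choking on Samba macros like %m;
    # strict=False tolerates a parameter repeated within a section.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    # Share-level parameters set in [global] act as defaults for every share.
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    report = {}
    for name in (s for s in cp.sections() if s.lower() != "global"):
        sec = cp[name]
        get = lambda key: sec.get(key, glob.get(key, "")).strip()
        # "public" is a synonym of "guest ok". force user/group are not read:
        # they set the Unix identity after connect, not who may connect.
        guest = any(get(k).lower() in TRUE_VALUES for k in ("guest ok", "public"))
        valid = get("valid users")
        status = "guest" if guest else "restricted" if valid else "any authenticated user"
        report[name] = (status, valid)
    return report
```

The report covers only what smb.conf gates; Unix permissions on each share path still apply on top of it.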
Coolmar
Esteemed Contributor

Re: Samba with Active Directory

Thanks Geoff.