1
1
I have a Samba file server running, and I was wondering how I could make multiple user accounts that have different permissions. For example, at the moment I have a user, smbusr, but when I ssh to the share, I can read, write, execute, and even navigate out of the samba directory and do stuff on the actual computer. This is bad because I want to be able to give out my IP so friends/family can use the server, but I don't want them to be able to do just anything.
I want to lock the user in the samba share directory(and all the sub directories). Eventually I would like several profiles such as (smbusr_R, smbusr_RW, smbguest_R, smbguest_RW).
I also have a second question related to this, is SSH the best method to connect from other unix machines? What about VPN? Or simply mounting like this:
mount -t ext3 -o user=username //ipaddr/share /mnt/mountpoint
Is that mounting command above the same thing as a vpn? This is really confusing me.
Thanks for the help guys, let me know if you need to see any files, or need anymore information.
EDIT: Here is my samba share definition:
[SAMBA]
path = /samba
browseable = yes
guest ok = no
read list = smbusr_RO
write list = smbusr
EDIT2: Here is my entire smb.conf file:
Scriptonaut
Posted 2012-11-12T04:52:50.147
Reputation: 135
I changed it so now there are only two accounts, smbusr and smbusr_RO. I put my share definition in the main post, does that look alright?
I'm having permissions confusion now. What should I put for my create mask and directory mask if I want nobody besides root to be able to change permissions? Who should I make the owner of my samba share, and what group should I make it? Thanks – Scriptonaut – 2012-11-12T06:55:09.070
add smbuser to readlist as well. do your filesystem permissions give both groups the appropriate permissions as well? – Frank Thomas – 2012-11-12T08:22:14.717
I added my smb.conf file to the main post, could you look at it to see if there's anything preventing access?
I'm not quite sure what you mean by my filesystem permissions. I can't seem to even log in as root. Are there things I can try to do in case it is the filesystem permissions? – Scriptonaut – 2012-11-12T08:46:11.973
see edits above – Frank Thomas – 2012-11-12T21:55:39.440
What does the preceding 2 in the permissions mean? I'll try to implement this, thanks a lot :)
Also, why do I put the smbusr and smbusr_RO groups rather than the users themselves? – Scriptonaut – 2012-11-12T23:24:04.620
First off, I've been assuming smbusr is a group. is that not the case? if so you should really consider creating a group, adding whatever users you like to it and then replacing all refs to smbusr above to the group name. sorry for the confusion. the 2 indicates SetGid. when set on a directory, SetGid causes all newly created sub-directories to use the same group owner as the parent. otherwise the default owner is user:user and only that user would be able to access the folder, just all the group members. http://pubs.opengroup.org/onlinepubs/009695399/functions/setgid.html
– Frank Thomas – 2012-11-13T05:53:53.770I'm totally open to doing a group if it's better. What would be the advantages? Would it be merely that I could have multiple accounts under the same group?
Ah, I get it. Is the group smbusers already made for me? Is it already set up? Would there be any disadvantage by doing:
Also, at the moment write permissions are revoked once I go into a samba subdirectory I can write in samba, but even if I'm logged in as smbusr, I can't write in the sub dirs. – Scriptonaut – 2012-11-14T02:37:21.907
who is the owner/group on the folder? perhaps using setGID and setting up groups is more of a pain than your needs require. using samba to control your readonly restriction should work. I usually like to lock down the filesystem to match, but its not strictly required for only two users. as for 2770, did you create a group or use smbusers? are both users members? also who is the owner of \samba? the short of it is, to use 2770, both users would have to be either the owner, or in the owner-group. if not, smbuserRO would have to use the 'other' permissions (4 or 5). – Frank Thomas – 2012-11-14T07:27:23.210
Alright, I have it mostly figured out. I made a group smbusers, and my global settings look just like the ones in your main comment(except I also added my local account(scroty) to the invalid users). My [SAMBA] profile looks just like yours. The only thing I did different at this point is that for chmod I used 02770. – Scriptonaut – 2012-11-14T08:05:23.580
Here's my current problem(s). I'm able to mount the drive for smbusr, I can read and write in every folder/subfolder just like I intended. However, I can't seem to mount the drive using smbusr_RO. It just pops up another box and asks me to re enter my credentials. My second problem is, when I mount the drive in linux, I can't cd to the mount location without becoming root. Other than that everything works. Could you give me an email or other way to contact you so I can send you the IP address of the server? If you're willing, I'd like you to try to break in and see if I have any weak spots. – Scriptonaut – 2012-11-14T08:07:49.207
you can reach me temporarily at auto44259584@hushmail.com . please send the output of these commands: 'ls -al /samba', 'members smbusers' (you may have to install 'members'), 'testparm -s', 'groups smbuser', 'groups smbuser_RO'. that should be sufficient to get a good view of the problem. – Frank Thomas – 2012-11-14T15:49:23.267
I've responded to your email, but if you don't recieve it, check your spam filter. anyway, I'm happy to help at your pace, so let me know once you've run smbpasswd for smbuser_RO, and we'll pick up from there. Cheers. – Frank Thomas – 2012-11-15T19:27:07.223