Samba share limited to only root



gniecka
08-May-2014, 12:13
Dear all,

I have one directory:

drwxr-xr-- 4 ndbadm sapsys 4096 May 7 12:38 auto_backupy

I have created a Samba share for it:

[backup]
path = /HANA_DATA/hana_backup/auto_backupy
read only = Yes
guest ok = yes
force group = sapsys


but everyone from a Windows host can browse it. How can I restrict this so that it asks for a username when someone tries to browse this share, and the only user will be root?

Regards
GN

jmozdzen
08-May-2014, 12:19
Hi GN,

> Dear all,
>
> I have one directory:
>
> drwxr-xr-- 4 ndbadm sapsys 4096 May 7 12:38 auto_backupy
>
> I have created a Samba share for it:
>
> [backup]
> path = /HANA_DATA/hana_backup/auto_backupy
> read only = Yes
> guest ok = yes
> force group = sapsys
>
> but everyone from a Windows host can browse it. How can I restrict this so that it asks for a username when someone tries to browse this share, and the only user will be root?

Well, you forced every access to use the group "sapsys"... and group "sapsys" has read/execute permission on the directory, so it's working as expected.

Not knowing the context, it is unclear if the following will really be helpful:

"Change the directory's ownership to user "root" and permissions to "700" - then only root will be allowed to access the directory."

Of course, this will then be a valid restriction for direct accesses (not via SaMBa), too.

Regards,
Jens

gniecka
08-May-2014, 12:30
Dear Jens,

This directory is the target directory for the HANA backup mechanism.
This backup script is run as the ndbadm user (sapsys group), and one of the limitations is that this backup directory must be owned by ndbadm.sapsys.

Another requirement is that this folder should be accessible/browsable from Windows hosts for particular users - that's why I have made a Samba share for Windows hosts - but I don't want to open this shared folder for everyone...

Regards
GN

jmozdzen
08-May-2014, 12:40
> Dear Jens,
>
> This directory is the target directory for the HANA backup mechanism.
> This backup script is run as the ndbadm user (sapsys group), and one of the limitations is that this backup directory must be owned by ndbadm.sapsys.
>
> Another requirement is that this folder should be accessible/browsable from Windows hosts for particular users - that's why I have made a Samba share for Windows hosts - but I don't want to open this shared folder for everyone...
>
> Regards
> GN

From smb.conf:

valid users (S)

This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

The current servicename is substituted for %S. This is useful in the [homes] section.

Note: When used in the [global] section this parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see local master, os level, domain master, preferred master) this option will prevent workstations from being able to browse the network.

Default: valid users = # No valid users list (anyone can login)

Example: valid users = greg, @pcusers

So setting "valid users = root" within the share definition should limit SaMBa access to the SaMBa user "root".

Regards,
Jens

gniecka
08-May-2014, 12:52
Jens,

I have tried this with no luck.
When I add
valid user = root
then I can't access this share from the Windows host at all...

Regards
GN

jmozdzen
08-May-2014, 13:03
Hi GN,

> Jens,
>
> I have tried this with no luck.
> When I add
> valid user = root
> then I can't access this share from the Windows host at all...

but you can log in to SaMBa as user root? Because the message seems to imply that you're trying to access as some different user, then are asked to provide new credentials, and these new credentials don't work as a valid username/password combo.

You of course need to limit access to a user that can access the SaMBa service...

Regards,
Jens

gniecka
08-May-2014, 13:23
Jens,

I have added a new user to Samba, cleared all stored passwords on the Windows host, and it works!

Thank you for support!
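
The configuration issue discussed in this thread, as an added example that is not part of the original posts: a small audit that reads an smb.conf and reports shares that accept guests or have no "valid users" list while "force group" hands every session the same file permissions. The share name backup_restricted, the user backupreader, the finding labels and the function names are constructed for illustration; backslash line continuations are assumed not to be used.

```python
import configparser

# Constructed sample: the share from the thread plus a restricted variant.
SAMPLE_SMB_CONF = """
[backup]
    path = /HANA_DATA/hana_backup/auto_backupy
    read only = Yes
    guest ok = yes
    force group = sapsys

[backup_restricted]
    path = /HANA_DATA/hana_backup/auto_backupy
    read only = Yes
    guest ok = no
    valid users = backupreader
    force group = sapsys
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.lower().split())

def audit_shares(text):
    """Return {share: [findings]} for shares open to more than a named list."""
    # [global] values act as share defaults; interpolation=None keeps
    # Samba macros such as %S literal instead of raising an error.
    cp = configparser.ConfigParser(default_section="global",
                                   interpolation=None, strict=False)
    cp.optionxform = _norm
    # Strip indentation so configparser does not treat it as continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    report = {}
    for share in cp.sections():
        sec, findings = cp[share], []
        # "public" is a synonym of "guest ok" in smb.conf.
        guest = any(sec.getboolean(k, fallback=False) for k in ("guestok", "public"))
        open_list = not sec.get("validusers", "").strip()
        if guest:
            findings.append("guest-ok-enabled")
        if open_list:
            findings.append("no-valid-users")
        if sec.get("forcegroup") and (guest or open_list):
            findings.append("force-group-for-all:" + sec["forcegroup"])
        if findings:
            report[share] = findings
    return report

if __name__ == "__main__":
    print(audit_shares(SAMPLE_SMB_CONF))
```

As the thread shows, the user named in "valid users" also needs a Samba account before the restricted share becomes reachable from the Windows host.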