[UniMacTech] "valid users" attribute for SMB shares with Leopard Server

Andrew Wellington andrew.wellington at anu.edu.au
Tue Apr 21 16:20:21 EST 2009


Mark (and Tony),

This is not how Leopard Server handles Samba shares. The new way is  
essentially this:

/etc/smb.conf
	Overall Samba configuration file. Includes the configuration files
	below. Can include site-specific customisations after final comment.
/var/db/smb.conf
	Auto-generated Samba configuration file containing items like
	hostname, workgroup etc, as well as any home directory share
	configuration
/var/samba/shares/*
	Configuration for other share points configured in server admin.
	Included from smb.conf using the usershares mechanism.

Both /var/db/smb.conf and /var/samba/shares/* will be overwritten by  
Apple's server administration tools with no regard for any local  
changes you may have made.

Because the defined shares are now made through the usershares
mechanism there is no real way of modifying them. This basically means
you have to either deal with this issue (there's no real security
problem with allowing people to connect but then not be able to do
anything, but maybe a usability one by it being presented as
available), or you have to define your shares manually in
/etc/smb.conf after the site specific configuration comment at the
bottom (or include another file there that has the configuration) and
ignore Server Admin's shares for this -- not a great solution either.

Regards,
Andrew

=======================================
Andrew Wellington
Mac OS X Systems Administrator
Systems & Desktop Services
Division of Information
R.G Menzies Building (Bldg #2)
The Australian National University
Canberra ACT 0200 Australia

T: +61 2 6125 7805
W: http://information.anu.edu.au/

CRICOS Provider #00120C


On 21/04/2009, at 3:48 PM, Tony Williams wrote:

> Mark,
>
> You should find a section for each of your Windows shares in
> smb.conf - there will be a line [sharename] and it is in that section
> that you will need to add a "valid users =" line with the name of
> the group that can mount the share, i.e. "valid users = @validgroup,
> @validgroup2, username1, username2".
>
> I don't have a 10.5 server up right here to check but that is  
> certainly the case on my 10.4 box.
>
> // Tony
>
> On Tue, Apr 21, 2009 at 3:15 PM, Mark Szota <mark.szota at infotech.monash.edu.au> wrote:
>> Hi folks
>>
>> I am setting up a couple of share points via Samba using Leopard  
>> Server, what I want to know is if I can add a Samba "valid users"  
>> attribute to some configuration file so that I can restrict shares  
>> to a particular user? As it stands I have all my shares set up, and
>> have the ACL's modified so that only the username I want can read &  
>> write to them. However other Samba users (who I want to access  
>> other SMB shares) can actually log in to a share, but then get a  
>> mount error because they don't have enough permissions to do  
>> anything. I have set the POSIX and ACL permissions this way to stop  
>> them from accessing or modifying anything. I have also set Service  
>> ACL's so that users I want can access the Samba service. This seems  
>> to be the best result I can get so far.
>>
>> What I would like is for them to not even be able to authenticate  
>> to an SMB share they should not have access to (rather than just  
>> getting a mount error), which from memory is what the "valid users"  
>> attribute will allow me to do. Do I need to do some voodoo magic  
>> with ACL's or POSIX permissions, or is there a way I can do what I  
>> want via GUI tools or at the command line? Or worse yet, have I  
>> missed something completely obvious ? :)
>>
>> The /etc/smb.conf file seems to be just a fairly generic template,  
>> there are no share-specific settings in it, so I assume they are  
>> stored in some other file, but I do not know where..
>>
>> Hope that makes sense!
>>
>> Cheers
>> Mark
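
An added example, not part of the original thread and not Apple's or Samba's code: a check for the workaround Andrew describes, listing hand-defined share sections in an smb.conf-format file that have no "valid users" restriction. It assumes ordinary [section] syntax, so it does not apply to the usershare files under /var/samba/shares/; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# List share sections that lack a non-empty "valid users" line.
# Samba ignores case and spaces in parameter names, so "Valid Users"
# and "validusers" are treated the same. An empty value means no
# restriction, so it is reported as well.
shares_without_valid_users() {
    awk '
        function report() { if (share != "" && !restricted) print share }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comments and blank lines
        /^[ \t]*\[/ {                            # section header
            report()
            share = $0
            sub(/^[ \t]*\[/, "", share)
            sub(/\].*$/, "", share)
            restricted = 0
            if (tolower(share) == "global") share = ""   # not a share
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", name)
            value = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "validusers" && value != "") restricted = 1
        }
        END { report() }
    ' "$@"
}

# Constructed sample input (share names, paths and groups are made up).
sample_conf() {
cat <<'EOF'
; constructed sample of manually defined shares
[global]
    workgroup = EXAMPLE
[staff]
    path = /Shares/staff
    Valid Users = @staffgroup, alice
[projects]
    path = /Shares/projects
[archive]
    path = /Shares/archive
    valid users =
EOF
}

sample_conf | shares_without_valid_users
```

Against a real server the function takes file names instead of standard input, for example shares_without_valid_users /etc/smb.conf.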




