Samba4/Ubuntu Shares Incorrectly Available to All Users

Posted by Dan on Server Fault
Published on 2012-10-31T10:16:47Z Indexed on 2012/10/31 11:02 UTC

I've got my Ubuntu server working with Samba4 and got it set up as the Primary domain controller on my network with AD and all that goodness.

However, I'm trying to get my Samba configuration to work with the users and groups I've defined with the Active Directory tools from Windows.

For instance, I've got a share X which I want users A and B (as part of the 'management' group, known as LLGrpManager in my setup) to see, but nobody else. However, after making changes to the configuration and restarting Samba, I test by connecting to the share with my Mac over Samba as user 'C', which isn't part of the management group, and I can, incorrectly, see the X share.

I've tried all sorts of combinations of specifying the group with no luck at all. I've got a feeling that my global config might be too lenient or something to do with file permissions, but being a bit green, I'm without a clue.

My /etc/samba/smb.conf

# Global parameters
[global]
    server role = domain controller
    server string = Office Server
    workgroup = LLDOMAIN
    realm = lldomain.local
    netbios name = DUMBO
    passdb backend = samba4
    logon path = \\%L\profiles\%U
    logon drive = L:
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ads
    domain logons = yes
    domain master = auto
    usershare allow guests = no
    valid users = %S

[netlogon]
    path = /var/lib/samba/sysvol/lldomain.local/scripts
    read only = no
    guest ok = no
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    guest ok = no
    valid users = @LLDOMAIN\LLGrpManager
[ShareX]
    path = /data
    comment = Entire Data Volume
    guest ok = no
    comment = Entire Data Volume
    guest ok = no
    valid users = @LLDOMAIN\LLGrpManager
    admin users = @LLDOMAIN\LLGrpManager
    browsable = no
    inherit acls = yes
    inherit permissions = yes
  ...

My /etc/nsswitch.conf

I've also instructed the system to use the nss winbind library when searching for users or groups by adding the stanza passwd and group in /etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Permissions on the folder in question

drwxrwxrwt   8 root root 4.0K Oct 28 19:11 data
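
An added example, not part of the original post: a small Python audit that reads an smb.conf like the one above and reports, for each share, which access-control parameters apply and whether each value is set on the share or inherited from [global]. The sample text is a trimmed, constructed copy of the posted config, and the function names (norm, parse, effective_access) are hypothetical.

```python
import re
# Constructed sample: a trimmed copy of the smb.conf from the post above.
SAMPLE = r"""
[global]
    valid users = %S
[netlogon]
    path = /var/lib/samba/sysvol/lldomain.local/scripts
[ShareX]
    guest ok = no
    guest ok = no
    valid users = @LLDOMAIN\LLGrpManager
    admin users = @LLDOMAIN\LLGrpManager
    browsable = no
"""
ACCESS_KEYS = ("valid users", "invalid users", "admin users", "guest ok", "browseable")
SYNONYMS = {"browsable": "browseable", "public": "guest ok"}  # smb.conf synonyms

def norm(key):
    """Lower-case a parameter name, collapse its whitespace, map synonyms."""
    key = " ".join(key.lower().split())
    return SYNONYMS.get(key, key)

def parse(text):
    """Return ({section: {param: value}}, [(section, param) assigned twice])."""
    sections, dupes, name, cur = {}, [], None, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            name = m.group(1).strip()
            cur = sections.setdefault(name, {})
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            if norm(key) in cur:
                dupes.append((name, norm(key)))
            cur[norm(key)] = value.strip()  # keep the later value
    return sections, dupes

def effective_access(sections):
    """Per share: access parameter -> (value, 'share' or 'global')."""
    glob = next((v for k, v in sections.items() if k.lower() == "global"), {})
    return {
        share: {k: (params[k], "share") if k in params
                else (glob[k].replace("%S", share), "global")  # %S = service name
                for k in ACCESS_KEYS if k in params or k in glob}
        for share, params in sections.items() if share.lower() != "global"
    }

if __name__ == "__main__":
    sections, dupes = parse(SAMPLE)
    print(effective_access(sections), dupes)
```

On the sample, [netlogon] sets no `valid users` of its own, so the report shows it inheriting the [global] value with `%S` expanded to the share name, while [ShareX] carries its own group restriction and a repeated `guest ok` line.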

© Server Fault or respective owner
