Ubuntu – Samba setup for Windows domain access


Background:

I am setting up a Linux box for a local accounting office. The purpose of the box is to alleviate the threat of viruses that have access to the network via USB drives. Please keep in mind that this office needs the highest security possible. My configuration is attempting to leverage Samba to allow members of the already configured (and highly secure) Windows 2008 Server to access the Samba share. I have added the user name of each of the people who need to access the Linux box to the system but have not added passwords as the passwords on the Windows Server are required to change quite often. Attempting to manage a password database on the Linux box is to be avoided if at all possible.

Requirements:

  • No password authentication required for logged-in Windows users to access Samba share.
  • As little manipulation of current Windows security policies as possible.
  • All users who access the share should have full read and write permissions (execute is NOT necessary).

Problem:

Currently, all attempts to connect to the Samba server by unauthenticated users are met with an error on the Windows side saying "Access to the resource {insert IP address} has been disallowed." Samba is running with the following smb.conf file that I built from scratch:

[global]
    workgroup = {Windows Domain Name}
    server string = Removable Media Server
    security = share
[media]
    path = /media
    writable = yes
    browsable = yes
    guest ok = yes
    guest only = yes
    force directory mode = 0666
    force create mode = 0666

Samba version is 3.6.9. Samba's testparm command returns no errors. I have always restarted the Samba server after making changes to the Samba configuration.

What I have tried:

In smb.conf:

  • Setting security to user.
  • And just about every setting I have run across.

Other things of note:

The Samba share IS seen by the Windows domain and is actually accessible from a Windows administrator session.

One more thing: I am very new to Samba so please bear with me.

Best Answer

Well, the first thing I was going to suggest was to set:

security = domain

But then I saw this in the Samba doc's chapter on Domain Membership:

Currently, domain security in Samba does not free you from having to create local UNIX users to represent the users attaching to your server. This means that if domain user DOM\fred attaches to your domain security Samba server, there needs to be a local UNIX user fred to represent that user in the UNIX file system.

Is it feasible for you to set up an account for each user that will be connecting?

I've never set up a Samba share inside a Windows domain, but here's a link to the Samba doc on Domain Membership that I quoted above: Samba Domain Membership

Give the doc a look, and maybe it'll help you with what you need to do.
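
As an added example (not part of the question or the answer, and not Samba's own tooling), this Python script parses the smb.conf posted in the question and flags the settings that work against the stated security goal: share-level security, guest-mapped connections, and forced world-writable modes. The `parse` and `audit` helpers are hypothetical names, and the set of checks is an assumption about what to flag, not a complete Samba audit.

```python
# Added example: SMB_CONF is the configuration from the question, embedded as sample input.
SMB_CONF = """\
[global]
    workgroup = {Windows Domain Name}
    server string = Removable Media Server
    security = share
[media]
    path = /media
    writable = yes
    browsable = yes
    guest ok = yes
    guest only = yes
    force directory mode = 0666
    force create mode = 0666
"""
TRUE = {"yes", "true", "1"}  # boolean spellings smb.conf accepts for "on"

def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return (section, parameter, finding) tuples for the settings discussed here."""
    findings = []
    if conf.get("global", {}).get("security", "").lower() == "share":
        findings.append(("global", "security", "share-level security: no per-user identity"))
    for name, share in conf.items():
        # "public" is a synonym for "guest ok"
        for key in ("guest ok", "public", "guest only"):
            if share.get(key, "").lower() in TRUE:
                findings.append((name, key, "connections are mapped to the guest account"))
        # forced modes are ORed onto every new file or directory
        for key in ("force create mode", "force directory mode"):
            if key in share and int(share[key], 8) & 0o002:
                findings.append((name, key, "forces the world-writable bit"))
    return findings

if __name__ == "__main__":
    for section, key, finding in audit(parse(SMB_CONF)):
        print(f"[{section}] {key}: {finding}")
```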
