HP3000-L Archives

December 2000, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Lars Appel <[log in to unmask]>
Reply To: Lars Appel <[log in to unmask]>
Date: Fri, 29 Dec 2000 19:42:52 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (58 lines)

>On-topic, but a little more chin-scratching-worthy:  If anyone is using
>"production" writeable Samba shares on MPE, what's your methodology for
>controlling access?

I'm mainly using the [homes] share template from the sample config, which
gives users access to their home directory (or home group in MPE speak) if
they can provide the proper password(s) in [userpw][,acctpw] syntax. This
gives pretty similar access as they would have by simply logging on in a
regular session.

Well, I typically tweak the default smb.conf slightly...

In the [homes] section I add "path = %H/.." and in the [global] section
I add "preserve case = yes" and "short preserve case = yes", the latter
two having nothing to do with security aspects. The former makes [homes]
map the users' account instead of MPE home group level, e.g. connecting
to \\my3000\operator.sys my PC can see all from /SYS down, with the MPE
groups looking like subdirectories. Read/write access is the same as if
I did a :hello operator.sys in that directory tree.

You can run /SAMBA/PUB/bin/smbstatus to see the network drive mappings
as well as the users that SMBD will switch to when accessing the files.

> ... But what if you want
>your entire Accounting department to be able to drop off some nasty old
>PC-generated files onto your pristine HP3K?

Well, the [homes] share essentially allows the same that a regular
session user could do with plain old file transfer (assuming his or
her session gets an MPE prompt). I'd strongly recommend users to
not use Samba to fiddle with non-bytestream files (the PC has no
idea how to use a KSAM or MSG file properly) and to be careful when
it comes to dragging files or directories into the waste basket or
pressing the DEL key too quickly...

So in some cases, it might be safer to restrict access for a user
to only a limited subdirectory inside his or her home account...

[playsafe]
  user = user.acct
  only user = yes
  guest ok = no
  write ok = yes
  path = /ACCT/GRP/subdir

Using the HFS subdirectory will also avoid the somewhat confusing
error messages of a PC user trying to create a file or directory
name inside the MPE group level that has more than 16 characters,
e.g. New_Text_Document.txt ;-)

You might want to comment-out the [homes] share in smb.conf if you
prefer to only allow access to explicitly declared shares (instead
of all home directories for all MPE users with an MPE home group).

Lars.

(I'd love to see shared experience from *real* Samba users, too)
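
An added example, not part of the original post: a small audit of smb.conf text that flags the two exposures the message describes, a live [homes] template (and a path that climbs above the home group) and writable shares that are not limited to named users the way [playsafe] is. The function names and finding strings are hypothetical, and the sample config is constructed from the settings quoted above.

```python
# Added example: audit smb.conf text; SAMPLE is constructed from the settings in the message.
SAMPLE = """\
[homes]
  path = %H/..
[playsafe]
  user = user.acct
  only user = yes
  guest ok = no
  write ok = yes
  path = /ACCT/GRP/subdir
"""

# Samba treats these parameter names as synonyms.
SYNONYMS = {"writeable": "writable", "writeok": "writable",
            "user": "username", "users": "username", "public": "guestok"}

def parse(text):
    """Return {share: {param: value}}; names are case- and space-insensitive."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            key = "".join(key.split()).lower()
            cur[SYNONYMS.get(key, key)] = val.strip()
    return shares

def yes(params, name):
    return params.get(name, "no").lower() in ("yes", "true", "1")

def audit(text):
    """List (share, finding) pairs for the exposures discussed in the message."""
    findings = []
    for name, p in parse(text).items():
        writable = yes(p, "writable") or p.get("readonly", "yes").lower() in ("no", "false", "0")
        if name == "homes":
            findings.append((name, "template share for every user with a home group"))
            if ".." in p.get("path", ""):
                findings.append((name, "path climbs above the home group"))
        elif name != "global" and writable:
            if yes(p, "guestok"):
                findings.append((name, "writable and guest ok"))
            if not (yes(p, "onlyuser") and p.get("username")):
                findings.append((name, "writable but not limited to named users"))
    return findings
```

Commenting out the `[homes]` header in the sample leaves no findings, since the orphaned `path` line is ignored and [playsafe] is pinned to one user.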
