Interesting challenge (for me at least)

Billy Crook billycrook at gmail.com
Thu Feb 25 20:28:26 CST 2010 

Is there a reason that the easy/simple solution of NOT integrating this
specific samba instance with AD wouldn't work?

Just add unix users by the same name of the AD users, smbpasswd -a them, and
have the users choose a new pwd for their samba access.

On mount, the client windows box will try auth w/ AD creds, fail, and ask
for a un/pw to use with samba.

The biggest problem I see is that the AD admin could trivially deploy
keylogger.  So look in to a one-time-password system.

You could additionally install openvpn on the centos box, and only run samba
on the vpn virtual nic.  Then no matter who has what windows credentials
they would also need vpn credentials.  This could be set up in an afternoon.

On Feb 25, 2010 11:17 AM, "Haworth, Michael A." <
Michael_Haworth at pas-technologies.com> wrote:

 This is most likely pretty elementary, but I wanted to bounce it off of
some people that know more than me and can point out any flaws in my very
weary logic before I do a concept presentation to my bosses:



I have a folder that has to be available on the network (currently Windows
with AD), but *must* be protected from unauthorized access (including access
by Domain Admins). Here is what I think a valid solution *could* be:



1.       Build up a CentOS box.

2.       Install and configure SAMBA to allow for sharing to windows
computers.

3.       Create a SAMBA share for the required folder (and sort out
auto-mount in case of a reboot).

4.       create two accounts - one to allow for Read/Write access to the
shared folder and one to allow for Read-only access

5.       Issue the account credentials to the manager of the folder (in this
case, out Export Compliance Officer) and then allow it to be that persons
problem to manage who knows the credentials.



I see this as a low stress, low cost, quick, and above all - easy - way to
deal with a potential compliance issue. The reason that we can not simply
use Active Directory to restrict access is that one of our Domain Admins is
a foreign national - if we were to place a 'deny access' on the folder, he
could remove it if he wished - and getting rid of AD or Windows is not an
option ATM, but it is still in process.



Any help from the list is greatly appreciated,

*Michael Haworth <michael_haworth at pas-technologies.com>***

Enterprise Systems Support Manager

*PAS Technologies Inc.*

D: (816) 556-5157

M: (816) 585-1033

F: (816) 556-5189



------------------------------
CONFIDENTIALITY NOTICE: This email message and any attachments are for the
sole use of the intended recipient(s) and may contain proprietary,
confidential, trade secret or privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited and may be a violation
of law. If you are not the intended recipient or a person responsible for
delivering this message to an intended recipient, please contact the sender
by reply email and destroy all copies of the original message.

_______________________________________________
KCLUG mailing list
KCLUG at kclug.org
http://kclug.org/mailman/listinfo/kclug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kclug.org/pipermail/kclug/attachments/20100225/31d48fc4/attachment.htm>

More information about the KCLUG mailing list