SambaWiki - User contributions: Setting up a Share Using POSIX ACLs (https://wiki.samba.org/index.php?title=Setting_up_a_Share_Using_POSIX_ACLs&diff=13890), revision of 2017-09-09T06:07:39Z by Johnsimcall: minor edit
<hr />
<div>= Introduction =<br />
<br />
Samba supports shares with POSIX access control lists (ACL). They enable you to manage permissions locally on the Samba host using UNIX utilities. If the file system of the share supports extended attributes, you can use extended POSIX ACLs to set multiple users and groups in ACLs - similar to Windows ACLs. For details, see [[#Setting_Extended_ACLs|Setting Extended ACLs]]. If you require the fine-grained Windows ACLs, set up a share using Windows ACLs instead. For details, see [[Setting_up_a_Share_Using_Windows_ACLs|Setting up a Share Using Windows ACLs]].<br />
<br />
Samba supports shares with POSIX ACLs on:<br />
* Domain members<br />
* NT4 PDC and BDCs<br />
* Standalone hosts<br />
<br />
{{Imbox<br />
| type = important<br />
| text = On a Samba Active Directory (AD) domain controller (DC), Windows ACL support is enabled globally, and therefore shares with POSIX ACLs are not supported.<br />
}}<br />
<br />
<br />
<br />
<br />
<br />
= Preparing the Host =<br />
<br />
Before you are able to create a share, set up Samba. For details, see:<br />
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]]<br />
* [[Setting_up_Samba_as_an_NT4_PDC_(Quick_Start)|Setting up Samba as an NT4 PDC (Quick Start)]]<br />
* [[Setting_up_Samba_as_an_NT4_BDC|Setting up Samba as an NT4 BDC]]<br />
* [[Setting_up_Samba_as_a_Standalone_Server|Setting up Samba as a Standalone Server]]<br />
<br />
<br />
<br />
<br />
<br />
= Making Files Executable =<br />
<br />
By default, users can only execute files, such as <code>*.exe</code> and <code>*.bat</code>, on a Samba share if the POSIX x-bit is set on the file. For example, the following file is executable for the <code>root</code> user and members of the <code>Domain Users</code> group:<br />
<br />
-rw<u>x</u>r-<u>x</u>--- 1 root "Domain Users" 133160 1. Jan 00:00 /srv/samba/Demo/example.exe<br />
<br />
In some scenarios it is necessary to enable users to execute all files on a share, regardless of whether the x-bit is set. To enable this, set in the <code>[global]</code> section of your <code>smb.conf</code>:<br />
<br />
acl allow execute always = yes<br />
<br />
<br />
<br />
<br />
<br />
= Adding a Share =<br />
<br />
To share the <code>/srv/samba/Demo/</code> directory using the <code>Demo</code> share name:<br />
<br />
* Create the directory:<br />
<br />
# mkdir -p /srv/samba/Demo/<br />
<br />
* Add the <code>[Demo]</code> share definition to your <code>smb.conf</code> file:<br />
<br />
[Demo]<br />
path = /srv/samba/Demo/<br />
read only = no<br />
<br />
: These are the minimum parameters required to set up a writeable share. Optionally, you can set share permissions. For details, see [[#Setting_Share_Permissions|Setting Share Permissions]].<br />
<br />
* Reload the Samba configuration:<br />
<br />
# smbcontrol all reload-config<br />
<br />
<br />
<br />
<br />
<br />
= Setting ACLs =<br />
<br />
== Setting Standard UNIX ACLs ==<br />
<br />
The standard access control lists (ACL) on a UNIX operating system support setting permissions for one owner, one group, and everyone else (other). If you need to set multiple ACLs on a directory, see [[#Setting_Extended_ACLs|Setting Extended ACLs]].<br />
<br />
For example, to set the owner of the <code>/srv/samba/Demo/</code> directory to <code>root</code>, grant read, write, and execute (search) permissions to the owner and the <code>Domain Users</code> group, and deny access to all other users, enter:<br />
<br />
# chmod 2770 /srv/samba/Demo/<br />
# chown root:"Domain Users" /srv/samba/Demo/<br />
<br />
{{Imbox<br />
| type = note<br />
| text = Setting the SGID bit (<code><u>2</u>770</code>) makes all new files and directories created inside the directory inherit the directory's group instead of the creating user's primary group.<br />
}}<br />
<br />
For further details about the permissions, see the <code>chmod(1)</code> and <code>chown(1)</code> man pages.<br />
<br />
<br />
<br />
== Setting Extended ACLs ==<br />
<br />
If your file system supports extended access control lists (ACL), you can use extended POSIX ACLs. They enable you to set permissions for multiple users and groups on a file or directory - similar to Windows ACLs. However, POSIX ACLs are limited to the following general permission modes:<br />
* None<br />
* Read<br />
* Write<br />
* Full control<br />
<br />
For example, to set read, write, and execute permissions for the <code>Domain Admins</code> group, read and execute permissions for the <code>Domain Users</code> group, and deny access to everyone else on the <code>/srv/samba/Demo/</code> directory:<br />
<br />
* Add the <code>inherit acls = yes</code> parameter to the share's configuration. For example:<br />
[Demo]<br />
path = /srv/samba/Demo/<br />
read only = no<br />
inherit acls = yes<br />
: The <code>inherit acls = yes</code> parameter enables ACL inheritance of extended ACLs. For further details, see the parameter description in the <code>smb.conf</code> man page.<br />
<br />
* Reload Samba:<br />
<br />
# smbcontrol all reload-config<br />
<br />
* Verify that the directory is stored on a file system that supports extended ACLs. For details, see [[File System Support]].<br />
<br />
* Disable automatically granting permissions to the primary group of user accounts:<br />
# setfacl -m group::--- /srv/samba/Demo/<br />
# setfacl -m default:group::--- /srv/samba/Demo/<br />
: The primary group of the directory is additionally mapped to the dynamic <code>CREATOR GROUP</code> principal. If you use extended POSIX ACLs on a Samba share, this principal is automatically added and you cannot remove it. For further details about the <code>CREATOR GROUP</code> principal, see [https://support.microsoft.com/de-at/help/243330/well-known-security-identifiers-in-windows-operating-systems Well-known security identifiers in Windows operating systems].<br />
<br />
* Set the permissions on the directory:<br />
<br />
:* Grant read, write, and execute permissions to the <code>Domain Admins</code> group:<br />
# setfacl -m group:"SAMDOM\Domain Admins":rwx /srv/samba/Demo/<br />
<br />
:* Grant read and execute permissions to the <code>Domain Users</code> group:<br />
# setfacl -m group:"SAMDOM\Domain Users":r-x /srv/samba/Demo/<br />
<br />
:* Set permissions for the <code>other</code> ACL entry to deny access to users that do not match other ACL entries:<br />
# setfacl -R -m other::--- /srv/samba/Demo/<br />
<br />
: These settings are only applied to the directory itself. In Windows, this is converted to <code>This folder only</code>.<br />
<br />
* To have the permissions set in the previous step inherited by new file system objects created in this directory, enter:<br />
<br />
# setfacl -m default:group:"SAMDOM\Domain Admins":rwx /srv/samba/Demo/<br />
# setfacl -m default:group:"SAMDOM\Domain Users":r-x /srv/samba/Demo/<br />
# setfacl -m default:other::--- /srv/samba/Demo/<br />
<br />
: With these settings, the <code>This folder only</code> mode for the principals changes to <code>This folder, subfolders, and files</code>.<br />
<br />
The ACLs set in the previous steps are mapped to the following Windows ACLs:<br />
<br />
{| class="wikitable"<br />
!Principal<br />
!Access<br />
!Applies to<br />
!Comments<br />
|-<br />
|SAMDOM\Domain Admins<br />
|Full control<br />
|This folder, subfolders, and files<br />
|<br />
|-<br />
|SAMDOM\Domain Users<br />
|Read & execute<br />
|This folder, subfolders, and files<br />
|<br />
|-<br />
|Everyone<br />
|None<br />
|This folder, subfolders, and files<br />
|Samba maps the permissions for this principal from the UNIX <code>other</code> ACL entry.<br />
|-<br />
|''directory_owner'' (Unix User\''directory_owner'') *<br />
|Full control<br />
|This folder only<br />
|Samba maps the owner of the directory to this entry.<br />
|-<br />
|''directory_primary_group'' (Unix User\''directory_primary_group'') *<br />
|None<br />
|This folder only<br />
|Samba maps the primary group of the directory to this entry.<br />
|-<br />
|CREATOR OWNER *<br />
|Full control<br />
|Subfolders and files only<br />
|On new file system objects, the creator automatically inherits the permissions of this principal.<br />
|-<br />
|CREATOR GROUP *<br />
|None<br />
|Subfolders and files only<br />
|On new file system objects, the creator's primary group automatically inherits the permissions of this principal.<br />
|}<br />
<br />
<nowiki>*</nowiki> Configuring or removing these principals from the ACLs is only supported when using Windows ACLs. For details, see [[Setting up a Share Using Windows ACLs]].<br />
<br />
For further details, see the <code>setfacl</code> man page.<br />
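The mapping table above in working form, as an added example that is not part of the original wiki page: it parses <code>getfacl</code> output for the share directory and reports the <code>Access</code> and <code>Applies to</code> values a Windows client would show for each principal, including the <code>This folder only</code> state you see before the <code>default:</code> entries are set. The <code>getfacl</code> text is constructed to match the ACLs set in the procedure; the <code>directory owner</code> and <code>directory primary group</code> labels are this example's own.<br />
<br />
```python
# Added example, not code from the Samba wiki page: parse `getfacl` output for the share
# directory and show how Samba presents each POSIX ACL entry to Windows clients, following
# the mapping table above. The getfacl text is constructed to match the procedure's ACLs.
GETFACL_OUTPUT = """\
# owner: root
# group: root
user::rwx
group::---
group:SAMDOM\\Domain Admins:rwx
group:SAMDOM\\Domain Users:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:SAMDOM\\Domain Admins:rwx
default:group:SAMDOM\\Domain Users:r-x
default:mask::rwx
default:other::---
"""
ACCESS_NAMES = {"rwx": "Full control", "r-x": "Read & execute", "---": "None"}
BOTH, ACCESS_ONLY, DEFAULT_ONLY = "This folder, subfolders, and files", "This folder only", "Subfolders and files only"
UNNAMED = {  # unnamed entries map to fixed principals; their default half becomes the CREATOR pair
    ("user", False): "directory owner", ("user", True): "CREATOR OWNER",
    ("group", False): "directory primary group", ("group", True): "CREATOR GROUP",
    ("other", False): "Everyone", ("other", True): "Everyone"}

def parse_getfacl(text):
    # Returns {False: access entries, True: default entries}; each maps (tag, qualifier) to perms.
    acls = {False: {}, True: {}}
    for line in text.splitlines():
        if line and not line.startswith("#"):  # skip blank lines and the '# owner:'-style header
            is_default = line.startswith("default:")
            tag, qualifier, perms = line.removeprefix("default:").rsplit(":", 2)  # qualifier may contain '\'
            acls[is_default][(tag, qualifier)] = perms
    return acls

def windows_view(text):
    # Maps each principal to [(Access, Applies to), ...] as the Windows security tab shows it.
    halves = {}  # principal -> {is_default: perms}
    for is_default, acl in parse_getfacl(text).items():
        for (tag, qualifier), perms in acl.items():
            if tag != "mask":  # the mask caps named entries but is not a principal
                name = qualifier or UNNAMED[(tag, is_default)]
                halves.setdefault(name, {})[is_default] = perms
    view = {}
    for name, p in halves.items():
        if p.get(False) is not None and p.get(False) == p.get(True):
            view[name] = [(ACCESS_NAMES.get(p[False], p[False]), BOTH)]
        else:  # a missing or differing half shows up as its own entry
            view[name] = [(ACCESS_NAMES.get(v, v), DEFAULT_ONLY if d else ACCESS_ONLY) for d, v in p.items()]
    return view
```

Running <code>windows_view(GETFACL_OUTPUT)</code> reproduces the table row by row; feeding it <code>getfacl</code> output taken before the <code>default:</code> entries exist yields <code>This folder only</code> for the named groups.<br />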
<br />
<br />
<br />
<br />
<br />
= Setting Share Permissions =<br />
<br />
''Optional'': Samba enables you to set permissions on each share that are validated when a user connects.<br />
<br />
Access to the content on a share is controlled using file system access control lists (ACL). For details, see [[#Setting_ACLs|Setting ACLs]].<br />
<br />
<br />
<br />
== Configuring User and Group-based Share Access ==<br />
<br />
Share-based access control enables you to grant or deny access to a share for certain users and groups. For example, to enable all members of the <code>Domain Users</code> group to access a share while access is denied for the <code>example_user</code> account, add the following parameters to the share's configuration:<br />
<br />
valid users = +SAMDOM\"Domain Users"<br />
invalid users = SAMDOM\example_user<br />
<br />
The <code>invalid users</code> parameter has a higher priority than the <code>valid users</code> parameter. For example, if the <code>example_user</code> account is a member of the <code>Domain Users</code> group, access is denied for this account in the previous example.<br />
<br />
For further details, see the parameter descriptions in the <code>smb.conf(5)</code> man page.<br />
<br />
<br />
<br />
== Configuring Host-based Share Access ==<br />
<br />
Host-based access control enables you to grant or deny access to a share based on host names, IP addresses, or IP ranges. For example, to enable the 127.0.0.1 IP address, the 10.99.0.0/24 IP range, and the <code>GoodHost</code> host name to access a share, and additionally deny access to the <code>BadHost</code> host name, add the following parameters to the share's configuration:<br />
<br />
hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost<br />
hosts deny = BadHost<br />
<br />
The <code>hosts deny</code> parameter has a higher priority than the <code>hosts allow</code> parameter. For example, if <code>BadHost</code> resolves to an IP address that is listed in the <code>hosts allow</code> parameter, access for this host is denied.<br />
<br />
For further details, see the parameter descriptions in the <code>smb.conf(5)</code> man page.<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:Domain Members]]<br />
[[Category:File Serving]]<br />
[[Category:NT4 Domains]]</div>Johnsimcall