Setting up a Share Using POSIX ACLs

From SambaWiki
Jump to: navigation, search

Introduction

Samba enables you to create file shares using POSIX access control lists (ACL) on:

  • Domain members
  • NT4 PDC and BDCs
  • Standalone hosts

As an alternative to POSIX ACLs, you can set up shares using Windows ACLs. For details, see Setting up a Share Using Windows ACLs.



Preparing the Host

Before you are able to create a share, set up Samba. For details, see:



Making Files Executable

Using the default setting, users are only able to execute files, such as *.exe and *.bat, on a Samba share if they have the POSIX x-bit set. For example, the following file is executable for the root user and members of the Domain Users group:

-rwxr-x--- 1 root "Domain Users" 133160 1. Jan 00:00 /srv/samba/Demo/example.exe

In some scenarios it is necessary to enable users to execute all files on a share, regardless if the x-bit is set. To enable, set in the [global] section of your smb.conf:

acl allow execute always = yes



Adding a Share

To share the /srv/samba/Demo/ folder using the Demo share name:

  • Create the folder:
# mkdir -p /srv/samba/Demo/
  • Add the [Demo] share definition to your smb.conf file:
[Demo]
       path = /srv/samba/Demo/
       read only = no
These are the minimum parameters required to set up a writeable share. Optionally, you can set share permissions. For details, see Setting Share Permissions.
  • Reload the Samba configuration:
# smbcontrol all reload-config



Setting POSIX ACLs on a Samba Share

To control access to folders on a share, use the operating system-specific tools. For example, to set the owner of the /srv/samba/Demo/Example/ directory to root, grant read and write permissions to the owner and the Domain User group, and deny access to all other users, enter:

# chmod 2770 /srv/samba/Demo/Example/
# chown root:"Demo Group" /srv/samba/Demo/Example/

For further details about the permissions, see the chmod(1) and chown(1) man page.



Setting Share Permissions

Optional: Samba enables you to set permissions on each share which are validated when a user connects.

Access to the content on a share, is controlled using file system access control lists (ACL). For details, see Setting POSIX ACLs on a Samba Share


Configuring User and Group-based Share Access

Share-based access control enables you to grant or deny access to a share for certain users and groups. For example, to enable all members of the Domain Users group to access a share while access is denied for the example_user account, add the following parameters to the share's configuration:

       valid users = +SAMDOM\"Domain Users"
       invalid users = +SAMDOM\example_user

The invalid users parameter has a higher priority than the valid users parameter. For example, if the example_user account is a member of the Domain Users group, access is denied for this account in the previous example.

For further details, see the parameter descriptions in the smb.conf(5) man page.


Configuring Host-based Share Access

Host-based access control enables you to grant or deny access to a share based on host names, IP addresses, or IP ranges. For example, to enable the 127.0.0.1 IP address, the 10.99.0.0/24 IP range, and the GoodHost host name to access a share, and additionally deny access to the code>BadHost</code> host name, add the following parameters to the share's configuration:

       hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost
       hosts deny = BadHost

The hosts deny parameter has a higher priority than the hosts allow parameter. For example, if the BadHost resolves to an IP address that is listed in the hosts allow parameter, access to this host is denied.

For further details, see the parameter descriptions in the smb.conf(5) man page.