Setting up a Share Using Windows ACLs
Revision as of 21:42, 26 February 2017
Introduction
Extended access control lists (ACL) enable you to set permissions on shares, files, and directories using Windows ACLs and applications. Samba supports shares using extended ACLs on:
- Domain members
- Active Directory (AD) domain controllers (DC)
- NT4 primary domain controller (PDC)
- NT4 backup domain controllers (BDC)
- Standalone hosts
As an alternative to extended ACLs, you can set up shares using POSIX ACLs. For details, see Setting up a Share Using POSIX ACLs.
Preparing the Host
You need to set up Samba before you are able to create a share. Depending on what type of Samba server you require, see:
- Setting up Samba as a Domain Member
- Setting up Samba as AD DC
- Setting up Samba as an NT4 PDC (Quick Start)
- Setting up Samba as an NT4 BDC
- Setting up Samba as a Standalone Server
File System Support
The file system on which the share is created must support:
- the user and system xattr name spaces
- extended access control lists (ACL)
For further details, see File system support.
Samba Extended ACL Support
To create a share with extended access control list (ACL) support, the smbd service must have been built with ACL support enabled. A Samba host working as an Active Directory (AD) domain controller (DC) always has extended ACL support enabled.
To verify that Samba has been built with ACL support, enter:
# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL
If no output is displayed, either:
- Samba was built using the --with-acl-support=no parameter, or
- the Samba configure script was unable to locate the required libraries for ACL support. For details, see Samba Dependencies Required to Build Samba.
Enable Extended ACL Support in the smb.conf File
To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually.
Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section.
For further details about the parameters, see the smb.conf(5) man page.
Granting the SeDiskOperatorPrivilege Privilege
Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure share permissions.
To grant the privilege to the Domain Admins group, enter:
# net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.
It is recommended to grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership.
To list all users and groups having the SeDiskOperatorPrivilege privilege granted, enter:
# net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter administrator's password:
SeDiskOperatorPrivilege:
 BUILTIN\Administrators
 SAMDOM\Domain Admins
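Because every holder of SeDiskOperatorPrivilege can rewrite share permissions, the list above is worth checking against an allow-list rather than just reading once. The script below does that; it is an added example, not code from the Samba wiki. It embeds the page's own listing as constructed input (one holder per line, as net prints it), the function names and the allow-list are my choices, and the grant_and_verify helper needs a live host with net(8) and is not run by the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the Samba wiki: audit who holds SeDiskOperatorPrivilege
# against an allow-list, so a grant to an extra account or group is noticed.
# The listing below is the page's own 'net rpc rights list' output, embedded as
# constructed input; function names and the allow-list are my choices.
set -eu

# Constructed copy of the listing shown on the page (one holder per line).
sample_rights_listing() {
    cat <<'EOF'
Enter SAMDOM\administrator's password:
SeDiskOperatorPrivilege:
 BUILTIN\Administrators
 SAMDOM\Domain Admins
EOF
}

# Print the holders of privilege $1 from a listing on stdin, one per line.
# A privilege header is a line starting in column 0 and ending in ':'; the
# holders follow it, indented.
privilege_holders() {
    awk -v hdr="$1:" '
        /^[^[:space:]].*:$/ { inpriv = ($0 == hdr); next }
        inpriv && NF > 0    { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, ""); print }'
}

# Compare the holders of privilege $1 with the approved principals given as the
# remaining arguments; print each unexpected holder and return 1 if any exist.
audit_privilege() {
    local priv=$1; shift
    local holders holder approved bad=0
    holders=$(privilege_holders "$priv")
    while IFS= read -r holder; do        # names contain spaces: split on newline only
        [ -n "$holder" ] || continue
        for approved in "$@"; do
            [ "$holder" = "$approved" ] && continue 2
        done
        printf 'unexpected holder of %s: %s\n' "$priv" "$holder"
        bad=1
    done <<EOF
$holders
EOF
    return "$bad"
}

# Live-host helper (not run by the demo): grant the privilege to a group, then
# re-list and confirm the group shows up. Needs net(8) and an account allowed
# to grant rights; net prompts for the password on each call.
grant_and_verify() {   # $1 = 'DOMAIN\Group', $2 = 'DOMAIN\admin-account'
    net rpc rights grant "$1" SeDiskOperatorPrivilege -U "$2"
    net rpc rights list privileges SeDiskOperatorPrivilege -U "$2" \
        | privilege_holders SeDiskOperatorPrivilege | grep -Fxq "$1"
}

# Demo against the constructed listing; on a live host replace
# sample_rights_listing with the net command shown on the page.
if sample_rights_listing | audit_privilege SeDiskOperatorPrivilege \
        'BUILTIN\Administrators' 'SAMDOM\Domain Admins'; then
    echo "SeDiskOperatorPrivilege holders match the allow-list"
fi
```

Run the audit from cron or a configuration check with the real net output piped in; a non-zero exit means someone was granted the privilege outside the group the page recommends, which is exactly the drift that group-based granting is meant to avoid.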
To share the /srv/samba/Demo/ directory using the Demo share name:
- As the root user, create the directory:
# mkdir -p /srv/samba/Demo/
- Add the [Demo] share definition to your smb.conf file:
[Demo]
        path = /srv/samba/Demo/
        read only = no
Further share-specific settings and file system permissions are set using the Windows utilities. Do not set additional share parameters, such as force user. Adding them to the share definition can prevent you from configuring or using the share.
- Reload the Samba configuration:
# smbcontrol all reload-config
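The host-side steps of this page (the [global] ACL settings and the minimal share definition) as one script that also checks its own work; this is an added example, not code from the Samba wiki. It writes a constructed smb.conf to a temporary file rather than touching the real one, the linted parameters are force user (the page's example) and force group (my addition), the server role check uses the smb.conf(5) value for an AD DC, the function names are mine, and the reload only runs when smbcontrol is installed and LIVE_RELOAD=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the Samba wiki: write the smb.conf fragments this page
# describes to a constructed config file, lint them for settings that conflict
# with Windows-managed ACLs, and reload Samba only when explicitly asked.
set -eu

# [global] settings that enable extended ACL support on a domain member or a
# standalone server. An AD DC already has them and must not get them again.
acl_global_settings() {
    cat <<'EOF'
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
EOF
}

# Minimal share definition: permissions are set from Windows, not in smb.conf.
share_definition() {   # $1 = share name, $2 = directory
    printf '[%s]\n        path = %s\n        read only = no\n' "$1" "$2"
}

# Return 0 if $1 is configured as an AD DC (server role value from smb.conf(5)).
is_ad_dc() {
    grep -Eiq '^[[:space:]]*server role[[:space:]]*=[[:space:]]*active directory domain controller' "$1"
}

# Return 0 if [global] in $1 carries the three settings, with acl_xattr loaded.
has_acl_globals() {
    local conf=$1 key
    for key in 'vfs objects' 'map acl inherit' 'store dos attributes'; do
        awk -v key="$key" '
            /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\]/) }
            insec && ($0 ~ ("^[[:space:]]*" key "[[:space:]]*=")) { found = 1 }
            END { exit found ? 0 : 1 }' "$conf" || return 1
    done
    grep -Eq '^[[:space:]]*vfs objects[[:space:]]*=.*acl_xattr' "$conf"
}

# Print parameters in section [$2] of $1 that must not be set on a share whose
# permissions are managed from Windows; return 1 if any are present.
# 'force user' is the example the page gives; 'force group' is my addition.
lint_share() {
    local conf=$1 share=$2 hits
    hits=$(awk -v sec="[$share]" '
        /^[[:space:]]*\[/ { line = $0; sub(/^[[:space:]]+/, "", line); insec = (line == sec); next }
        insec && $0 ~ /^[[:space:]]*force (user|group)[[:space:]]*=/ { print }' "$conf")
    [ -z "$hits" ] && return 0
    printf 'conflicting parameter(s) in [%s]:\n%s\n' "$share" "$hits" >&2
    return 1
}

# Write a constructed smb.conf (not a real host's file) to $1. With $2 = bad,
# add a 'force user' line to [Demo] so the linter has something to catch.
build_demo_conf() {
    local out=$1 variant=${2:-good}
    {
        printf '[global]\n        workgroup = SAMDOM\n        security = ADS\n'
        acl_global_settings
        printf '\n'
        share_definition Demo /srv/samba/Demo/
        if [ "$variant" = bad ]; then printf '        force user = root\n'; fi
    } > "$out"
}

# Demo run against the constructed file (no Samba installation needed).
demo_conf=$(mktemp)
build_demo_conf "$demo_conf" good
if is_ad_dc "$demo_conf"; then
    echo "AD DC: do not add the ACL globals by hand" >&2
elif has_acl_globals "$demo_conf"; then
    echo "[global] enables extended ACL support"
fi
lint_share "$demo_conf" Demo && echo "[Demo] carries no conflicting parameters"
# Reload the running smbd only on a live host and only when the caller asks.
if [ "${LIVE_RELOAD:-0}" = 1 ] && command -v smbcontrol >/dev/null 2>&1; then
    smbcontrol all reload-config
fi
rm -f "$demo_conf"
```

Point has_acl_globals and lint_share at the real smb.conf before reloading on a production host; the linter exits non-zero on a force user line, which is the case the page warns will leave the share unconfigurable from Windows.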
When you configure a share with extended access control lists (ACL) support, you set the share permissions using Windows utilities instead of adding parameters to the share section in the smb.conf file.
To set permissions and ACLs on the Demo share:
- Log on to a Windows host using an account that has the SeDiskOperatorPrivilege privilege granted.
- Click Start, enter Computer Management, and start the application.
- Select Action / Connect to another computer.
- Enter the name of the Samba host and click OK to connect the console to the host.
- Open the System Tools / Shared Folders / Shares menu entry.
- Right-click the share and select Properties.
- Select the Share Permissions tab and set the share permissions.
  - On a Samba share, you can omit the SYSTEM account in the file system ACLs. For details, see The SYSTEM Account.
  - Samba stores share permissions in the /usr/local/samba/var/locks/share_info.tdb database.
- Select the Security tab.
- Click the Edit button and set the file system ACLs on the share's root directory. For details where the ACLs are stored, see File System ACLs in the Back End.
- Click OK to close the Permissions for Demo window.
- Click OK to store the updated settings.
For further details about configuring share permissions and ACLs, see the Windows documentation.
Setting ACLs on a Folder
To set file system permissions on a folder located on a share that uses extended access control lists (ACL):
- Log on to a Windows host using an account that has Full control on the folder whose file system ACLs you want to modify.
- Navigate to the folder.
- Right-click the folder and select Properties.
- Select the Security tab and click the Edit button.
- Set the permissions.
  - On a Samba share, you can omit the SYSTEM account in the file system ACLs. For details, see The SYSTEM Account.
  - For details where the ACLs are stored, see File System ACLs in the Back End.
- Click OK to close the Permissions for Folder window.
- Click OK to store the updated settings.
For further details about setting ACLs, see the Windows documentation.
File System ACLs in the Back End
Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute. For example:
- To list the extended ACLs of the /srv/samba/Demo/ directory, enter:
# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
- To list the user.SAMBA_PAI extended attribute of the /srv/samba/Demo/ directory, enter:
# getfattr -d /srv/samba/Demo/
# file: srv/samba/Demo/
user.SAMBA_PAI=0sAgScBwAHAAABAAAAAAAAAAAAAAAC/////wABAAAAAAAAAAAAAAABEScAAAABECcAAAABAAAAAAAAAAAAAAAC/////wABAAAAAAAAAAAAAAMBEScAAAMBECcAAA==
The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:
Principal | Permissions | Applies to
---|---|---
Domain Users (SAMDOM\Domain Users) | Modify, Read & execute, List folder contents, Read, Write | This folder, subfolders and files
Domain Admins (SAMDOM\Domain Admins) | Full control | This folder, subfolders and files
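The getfacl listing above, parsed and presented the way the Security tab shows it (principal, rights, and the "applies to" scope derived from the default entries); this is an added example, not code from the Samba wiki. It embeds the page's getfacl output as constructed input, the function names are mine, and the rwx-to-Windows mapping is deliberately an approximation: POSIX bits alone cannot tell Modify from Full control (the table shows Domain Admins with Full control while getfacl shows rwx for both groups), so an audit of a Windows-managed share must also read the extended attribute rather than stop at getfacl.

```shell
#!/usr/bin/env bash
# Added example, not from the Samba wiki: read a getfacl listing and present each
# named principal the way the Windows Security tab does (rights plus the
# "applies to" scope derived from the default ACEs). Function names are mine.
set -eu

# The page's own getfacl output, embedded as constructed input so the script
# runs without a Samba share. On a live host: getfacl /srv/samba/Demo/ | summarize_acl
sample_getfacl() {
    cat <<'EOF'
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
EOF
}

# One line per named user/group on stdin: "type|name|perm|applies to".
# getfacl escapes spaces in names as \040, which is undone here. A principal
# whose default ACE carries the same bits as its access ACE applies to "this
# folder, subfolders and files"; one with no matching default ACE applies to
# "this folder only". Owner, owning group, mask and other entries are skipped.
summarize_acl() {
    awk -F: '
        /^#/ || NF < 3 { next }
        {
            isdef = ($1 == "default")
            type = isdef ? $2 : $1
            name = isdef ? $3 : $2
            perm = isdef ? $4 : $3
            if (name == "" || type == "mask" || type == "other") next
            gsub(/\\040/, " ", name)
            key = type "|" name
            if (isdef) def[key] = perm; else acc[key] = perm
        }
        END {
            for (key in acc) {
                scope = (key in def && def[key] == acc[key]) ? "this folder, subfolders and files" : "this folder only"
                print key "|" acc[key] "|" scope
            }
        }' | sort
}

# Rough Windows label for a POSIX rwx triple. Only an approximation: the bits
# cannot distinguish "Modify" from "Full control"; the exact Windows ACL is
# kept in the extended attribute, not in these bits.
posix_to_windows() {
    case "$1" in
        rwx) echo "Modify or Full control (check the extended attribute)" ;;
        r-x) echo "Read & execute" ;;
        r--) echo "Read" ;;
        ---) echo "no access (or a Deny entry)" ;;
        *)   echo "custom ($1)" ;;
    esac
}

# Demo on the constructed listing.
sample_getfacl | summarize_acl | while IFS='|' read -r type name perm scope; do
    printf '%-6s %-14s %s; %s\n' "$type" "$name" "$(posix_to_windows "$perm")" "$scope"
done
```

Feeding the same listing without its default: lines (a folder where inheritance was switched off in the Security dialog) makes every scope come out as "this folder only", which is the quickest way to spot a subfolder whose permissions have been detached from the share root.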
Troubleshooting
For troubleshooting, see: