Setting up a Share Using Windows ACLs: Difference between revisions
Mmuehlfeld (talk | contribs) m (moved Setup and configure file shares to Setup and configure file shares with Windows ACLs: Renaming the page, as I will add a second page, how to set up shares with classic (Posix) ACLs.) |
Mmuehlfeld (talk | contribs) (Add link to the POSIX share/ACL HowTo and a few minor changes across the page) |
||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
Samba allows you, since version 4, to do most share configuration via windows. In particular, the permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following |
Samba allows you, since version 4, to do most share configuration via windows, what is also the recommended way. In particular, the permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following documentation will give you an overview of how to manage shares. |
||
Please note, that it's also possible to [[Setup_and_configure_file_shares_with_POSIX_ACLs|configure shares and ACLs, using the classic way with POSIX ACLs and smb.conf parameters]]. |
|||
= Preparatory work = |
= Preparatory work = |
||
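Review bot: the rewritten introduction sentence reads "via windows, what is also the recommended way"; "what" does not work as a relative pronoun here and "Windows" is capitalised in the rest of the paragraph, so this should be "from Windows, which is also the recommended way". The added POSIX note would also read better without the stray commas: "Please note that it is also possible to configure shares and ACLs the classic way, using POSIX ACLs and smb.conf parameters."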
Line 17: | Line 23: | ||
== ACL support on member server == |
== ACL support on member server == |
||
The following is only required on Domain Member Servers and not on Domain Controllers! |
The following is only <u>required on Domain Member Servers and not on Domain Controllers</u>! |
||
* Add the following to your [global] section of your smb.conf: |
* Add the following to your [global] section of your smb.conf: |
||
Line 25: | Line 31: | ||
store dos attributes = Yes |
store dos attributes = Yes |
||
:This options are required on Member Servers, to enable the possibility for real windows ACLs. |
:This options are required on Member Servers, to enable the possibility for real windows ACLs. Domain Controllers have ACL support enabled globally by default! |
||
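Review bot: the note under the smb.conf options still begins "This options are required" and writes "windows ACLs" in lower case; since the line is being extended anyway, change it to "These options are required on Member Servers to enable real Windows ACLs." before the new sentence about Domain Controllers.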
Line 110: | Line 116: | ||
= Related |
= Related documentation = |
||
The following |
The following documentation treat topics, related on setting up file shares with special permissions or purposes: |
||
* [[Setting_up_a_home_share|Setting up a home share]] |
* [[Setting_up_a_home_share|Setting up a home share]] |
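Review bot: the new lead sentence under "Related documentation", "The following documentation treat topics, related on setting up file shares", has a subject-verb mismatch and the wrong preposition. Suggest "The following documentation covers topics related to setting up file shares with special permissions or purposes:".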
Revision as of 00:54, 15 June 2014
Introduction
Since version 4, Samba allows you to do most share configuration from Windows, which is also the recommended way. In particular, permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following documentation gives you an overview of how to manage shares.
Please note that it is also possible to configure shares and ACLs the classic way, using POSIX ACLs and smb.conf parameters.
Preparatory work
Filesystem support
To use the advanced features of Samba, it has to be compiled with ACL support (e.g. on RHEL, libacl-devel must be installed when compiling). You also need a filesystem with ACL and XATTR support that supports the "user" and "system" xattr namespaces.
XFS automatically supports ACLs. If you are using either ext3 or ext4 for your file system, you will need to include the options "user_xattr" and "acl" in your /etc/fstab entries. Example:
/dev/sda3 /srv/samba/Demo ext4 user_xattr,acl 1 1
ACL support on member server
The following is only required on Domain Member Servers and not on Domain Controllers!
- Add the following to the [global] section of your smb.conf:
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
- These options are required on Member Servers to enable real Windows ACLs. Domain Controllers have ACL support enabled globally by default!
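The two prerequisites above (the ext3/ext4 mount options in /etc/fstab and the three [global] settings on a member server) can be audited before any ACLs are set from Windows. The following is an added example, not part of the original wiki page; the function names and the sample files are constructed for illustration, and the smb.conf check only reads the file it is given (it does not follow include directives).

```shell
# Added example (not from the Samba wiki). Sample files below are constructed.

# Print mount points of ext3/ext4 entries in an fstab-format file that lack
# the "acl" or "user_xattr" option this page asks for.
fstab_missing_acl_opts() {
    awk '$1 !~ /^#/ && ($3 == "ext3" || $3 == "ext4") {
        n = split($4, o, ","); acl = 0; xattr = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "acl") acl = 1
            if (o[i] == "user_xattr") xattr = 1
        }
        if (!acl || !xattr) print $2
    }' "$1"
}

# Print each [global] setting from this page that is absent or not enabled.
# smb.conf names ignore case and whitespace, so keys are normalised first.
smbconf_missing_acl_opts() {
    awk '
    /^[ \t]*[#;]/ { next }                        # comment lines
    /^[ \t]*\[/ {                                 # section header
        s = tolower($0); gsub(/[ \t]/, "", s); in_g = (s == "[global]"); next
    }
    in_g && index($0, "=") {
        k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
        v = tolower(substr($0, index($0, "=") + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
        val[k] = v
    }
    END {
        if ((" " val["vfsobjects"] " ") !~ /[ \t,]acl_xattr[ \t,]/) print "vfs objects = acl_xattr"
        if (val["mapaclinherit"] !~ /^(yes|true|1)$/) print "map acl inherit = Yes"
        if (val["storedosattributes"] !~ /^(yes|true|1)$/) print "store dos attributes = Yes"
    }' "$1"
}

# Constructed sample input, written to a temporary directory.
demo=$(mktemp -d)
printf '%s\n' '/dev/sda2 /srv/old ext4 defaults 1 2' \
    '/dev/sda3 /srv/samba/Demo ext4 user_xattr,acl 1 1' > "$demo/fstab"
printf '%s\n' '[global]' 'vfs objects = acl_xattr' 'Map ACL Inherit = yes' \
    '[Demo]' 'path = /srv/samba/Demo/' 'read only = no' > "$demo/smb.conf"
fstab_missing_acl_opts "$demo/fstab"
smbconf_missing_acl_opts "$demo/smb.conf"
rm -rf "$demo"
```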
SeDiskOperatorPrivilege
- To configure share permissions, you need an account with "SeDiskOperatorPrivilege". To grant this privilege, e.g. to the "Domain Admins" group, run the following command on your server:
# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
- You can review existing privileges with:
# net rpc rights list accounts -Uadministrator
- Create a folder that you want to share
# mkdir -p /srv/samba/Demo/
- Add a new share to your smb.conf:
[Demo]
path = /srv/samba/Demo/
read only = no
- Reload Samba:
# smbcontrol all reload-config
- Log on to a Windows machine using an account that has been granted "SeDiskOperatorPrivilege", or an account in a group that has been granted the privilege.
- Open the Start Menu and search for "Computer Management".
- In the menu bar, go to "Action" / "Connect to another computer".
- Enter the name of the Samba server on which you created the new share.
- Navigate to "System Tools" / "Shared Folders" / "Shares" and select the newly added share.
- Right-click the share name and choose "Properties".
- Go to the "Share Permissions" tab. Here you can configure who can access the share and the appropriate permissions.
- Go to the "Security" tab, click the "Edit" button and configure the filesystem permissions.
- Save the changes by closing the windows with "OK".
- Log on to a Windows machine as Domain Administrator.
- Navigate to the folder whose permissions you want to change.
- Right-click the folder and choose "Properties".
- Go to the "Security" tab and click the "Edit" button.
- Change the permissions to your needs.
- Save the changes by closing the windows with "OK".
Related documentation
The following documentation covers topics related to setting up file shares with special permissions or purposes: