Difference between revisions of "Setting up a Share Using POSIX ACLs"

From SambaWiki
Previous revision: m (Updated link)
Current revision: (Rewrote documentation. Clearer structure, more detailed examples/procedures)

Text of the previous revision:

= Introduction =

On every Samba host you can, as on any MS Windows OS, share a folder to make it accessible for other users. There's no difference if this host is a Samba [[Active_Directory_Domain_Controller|Active Directory Domain Controller]], a [[Setting_up_Samba_as_a_Domain_Member|Domain Member]] or a [[Setting_up_Samba_as_a_Standalone_Server|Standalone Server]]. File shares can be set up in two ways: to be [[Shares_with_Windows_ACLs|managed from Windows using Windows tools and ACLs]], or completely via smb.conf parameters and POSIX ACLs. The latter is described in this documentation.

'''Important note:''' Samba Active Directory Domain Controllers have extended ACL support enabled globally, to enable [[Shares_with_Windows_ACLs|management of share permissions and ACLs via Windows]]!

= Execute bit on files =

For details, see [[Updating_Samba#File_Execution_Permissions|File Execution Permissions]].

= Adding a new share =

* Create the folder that should be shared, if it doesn't already exist:

 # mkdir -p /srv/samba/Demo/

* Add a new share to your smb.conf. The following is the required minimum:

 [Demo]
 path = /srv/samba/Demo/
 read only = no

* Reload Samba:

 # smbcontrol all reload-config

= Setup share permissions (optional) =

As on MS Windows OS, you can define share permissions, which are validated directly when a user connects to a share. Share permissions are defined on each share individually. Samba needs to be reloaded/restarted if changes are made.

== User/group based share access ==

 [Demo]
 path = /srv/samba/Demo/
 read only = no
 valid users = +SAMDOM\"Domain Users"
 invalid users = +SAMDOM\"Demo Group" SAMDOM\foobar

The example above allows connection to the "Demo" share if the user is a member of the "Domain Users" group. Members of the "Demo Group" and the user "foobar" are not allowed to connect, even if they are part of "Domain Users". Where the lists conflict, the "invalid users" parameter has precedence!

== Host based share access ==

Contrary to MS Windows hosts, Samba is able to limit the access to a share to a list of IPs, subnets or hostnames.

 [Demo]
 path = /srv/samba/Demo
 read only = no
 hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost1

The above example allows access to the share only if the connection is initiated from 127.0.0.1, the subnet 10.99.0.0/24 or the host with the name "GoodHost1". Alternatively it is possible to deny hosts via

 hosts deny = BadHost1

If both parameters (allow/deny) are defined and the lists conflict, the "allow" parameter has precedence! For further information and examples, see the smb.conf man page.

= File system ACLs =

ACLs on POSIX enabled shares are set using the typical tools: "chmod", "chown" and "chgrp".

Example:

 # mkdir /srv/samba/Demo/Example/
 # chmod 2770 /srv/samba/Demo/Example/
 # chown foobar:"Demo Group" /srv/samba/Demo/Example/

These commands create a new folder in the root of the "Demo" share. The permissions (2770) define that only the owner "foobar" and the group "Demo Group" have read/write/execute permissions on the folder. You might have noticed that the SGID (setgid) bit was set on the folder. This means that all files and subfolders that will be created inherit the group ("Demo Group") instead of being set to the default group of the user doing the creation.

= Related documentation =

The following documentation discusses related topics:

* [[User_home_drives|Setting up home drives]]
* [[Implementing_roaming_profiles|Implementing Windows roaming profiles]]

Revision as of 15:57, 7 January 2017

Introduction

Samba enables you to create file shares using POSIX access control lists (ACL) on:

  • Domain members
  • NT4 PDC and BDCs
  • Standalone hosts

Important: On a Samba Active Directory (AD) domain controller (DC), extended ACL support is enabled globally and thus shares using POSIX ACLs are not supported. Samba AD DCs only support shares using Windows ACLs.

As an alternative to POSIX ACLs, you can set up shares using Windows ACLs. For details, see Setting up a Samba Share Using Windows ACLs.



Preparing the Host

Before you are able to create a share, set up Samba. For details, see:

  • Setting up Samba as a Domain Member
  • Setting up Samba as an NT4 PDC (Quick Start)
  • Setting up Samba as an NT4 BDC
  • Setting up Samba as a Standalone Server



Making Files Executable

Using the default setting, users are only able to execute files, such as *.exe and *.bat, on a Samba share if they have the POSIX x-bit set. For example, the following file is executable for the root user and members of the Domain Users group:

-rwxr-x--- 1 root "Domain Users" 133160 1. Jan 00:00 /srv/samba/Demo/example.exe

In some scenarios it is necessary to enable users to execute all files on a share, regardless of whether the x-bit is set. To enable this, set in the [global] section of your smb.conf:

acl allow execute always = yes



Adding a New Share

To share the /srv/samba/Demo/ folder using the Demo share name:

  • Create the folder:
# mkdir -p /srv/samba/Demo/
  • Add the [Demo] share definition to your smb.conf file:
[Demo]
       path = /srv/samba/Demo/
       read only = no
These are the minimum parameters required to set up a writeable share. Optionally, you can set share permissions. For details, see Setting Share Permissions.
  • Reload the Samba configuration:
# smbcontrol all reload-config



Setting POSIX ACLs on a Samba Share

To control access to folders on a share, use the operating system's own tools. For example, to set the owner of the /srv/samba/Demo/Example/ directory to root, grant read, write, and execute permissions to the owner and the Demo Group group, and deny access to all other users, enter:

# chmod 2770 /srv/samba/Demo/Example/
# chown root:"Demo Group" /srv/samba/Demo/Example/

Note: Setting the SGID bit (the leading 2 in 2770) makes every new file and directory created inside inherit the directory's group instead of the creating user's primary group.

For further details about the permissions, see the chmod(1) and chown(1) man pages.
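The following shell script is an added example and is not part of the SambaWiki page. It applies the chmod 2770 / chown step shown above to a directory and then checks what the SGID bit actually provides: a file and a subdirectory created inside must carry the directory's group, and the subdirectory must carry the SGID bit itself so the inheritance continues one level down. The demo() function runs on a throwaway directory owned by the current user so that it needs no root; the owner and group used there are assumptions for the demonstration, and GNU stat (the -c option) is assumed.

```shell
#!/bin/sh
# Added example, not from the SambaWiki page: apply the page's chmod 2770 /
# chown step to a share folder and verify the SGID inheritance it relies on.
# GNU stat (-c) is assumed; the owner/group used in demo() are assumptions so
# that the script runs without root.

set -u

# set_share_dir DIR OWNER GROUP
# Creates DIR if needed, then sets mode 2770 and OWNER:GROUP, exactly as the
# page does for /srv/samba/Demo/Example/ with root:"Demo Group".
set_share_dir() {
    mkdir -p "$1"
    chmod 2770 "$1"
    chown "$2:$3" "$1"      # a group with spaces stays one argument
}

# mode_of PATH: octal mode including the special bits, e.g. 2770
mode_of() { stat -c '%a' "$1"; }

# group_of PATH: group name of PATH
group_of() { stat -c '%G' "$1"; }

# check_sgid_inheritance DIR
# Creates a file and a subdirectory below DIR. Returns 0 only if both carry
# DIR's group (what the SGID bit is for) and the subdirectory carries the
# SGID bit itself, so the inheritance continues one level down.
check_sgid_inheritance() {
    dir=$1
    parent_group=$(group_of "$dir")
    : > "$dir/newfile"
    mkdir "$dir/newdir"
    [ "$(group_of "$dir/newfile")" = "$parent_group" ] || return 1
    [ "$(group_of "$dir/newdir")" = "$parent_group" ] || return 1
    case $(mode_of "$dir/newdir") in
        2*) return 0 ;;      # leading 2 = setgid bit set on the new directory
        *)  return 1 ;;
    esac
}

# demo: run the steps on a throwaway directory owned by the current user.
# On a real Samba host the arguments would be:
#   /srv/samba/Demo/Example root "Demo Group"
demo() {
    tmp=$(mktemp -d)
    set_share_dir "$tmp/Example" "$(id -un)" "$(id -gn)"
    echo "mode of Example: $(mode_of "$tmp/Example")"   # 2770
    if check_sgid_inheritance "$tmp/Example"; then
        echo "new entries inherit group $(group_of "$tmp/Example"): SGID works"
    else
        echo "SGID inheritance did not work on this filesystem"
    fi
    rm -rf "$tmp"
}

demo
```

The mode check on the subdirectory is the part worth keeping in a deployment script: if a share tree is created with plain 770 instead of 2770, new folders silently fall back to the creating user's primary group and the group-based access model breaks one level down.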



Setting Share Permissions

Optional: Samba enables you to set permissions on each share which are validated when a user connects.

Access to the content on a share is controlled using file system access control lists (ACLs). For details, see Setting POSIX ACLs on a Samba Share.


Configuring User and Group-based Share Access

Share-based access control enables you to grant or deny access to a share for certain users and groups. For example, to enable all members of the Domain Users group to access a share while access is denied for the example_user account, add the following parameters to the share's configuration:

       valid users = +SAMDOM\"Domain Users"
       invalid users = +SAMDOM\example_user

The invalid users parameter has a higher priority than the valid users parameter. For example, if the example_user account is a member of the Domain Users group, access is denied for this account in the previous example.

For further details, see the parameter descriptions in the smb.conf(5) man page.


Configuring Host-based Share Access

Host-based access control enables you to grant or deny access to a share based on host names, IP addresses, or IP ranges. For example, to enable the 127.0.0.1 IP address, the 10.99.0.0/24 IP range, and the GoodHost host name to access a share, and additionally deny access to the BadHost host name, add the following parameters to the share's configuration:

       hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost
       hosts deny = BadHost

The hosts deny parameter has a higher priority than the hosts allow parameter. For example, if the BadHost resolves to an IP address that is listed in the hosts allow parameter, access to this host is denied.

For further details, see the parameter descriptions in the smb.conf(5) man page.
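As an added example that is not from the SambaWiki page or the Samba project, the shell script below reads a share definition from an smb.conf and flags the three settings from the preceding sections that are easy to get wrong: a principal named in both valid users and invalid users (the page states that invalid users wins, so that principal is locked out), a host named in both hosts allow and hosts deny (the conflict is settled by precedence rather than by the order of the lines, so the entry belongs in one list only), and acl allow execute always = yes in [global], which makes files executable regardless of the x-bit. The smb.conf written by write_sample_conf is constructed for the demonstration, reusing the SAMDOM names from the page; the parser is deliberately simple (no include handling, no case folding of parameter names).

```shell
#!/bin/sh
# Added example, not from the SambaWiki page: lint an smb.conf share section
# for the access-control conflicts discussed on the page. The config written
# by write_sample_conf is constructed for this demonstration.

set -u

# conf_value FILE SECTION PARAM
# Prints the value of PARAM inside [SECTION]; the last occurrence wins, as in
# Samba. Prints nothing if the parameter is not set.
conf_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { sec = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", sec); next }
        sec == want {
            line = $0; sub(/^[[:space:]]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            name = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", name)
            if (name == key) { found = substr(line, eq + 1); sub(/^[[:space:]]+/, "", found) }
        }
        END { print found }' "$1"
}

# list_tokens "VALUE"
# Splits a Samba list value on whitespace and commas while honouring double
# quotes, so +SAMDOM\"Domain Users" stays one token. One token per line.
list_tokens() {
    printf '%s\n' "$1" | awk '{
        tok = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") { inq = !inq; continue }
            if (!inq && (c == " " || c == "\t" || c == ",")) {
                if (tok != "") print tok
                tok = ""
            } else {
                tok = tok c
            }
        }
        if (tok != "") print tok
    }'
}

# list_overlap "VALUE_A" "VALUE_B": prints every token of A that is also in B.
list_overlap() {
    b_tokens=$(list_tokens "$2")
    list_tokens "$1" | while IFS= read -r tok; do
        if printf '%s\n' "$b_tokens" | grep -Fqx -- "$tok"; then
            printf '%s\n' "$tok"
        fi
    done
}

# lint_share FILE SHARE: one line per finding, nothing for a clean config.
lint_share() {
    file=$1; share=$2
    list_overlap "$(conf_value "$file" "$share" 'valid users')" \
                 "$(conf_value "$file" "$share" 'invalid users')" |
    while IFS= read -r p; do
        printf '[%s] "%s" is in both valid users and invalid users: invalid users wins, access is denied\n' "$share" "$p"
    done
    list_overlap "$(conf_value "$file" "$share" 'hosts allow')" \
                 "$(conf_value "$file" "$share" 'hosts deny')" |
    while IFS= read -r h; do
        printf '[%s] "%s" is in both hosts allow and hosts deny: keep it in one list only\n' "$share" "$h"
    done
    if [ "$(conf_value "$file" global 'acl allow execute always')" = yes ]; then
        printf '[global] acl allow execute always = yes: files on every share are executable regardless of the x-bit\n'
    fi
}

# write_sample_conf FILE: constructed smb.conf with one conflict of each kind.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = SAMDOM
    acl allow execute always = yes

[Demo]
    path = /srv/samba/Demo/
    read only = no
    valid users = +SAMDOM\"Domain Users" SAMDOM\example_user
    invalid users = +SAMDOM\"Demo Group" SAMDOM\example_user
    hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost
    hosts deny = BadHost GoodHost
EOF
}

# Stand-alone demonstration: lint the constructed config and print findings.
demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    lint_share "$conf" Demo
    rm -f "$conf"
}

demo
```

Run lint_share against the real smb.conf after every change and before the smbcontrol reload; the three findings it prints for the constructed config correspond to the three precedence and execute-bit statements above, and a clean share definition prints nothing.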