Difference between revisions of "Setting up a Share Using POSIX ACLs"
Revision by Mmuehlfeld: Updated link
Revision by Mmuehlfeld: Rewrote documentation. Clearer structure, more detailed examples/procedures
Revision as of 15:57, 7 January 2017
Introduction
Samba enables you to create file shares using POSIX access control lists (ACL) on:
- Domain members
- NT4 PDC and BDCs
- Standalone hosts
Important: On a Samba Active Directory (AD) domain controller (DC), extended ACL support is enabled globally and thus shares using POSIX ACLs are not supported. Samba AD DCs only support shares using Windows ACLs.
As an alternative to POSIX ACLs, you can set up shares using Windows ACLs. For details, see Setting up a Samba Share Using Windows ACLs.
Preparing the Host
Before you are able to create a share, set up Samba. For details, see:
- Setting up Samba as a Domain Member
- Setting up Samba as an NT4 PDC (Quick Start)
- Setting up Samba as an NT4 BDC
- Setting up Samba as a Standalone Server
Making Files Executable
With the default settings, users can only execute files, such as *.exe and *.bat, on a Samba share if the file has the POSIX x-bit set. For example, the following file is executable for the root user and members of the Domain Users group:
-rwxr-x--- 1 root "Domain Users" 133160 1. Jan 00:00 /srv/samba/Demo/example.exe
In some scenarios it is necessary to enable users to execute all files on a share, regardless of whether the x-bit is set. To enable this, set the following in the [global] section of your smb.conf:
acl allow execute always = yes
The parameter is a share-level setting: in [global] it applies to every share on the host, while placing it in an individual share section limits it to that share. Where only a few files are affected, setting the x-bit on those files with chmod is the more targeted fix.
Adding a New Share
To share the /srv/samba/Demo/ folder using the Demo share name:
- Create the folder:
# mkdir -p /srv/samba/Demo/
- Add the [Demo] share definition to your smb.conf file:
[Demo]
        path = /srv/samba/Demo/
        read only = no
- These are the minimum parameters required to set up a writeable share. Optionally, you can set share permissions. For details, see Setting Share Permissions.
- Run testparm to verify that smb.conf still parses without errors, then reload the Samba configuration:
# smbcontrol all reload-config
Setting POSIX ACLs on a Samba Share
To control access to folders on a share, use the operating system's tools. For example, to set the owner of the /srv/samba/Demo/Example/ directory to root, grant read, write, and execute (traverse) permissions to the owner and the Domain Users group, and deny access to all other users, enter:
# chown root:"Domain Users" /srv/samba/Demo/Example/
# chmod 2770 /srv/samba/Demo/Example/
Note: Setting the SGID bit (2770) makes all new files and directories created below inherit the directory's group, instead of the creating user's primary group.
The group name must resolve on the host (for example through winbind; check with getent group) for chown to accept it.
For further details about the permissions, see the chmod(1) and chown(1) man pages.
Setting Share Permissions
Optional: Samba enables you to set permissions on each share, which are validated when a user connects.
Access to the content on a share is controlled using file system access control lists (ACL). For details, see Setting POSIX ACLs on a Samba Share.
Configuring User and Group-based Share Access
Share-based access control enables you to grant or deny access to a share for certain users and groups. For example, to allow all members of the Domain Users group to access a share while denying access to the example_user account, add the following parameters to the share's configuration:
valid users = +SAMDOM\"Domain Users"
invalid users = SAMDOM\example_user
The leading + restricts the name lookup to the UNIX group database, so it belongs in front of the group name only. Do not put it in front of a user account: an entry such as +SAMDOM\example_user is looked up as a group, never matches the user, and the intended deny silently has no effect.
The invalid users parameter has a higher priority than the valid users parameter. For example, if the example_user account is a member of the Domain Users group, access is denied for this account in the previous example.
For further details, see the parameter descriptions in the smb.conf(5) man page.
Configuring Host-based Share Access
Host-based access control enables you to grant or deny access to a share based on host names, IP addresses, or IP ranges. For example, you might expect the following parameters to allow the 127.0.0.1 IP address, the 10.99.0.0/24 IP range, and the GoodHost host name to access a share, and additionally to deny access to the BadHost host name:
hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost
hosts deny = BadHost
However, where the two lists conflict, hosts allow takes precedence, not hosts deny (see smb.conf(5)): if BadHost resolves to an address inside 10.99.0.0/24, it is still granted access. Samba evaluates the lists in the tcp_wrappers style: a client matching hosts allow is admitted, otherwise a client matching hosts deny is refused, and when both parameters are set a client matching neither list is admitted as well. With hosts allow set alone, clients not on the list are refused. To admit only the listed hosts while excluding one of them, use the EXCEPT keyword inside hosts allow (for example, hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost EXCEPT BadHost) and leave hosts deny unset.
For further details, see the parameter descriptions in the smb.conf(5) man page.
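The whole procedure on this page, from the directory permissions in Setting POSIX ACLs on a Samba Share to the share-level restrictions above, as an added shell example. It is not part of the Samba wiki page or of the Samba project. It assumes /etc/samba/smb.conf as the configuration file and reuses the page's placeholders (SAMDOM, Domain Users, example_user, GoodHost, BadHost); the function names, the owner argument and the --apply switch are this example's own. It differs from the page's fragments in two respects explained in the comments: the invalid users entry carries no + prefix, and the host restriction uses EXCEPT inside hosts allow rather than a separate hosts deny.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page or the Samba project.
# Assumptions: /etc/samba/smb.conf is the configuration file; SAMDOM, "Domain Users",
# example_user, GoodHost and BadHost are the page's placeholders; the function names,
# the owner argument and the --apply switch are this example's own.

# Create the share directory and apply the page's POSIX permissions: chown first,
# then mode 2770 (rwx for owner and group, nothing for others, SGID so new files
# and directories inherit the directory's group).
prepare_share_dir() {
    dir="$1"    # e.g. /srv/samba/Demo/Example
    owner="$2"  # e.g. root
    group="$3"  # e.g. "Domain Users"; must resolve via NSS (winbind) for chown to accept it
    mkdir -p "$dir" || return 1
    if getent group "$group" >/dev/null 2>&1; then
        chown "$owner:$group" "$dir" || return 1
    else
        echo "warning: group '$group' does not resolve via NSS, leaving ownership unchanged" >&2
    fi
    chmod 2770 "$dir"
}

# Print the share definition. Differences from the page's fragments:
#  - invalid users names the account without '+' (the '+' prefix forces a UNIX group
#    lookup, so '+SAMDOM\example_user' would never match and the deny would be ineffective);
#  - the host restriction uses EXCEPT inside hosts allow instead of a separate hosts deny,
#    because hosts allow takes precedence over hosts deny when both match a client.
share_definition() {
    name="$1"
    path="$2"
    cat <<EOF
[$name]
        path = $path
        read only = no
        valid users = +SAMDOM\\"Domain Users"
        invalid users = SAMDOM\\example_user
        hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost EXCEPT BadHost
EOF
}

# Append the share once, check that smb.conf still parses with testparm, and tell
# the running smbd processes to re-read it (the page's smbcontrol command).
install_share() {
    conf="$1"
    name="$2"
    path="$3"
    if grep -q "^\[$name\]" "$conf"; then
        echo "share [$name] already defined in $conf" >&2
        return 1
    fi
    share_definition "$name" "$path" >> "$conf" || return 1
    testparm -s "$conf" >/dev/null || return 1
    smbcontrol all reload-config
}

# Apply the page's layout only when explicitly asked; run as root on the Samba host.
if [ "${1:-}" = "--apply" ]; then
    prepare_share_dir /srv/samba/Demo/Example root "Domain Users"
    install_share /etc/samba/smb.conf Demo /srv/samba/Demo/
fi
```

Run the script with --apply as root on the Samba host; without the switch it only defines the functions, so the steps can be sourced and run one at a time. The duplicate-share check before appending prevents a second [Demo] section from silently overriding the first.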