Setting up a Share Using POSIX ACLs

From SambaWiki
= Introduction =


Samba supports shares with filesystem access control lists (ACLs) on Unix domain members; they enable you to manage permissions locally on the Samba host using UNIX utilities. The Unix file system must support extended attributes; where it does, you can use NFS4 ACLs, but on Linux you are limited to the withdrawn but still widely used POSIX draft ACLs to set multiple users and groups in ACLs. For details, see [[#Setting_Extended_ACLs|Setting Extended ACLs]].


{{Imbox
| type = note
| text = You are advised that a better option than POSIX draft ACLs is to use Windows ACLs, this will allow you to set up fine-granular ACLs. For details, see [[Setting_up_a_Share_Using_Windows_ACLs|Setting up a Share Using Windows ACLs]].
}}




Samba supports shares with POSIX draft ACLs on:
* Domain members
* NT4 PDC and BDCs
* Standalone hosts




{{Imbox
| type = important
| text = On a Samba Active Directory (AD) domain controller (DC), Windows ACL support is enabled globally, and therefore shares with POSIX ACLs are not supported. You must use Windows ACLs.
}}


= Preparing the Host =


Before you are able to create a share, set up Samba. For details, see:
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]]
* [[Setting_up_Samba_as_an_NT4_PDC_(Quick_Start)|Setting up Samba as an NT4 PDC (Quick Start)]]
* [[Setting_up_Samba_as_an_NT4_BDC|Setting up Samba as an NT4 BDC]]
* [[Setting_up_Samba_as_a_Standalone_Server|Setting up Samba as a Standalone Server]]








= Making Files Executable =


Using the default setting, users are only able to execute files, such as <code>*.exe</code> and <code>*.bat</code>, on a Samba share if they have the POSIX x-bit set. For example, the following file is executable for the <code>root</code> user and members of the <code>Domain Users</code> group:


-rw<u>x</u>r-<u>x</u>--- 1 root "Domain Users" 133160 1. Jan 00:00 /srv/samba/Demo/example.exe


In some scenarios it is necessary to enable users to execute all files on a share, regardless of whether the x-bit is set. To enable this, set the following in the <code>[global]</code> section or in a specific share section of your <code>smb.conf</code>:


acl allow execute always = yes


= Adding a Share =


To share the <code>/srv/samba/Demo/</code> directory using the <code>Demo</code> share name:


* Create the directory:


# mkdir -p /srv/samba/Demo/


* Add the <code>[Demo]</code> share definition to your <code>smb.conf</code> file:


[Demo]
path = /srv/samba/Demo/
read only = no


: These are the minimum parameters required to set up a writeable share. Optionally, you can set share permissions. For details, see [[#Setting_Share_Permissions|Setting Share Permissions]].


* Reload the Samba configuration:


# smbcontrol all reload-config



= Setting ACLs =

== Setting Standard UNIX permissions ==

The classic UNIX rights support setting permissions for one owner, one group, and everyone else (other). If you need to set multiple ACLs on a directory, see [[#Setting_Extended_ACLs|Setting Extended ACLs]].

For example, to set the owner of the <code>/srv/samba/Demo/</code> directory to <code>root</code>, grant read and write permissions to the owner and the <code>Domain Users</code> group, and deny access to all other users, enter:

# chmod 2770 /srv/samba/Demo/
# chown root:"Domain Users" /srv/samba/Demo/

{{Imbox
| type = note
| text = Setting the SGID bit (<code><u>2</u>770</code>) makes all new files and directories created inside the directory inherit the directory's group, instead of receiving the creating user's primary group.
}}

For further details about the permissions, see the <code>chmod(1)</code> and <code>chown(1)</code> man pages.



== Setting Extended ACLs ==

If your file system supports extended access control lists (ACLs), you can use [[NFS4_ACL_overview|NFS4 ACLs]], which allow you to store the same permission bits as Windows ACLs. On Linux, however, [[NFS4_ACL_overview|NFS4 ACLs]] are usually not supported; only the deprecated POSIX draft ACLs exist there. They also enable you to set permissions for multiple users and groups on a file or directory, similar to Windows or NFS4 ACLs but less precise. We'll look a bit closer at those here, even though we recommend running a Samba file server on a system that implements [[NFS4_ACL_overview|NFS4 ACLs]]. Linux POSIX draft ACLs are limited to the following general permission modes:
* None
* Read
* Write
* Full control

For example, to set read, write, and execute permissions for the <code>Domain Admins</code> group, read and execute permissions for the <code>Domain Users</code> group, and deny access to everyone else on the <code>/srv/samba/Demo/</code> directory:

* Add the <code>inherit acls = yes</code> and <code>map acl inherit = yes</code> parameters to the share's configuration. For example:
[Demo]
path = /srv/samba/Demo/
read only = no
map acl inherit = yes
inherit acls = yes
: The parameters influence the ACL inheritance of extended ACLs. For further details, see the parameter descriptions in the <code>smb.conf</code> man page.


* Reload Samba:

# smbcontrol all reload-config


* Verify that the directory is stored on a file system that supports extended ACLs. For details, see [[File System Support]].


* Disable auto-granting permissions for the primary group of user accounts:
# setfacl -m group::--- /srv/samba/Demo/
# setfacl -m default:group::--- /srv/samba/Demo/
: The primary group of the directory is additionally mapped to the dynamic <code>CREATOR GROUP</code> principal. If you use POSIX draft ACLs on a Samba share, this principal is automatically added and you cannot remove it. For further details about the <code>CREATOR GROUP</code> principal, see [https://support.microsoft.com/de-at/help/243330/well-known-security-identifiers-in-windows-operating-systems Well-known security identifiers in Windows operating systems].


* Set the permissions on the directory:


:* Grant read, write, and execute permissions to the <code>Domain Admins</code> group:
# setfacl -m group:"SAMDOM\Domain Admins":rwx /srv/samba/Demo/

:* Grant read and execute permissions to the <code>Domain Users</code> group:
# setfacl -m group:"SAMDOM\Domain Users":r-x /srv/samba/Demo/

:* Set permissions for the <code>other</code> ACL entry to deny access to users that do not match other ACL entries:
# setfacl -R -m other::--- /srv/samba/Demo/

: These settings are only applied to the directory itself. In Windows, this is converted to <code>This folder only</code>.

* To make new file system objects created in this directory inherit the same permissions set in the previous step, enter:

# setfacl -m default:group:"SAMDOM\Domain Admins":rwx /srv/samba/Demo/
# setfacl -m default:group:"SAMDOM\Domain Users":r-x /srv/samba/Demo/
# setfacl -m default:other::--- /srv/samba/Demo/

: With these settings, the <code>This folder only</code> mode for the principals changes to <code>This folder, subfolders, and files</code>.

The ACLs set in the previous steps are mapped to the following Windows ACLs:

{| class="wikitable"
!Principal
!Access
!Applies to
!Comments
|-
|SAMDOM\Domain Admins
|Full control
|This folder, subfolders, and files
|
|-
|SAMDOM\Domain Users
|Read & execute
|This folder, subfolders, and files
|
|-
|Everyone
|None
|This folder, subfolders, and files
|Samba maps the permissions for this principal from the UNIX <code>other</code> ACL entry.
|-
|''directory_owner'' (Unix User\''directory_owner'') *
|Full control
|This folder only
|Samba maps the owner of the directory to this entry.
|-
|''directory_primary_group'' (Unix User\''directory_primary_group'') *
|None
|This folder only
|Samba maps the primary group of the directory to this entry.
|-
|CREATOR OWNER *
|Full control
|Subfolders and files only
|On new file system objects, the creator automatically inherits the permissions of this principal.
|-
|CREATOR GROUP *
|None
|Subfolders and files only
|On new file system objects, the creator's primary group automatically inherits the permissions of this principal.
|}

<nowiki>*</nowiki> Configuring or removing these principals from the ACLs is only supported when using Windows ACLs. For details, see [[Setting up a Share Using Windows ACLs]].

For further details, see the <code>setfacl</code> man page.
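After running the <code>setfacl</code> steps above, it is worth confirming that the directory's ACL really matches the intended layout before exposing the share. The following is an added example (not code from the Samba wiki or the Samba project) that parses <code>getfacl(1)</code>-style output and checks the points this setup relies on: the SGID bit, the owning group and <code>other</code> entries being <code>---</code>, default entries mirroring the access entries, and the mask entry that <code>setfacl</code> adds automatically not silently cutting down the named groups' rights. The <code>getfacl</code> output below is constructed, not captured from a real host.

```python
import re
# getfacl escapes special characters in names as octal: space -> \040, backslash -> \134.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# Constructed sample of what `getfacl /srv/samba/Demo/` prints after the chmod/chown
# and setfacl steps above; the mask entries are added by setfacl itself.
SAMPLE_GETFACL = r"""
# file: srv/samba/Demo/
# owner: root
# group: Domain\040Users
# flags: -s-
user::rwx
group::---
group:SAMDOM\134Domain\040Admins:rwx
group:SAMDOM\134Domain\040Users:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:SAMDOM\134Domain\040Admins:rwx
default:group:SAMDOM\134Domain\040Users:r-x
default:mask::rwx
default:other::---
"""

def unescape(name):
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)

def perm_bits(perms):
    """'r-x' -> 5, using the usual r=4, w=2, x=1 encoding."""
    return sum(bit for ch, bit in zip(perms, (4, 2, 1)) if ch != "-")

def parse_getfacl(text):
    """Return (flags, access, default); the dicts map (tag, qualifier) -> permission bits."""
    flags, access, default = "---", {}, {}
    for line in text.splitlines():
        line = line.split("\t#")[0].strip()  # drop getfacl's '#effective:' annotations
        if line.startswith("# flags:"):
            flags = line.split(":", 1)[1].strip()
        if not line or line.startswith("#"):
            continue
        table = access
        if line.startswith("default:"):
            table, line = default, line[len("default:"):]
        tag, qualifier, perms = line.rsplit(":", 2)
        table[(tag, unescape(qualifier))] = perm_bits(perms)
    return flags, access, default

def check_acl(text, named_groups=("SAMDOM\\Domain Admins", "SAMDOM\\Domain Users")):
    """Return the deviations from the layout above; an empty list means the ACL is as intended."""
    flags, access, default = parse_getfacl(text)
    problems = []
    if len(flags) < 2 or flags[1] != "s":
        problems.append("SGID bit not set (chmod 2770): new objects will not inherit the group")
    for name, table in (("access", access), ("default", default)):
        if table.get(("group", ""), 7) != 0:
            problems.append(name + ": owning group entry is not --- (setfacl -m group::---)")
        if table.get(("other", ""), 7) != 0:
            problems.append(name + ": other entry is not --- (Everyone would get access)")
        mask = table.get(("mask", ""), 7)
        for group in named_groups:
            perms = table.get(("group", group))
            if perms is None:
                problems.append(name + ": no entry for group " + group)
            elif perms & mask != perms:  # the effective right is the entry ANDed with the mask
                problems.append(name + ": mask reduces the effective rights of group " + group)
    for group in named_groups:  # default entries must mirror the access entries
        if access.get(("group", group)) != default.get(("group", group)):
            problems.append("access and default entries differ for group " + group)
    return problems
```

To use it on a real host, feed the output of <code>getfacl /srv/samba/Demo/</code> to <code>check_acl</code>; the returned list names each deviation from the setup described in this section.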

= Setting Share Permissions =


''Optional'': Samba enables you to set permissions on each share which are validated when a user connects.


Access to the content on a share is controlled using file system access control lists (ACLs). For details, see [[#Setting_ACLs|Setting ACLs]].


== Configuring User and Group-based Share Access ==


Share-based access control enables you to grant or deny access to a share for certain users and groups. For example, to enable all members of the <code>Domain Users</code> group to access a share while access is denied for the <code>example_user</code> account, add the following parameters to the share's configuration:


valid users = +SAMDOM\"Domain Users"
invalid users = SAMDOM\example_user


The <code>invalid users</code> parameter has a higher priority than the <code>valid users</code> parameter. For example, if the <code>example_user</code> account is a member of the <code>Domain Users</code> group, access is denied for this account in the previous example.


For further details, see the parameter descriptions in the <code>smb.conf(5)</code> man page.
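As an added example (not Samba code) of the precedence rule just described, the following models how a share's <code>valid users</code> and <code>invalid users</code> lists are evaluated for a connecting user, so the effect of a share definition can be reasoned through before reloading smbd. The group memberships are a constructed table standing in for the winbind lookups smbd performs.

```python
# Constructed group memberships standing in for the winbind/NSS lookups smbd performs.
MEMBERSHIPS = {
    "SAMDOM\\example_user": {"SAMDOM\\Domain Users"},
    "SAMDOM\\alice": {"SAMDOM\\Domain Users", "SAMDOM\\Domain Admins"},
    "SAMDOM\\contractor": set(),
}

def entry_matches(entry, user, groups):
    """A list entry starting with '+' names a UNIX/domain group; anything else is a
    user name. Samba compares names case-insensitively."""
    if entry.startswith("+"):
        return entry[1:].lower() in {g.lower() for g in groups}
    return entry.lower() == user.lower()

def share_allows(user, valid_users=(), invalid_users=()):
    """Decide whether an authenticated user may connect to a share with these lists."""
    groups = MEMBERSHIPS.get(user, set())
    # 'invalid users' is checked first and overrides 'valid users'.
    if any(entry_matches(e, user, groups) for e in invalid_users):
        return False
    # An empty 'valid users' list (the default) admits every authenticated user.
    if not valid_users:
        return True
    return any(entry_matches(e, user, groups) for e in valid_users)

# The lists from the share definition above, with the quoting already resolved.
DEMO_VALID_USERS = ["+SAMDOM\\Domain Users"]
DEMO_INVALID_USERS = ["SAMDOM\\example_user"]
```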






== Configuring Host-based Share Access ==


Host-based access control enables you to grant or deny access to a share based on host names, IP addresses, or IP ranges. For example, to enable the 127.0.0.1 IP address, the 10.99.0.0/24 IP range, and the <code>GoodHost</code> host name to access a share, and additionally deny access for the <code>BadHost</code> host name, add the following parameters to the share's configuration:


hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost
hosts deny = BadHost


The <code>hosts deny</code> parameter has a higher priority than the <code>hosts allow</code> parameter. For example, if <code>BadHost</code> resolves to an IP address that is listed in the <code>hosts allow</code> parameter, access to this host is denied.


For further details, see the parameter descriptions in the <code>smb.conf(5)</code> man page.


----
[[Category:Active Directory]]
[[Category:Domain Members]]
[[Category:File Serving]]
[[Category:NT4 Domains]]

Latest revision as of 16:01, 16 June 2023
