Old 01-10-2006, 08:33 PM   #1
essdeeay
Member
 
Registered: Aug 2004
Location: United Kingdom
Distribution: Gentoo, FC5
Posts: 87

Rep: Reputation: 15
Help needed with Fedora/Samba/User-level security


Hello

I have 8 Windows machines, all of which have a copy of their critical files (My Documents and a few others) stored on the Fedora server. I use a Windows rsync client (cwRsync) to perform the copy each night.

As this is a small company and everyone is trusted, I've just configured samba with security level 'share', and made the samba guest user the owner of all the directories that are shared.

Recently, someone started prying through confidential files and I need to limit access to some files on the server while still allowing certain users to see them.

1. I don't know how to set up ACLs or even how to see if it's possible with my installation.

2. I don't know if I can do this through samba, but when I tried setting the security level to 'user', even though all the shares are public and writeable, I was not able to supply the correct username/password when trying to connect from a Windows machine.

All in all I'm very confused. What I need to do is allow everyone access to most shares, and some people access to all shares. What is the best way to do this?

Kind regards,
Steve
 
Old 01-12-2006, 01:31 AM   #2
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: FC11 2.6.29.4-167.fc11.i686.PAE
Posts: 1,370

Rep: Reputation: 69
Quote:
Originally Posted by essdeeay
Hello

1. I don't know how to set up ACLs or even how to see if it's possible with my installation.

2. I don't know if I can do this through samba, but when I tried setting the security level to 'user', even though all the shares are public and writeable, I was not able to supply the correct username/password when trying to connect from a Windows machine.
Hi

Set the security level to user. Then, you'll need to define users and passwords for Samba. Note that these usernames must already exist as Linux users on that particular machine. I.e., to create a Samba user called "abc", a user called "abc" must also already exist on the Linux machine. This means that for each Samba user of the fileserving machine, you'll need to create a Linux user before creating the Samba user. I'm not sure, but I also think you will have needed to compile Samba with MySQL when installing it for this to work. I did, and the steps below work fine for me for restricting a certain user to only a certain directory. As for individual file restrictions, I'm not sure how you do that. Here goes (for directory security):

Steps:

1. Set security in the smb.conf to user.
2. Create the username of the user you want to give access to the Samba machine from Windows, by doing the below in an xterm on the Linux machine:

useradd testuser
passwd testuser

Set the Linux password for that user in the passwd step. For Samba-only access, I usually just repeat the username with a 1 after it.

Now, create the Samba user for testuser.

Steps:

1. smbpasswd -a testuser
2. Type the password and confirm.
3. smbpasswd testuser
4. Type the password and confirm again.

Now you'll need to configure the directory this user has access to, by adding a share definition in the smb.conf file. For testuser, put in smb.conf:

[TESTUSER_HOME]
path = /home/testuser
strict locking = no
blocking locks = yes
fake oplocks = yes
guest ok = no
writeable = yes
create mode = 0777
directory mode = 0777
browseable = yes
public = no
username = testuser
read list = testuser
write list = testuser
valid users = testuser

Remember to restart samba so the new user level security settings take effect. Do this by going

killall nmbd
killall smbd
smbd -D
nmbd -D

as root after the above steps.

Now, after a few minutes all users should see testuser_home on their Network Neighbourhood in XP. If anybody clicks on it, Windows will ask for their username and password. Anybody who typed in the username and password you allocated above in the smbpasswd step will have access to /home/testuser, anybody who does not will be refused. Note that usernames and passwords in this step are case sensitive, even though the user is in Windows, which is case insensitive.

The reason you were not able to supply the correct username and password that you refer to in your post above, when just setting security = user in smb.conf, was that the usernames and passwords did not exist at that time (so, logically, it was impossible to specify one correctly to get access to any share).

The smbpasswd step and the change in the smb.conf should have fixed that.

Now, repeat for all your users, with different names.

Quote:

All in all I'm very confused. What I need to do is allow everyone access to most shares, and some people access to all shares. What is the best way to do this?
To have more than one person access a certain share, merely change the smb.conf definition for that share to that below, after adding that user in the usual way, if he is not already a Samba user:

[TESTUSER_HOME]
path = /home/stefan
strict locking = no
blocking locks = yes
fake oplocks = yes
guest ok = no
writeable = yes
create mode = 0777
directory mode = 0777
browseable = yes
public = no
username = testuser anotheruser yetanotheruser
read list = testuser anotheruser
write list = testuser yetanotheruser
valid users = testuser anotheruser yetanotheruser

I.e., when samba is restarted after changing the share definition to the above, anotheruser will have read-only access, while yetanotheruser will only be able to write (i.e. save) files in the testuser_home share, not see what is in there. The needed combinations should be obvious to attain what you want.

Quote:

Kind regards,
Steve
Hope this helped,

Last edited by rylan76; 01-12-2006 at 01:32 AM.
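
Added example (not part of either post above, and not Samba's own code): a small Python check that resolves what a given authenticated user gets on a share from `valid users`, `invalid users`, `read list`, `write list` and `writeable`/`read only`, following the precedence documented in the smb.conf man page. The sample configuration, share names and user names are constructed for illustration; `@group` entries and inheritance from `[global]` are not handled.

```python
import configparser

# Constructed smb.conf for illustration; share and user names are hypothetical.
SAMPLE_CONF = """
[global]
security = user

[common]
path = /srv/samba/common
guest ok = no
writeable = yes

[confidential]
path = /srv/samba/confidential
guest ok = no
writeable = no
valid users = alice bob carol
read list = bob
write list = alice bob
"""

def _users(section, key):
    # Samba accepts space- or comma-separated names; @group entries are not expanded here.
    return set(section.get(key, "").replace(",", " ").split())

def effective_access(conf_text, share, user):
    """Return 'none', 'ro' or 'rw' for an authenticated user on one share."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    s = cp[share]
    if user in _users(s, "invalid users"):
        return "none"
    valid = _users(s, "valid users")
    if valid and user not in valid:
        return "none"  # a non-empty "valid users" acts as an allow-list
    if user in _users(s, "write list"):
        return "rw"    # write list wins, even if the user is also in read list
    if user in _users(s, "read list"):
        return "ro"    # read list forces read-only regardless of "writeable"
    if "read only" in s:
        writable = not s.getboolean("read only")
    else:  # "writeable", "writable" and "write ok" are inverted synonyms of "read only"
        writable = any(s.getboolean(k, fallback=False)
                       for k in ("writeable", "writable", "write ok"))
    return "rw" if writable else "ro"

if __name__ == "__main__":
    for share in ("common", "confidential"):
        for user in ("alice", "bob", "carol", "dave"):
            print(f"{share:13} {user:6} {effective_access(SAMPLE_CONF, share, user)}")
```

The result is only the Samba-side decision: the Unix ownership and mode bits on the share path still apply on top of it. Running `testparm -s` against the real smb.conf shows the settings smbd actually parsed.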