Old 11-06-2022, 10:44 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

How specify different user/permissions for Samba share


I am running Samba on a Linux server as the Active Directory / Domain Controller. One of the other servers on the LAN is an A/D Domain member. This server, we'll call it NAS, shares a directory, "public", that other Windows workstations in the domain can mount using their Active Directory credentials. The smb.conf settings are:
Code:
domain master = no
prefered master = no

realm = MYDOM.LOCAL
workgroup = MYDOM
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash

client min protocol = SMB2
client max protocol = SMB3

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
comment = main file and document repository
path = /mnt/RAID/public

# for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
hide dot files = yes

readonly = no
locking = yes
public = yes 
printable = no   
create mask = 0660
force user = myuser
force group = mygroup
force create mode = 0660
directory mask = 2771
This has been working fine for years. All users have access to [public] using their active directory credentials. But now I need to change things so some subdirectories are accessible by only certain users -- also via their A/D Credentials. For example, in this shared folder, /mnt/RAID/public, I have a subdirectory, 'Staff' with:
Code:
drwxrwsr-x 17 myuser mygroup  20480 2022-11-04 08:17 boris/
drwxrwsr-x 29 myuser mygroup  16384 2022-10-31 13:25 karloff/
drwxrwsr-x 39 myuser mygroup  12288 2022-10-19 11:32 charming/
drwxrwsr-x 22 myuser mygroup   8192 2022-11-02 16:15 delila/
I would like to have directories boris and karloff accessible by either user boris and/or user karloff, and directory delila accessible only by user delila. Anyone can access directory charming, but user charming cannot access any of the other directories.

How would I set this up with Samba on the NAS server? Do I have to move the /mnt/RAID/public/Staff folder completely out of the .../public folder? I'd rather not have to do that.

Last edited by mfoley; 11-06-2022 at 10:48 AM.
 
Old 11-06-2022, 12:11 PM   #2
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,819

I think setting the appropriate permissions with the appropriate users and groups defined, (or if using ACLs, the 'setfacl' command) for each of the sub-directories will be required here...
https://www.linuxquestions.org/quest...6/#post4551491

This may be of value to you...
https://wiki.samba.org/index.php/Set...g_Windows_ACLs
 
Old 11-07-2022, 04:43 PM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,569

Original Poster
Setting ACLs seems complicated, but I'm experimenting. Currently, on one of the folders I have:
Code:
# getfacl /mnt/RAID/public/Staff/carl
getfacl: Removing leading '/' from absolute path names
# file: mnt/RAID/public/Staff/carl
# owner: myuser
# group: mygroup
# flags: -s-
user::rwx
group::rwx
other::r-x
So I guess I need to figure out how to only allow user 'carl' to access this folder.

Meanwhile, I tried the 'veto files' config in smb.conf and that worked. Is there a way to "undo" the veto for specific users?
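
The setfacl approach suggested in post #2, worked through for the four Staff directories from the question. This is an added example, not code from either poster or from the Samba project. It assumes `force user = myuser` is dropped from [public] (with it, smbd performs every file operation as myuser, so per-user ACL entries never match the connecting account), that boris, karloff and delila resolve through winbind, and that the filesystem has POSIX ACL support; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: per-directory POSIX ACLs for the Staff folders in this thread.
# Prints the setfacl commands by default; run with APPLY=1 (as root) to execute.
STAFF=${STAFF:-/mnt/RAID/public/Staff}

# Policy constructed from the question, one "directory:allowed,users" per line.
# An empty user list means the directory stays open to everyone.
POLICY='boris:boris,karloff
karloff:boris,karloff
delila:delila
charming:'

# acl_spec USERS -> ACL entries granting USERS access and denying everyone else.
acl_spec() {
    spec=
    old_ifs=$IFS; IFS=,
    for u in $1; do spec="${spec}u:${u}:rwX,"; done
    IFS=$old_ifs
    # Named-user entries are evaluated before the group entries, so the
    # owning group (mygroup) and "other" can be cut off without locking
    # out the listed users.
    printf '%s\n' "${spec}g::---,o::---"
}

# acl_cmds "dir:users" -> the two setfacl commands for one policy line.
acl_cmds() {
    dir=${1%%:*}; users=${1#*:}
    [ -n "$users" ] || return 0                     # unrestricted: no change
    spec=$(acl_spec "$users")
    echo "setfacl -R -m $spec '$STAFF/$dir'"        # existing files and dirs
    echo "setfacl -R -d -m $spec '$STAFF/$dir'"     # default ACL, inherited by new entries
}

# plan -> every command for the whole policy.
plan() {
    printf '%s\n' "$POLICY" | while IFS= read -r line; do acl_cmds "$line"; done
}

if [ "${APPLY:-0}" = 1 ]; then plan | sh -e; else plan; fi
```

After applying, `getfacl` on a restricted directory should list the named `user:` entries and show `group::---` and `other::---`; the owner (myuser) keeps access through `user::rwx`.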
 