Hello:
One way is to use ACLs:
1- When you configure Samba, put the following in smb.conf:
    ...
    ; new files and directories start owner-only; ACLs (inherited from the
    ; parent directory's default ACL) then grant access to other users/groups
    create mask = 0700
    directory mask = 0700
    inherit permissions = Yes
    inherit acls = Yes
    map acl inherit = Yes
    ...
    [data]
    comment = Share for data on the server....
    path = /data
    volume = data

Reload Samba:

    # service smb reload
2- Enable ACLs on the partition (if ext3, ext4) by modifying /etc/fstab.
Ex: For a partition /data:

    /dev/sdb1 /data ext4 acl,user_xattr

Remount the partition with:

    mount -o remount /data

(or whichever partition we are going to use with ACLs).
3- Assign permissions to files and directories. Some samples (PLEASE NOTE: THESE ARE SAMPLES, SO BE CAREFUL):

    - Allow full access to user root and nothing to group and others
    chown -R root: /data
    chmod -R 700 /data
    - Allow "folder1" and its content read access to all users of the domain.
    setfacl -R -m g:"Domain Users":rx /data/folder1
    setfacl -R -d -m g:"Domain Users":rx /data/folder1
    - Allow "folder2" and its content rw access to all users of the AD group "group2".
    setfacl -R -m g:group2:rwx /data/folder2
    setfacl -R -d -m g:group2:rwx /data/folder2
    - Allow the shared "/data" and its content full access to an AD user called "Administrator".
    setfacl -R -m u:administrator:rwx /data
    setfacl -R -d -m u:administrator:rwx /data
    - See the current ACL for folder1
    getfacl /data/folder1
    - Delete all ACLs for folder2 and its content.
    setfacl -R -b /data/folder2
The first line of each sample applies to existing data. The second (with the -d option) sets the default ACL, which is what will be applied to new files/folders.
It is important to know that ACLs are used for both Samba shares and local access. So if a user connects to the machine using ssh, telnet, ... the same security is applied.
In this way, what you really do is assign permissions to the folders/files and tell Samba to use that security.
When I say "group" and "user" of the domain, it is possible that you have to put the domain of the user/group, depending on the configuration of Samba. So really, the previous commands should be:
    setfacl -R -d -m g:DOMAIN\\group2:rx /data/folder2

with "DOMAIN" being the name of the domain in AD.
Another way of changing permissions is to use Explorer from a Windows client (if the user has the necessary rights, of course) as if it were a Windows share.
Regards
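Added example (editor's addition, not part of the original post): a small audit script that reads getfacl output and lists which named users or groups effectively have write access on each file, covering both the access ACL and the default (-d) ACL that new files will inherit. It also honours the mask entry, since getfacl prints an "#effective:" annotation when the mask caps an entry below what was granted. The sample input is constructed in getfacl's output format rather than captured from a real server; on a real share you would pipe `getfacl -p -R /data` into the function.

```shell
#!/bin/sh
# Audit helper (added example, not from the original post): list named
# user/group ACL entries whose *effective* permissions include write.
# Real usage: getfacl -p -R /data | acl_writers

# Prints "file: scope:type:name" for each named user/group entry with 'w'.
# The owner, owning-group, mask and other base entries are skipped; check
# those with ls -l.
acl_writers() {
  awk -F: '
    /^# file: / { f = substr($0, 9); next }   # remember which file the block describes
    /^#/ || NF == 0 { next }                  # owner/group/flags comments, blank separators
    {
      scope = "access"; t = $1; n = $2; p = $3
      if ($1 == "default") { scope = "default"; t = $2; n = $3; p = $4 }
      # When the mask restricts an entry, getfacl appends "<tab>#effective:r-x";
      # the rights that actually apply are then the last field on the line.
      if (index($0, "#effective:") > 0) p = $NF
      if ((t == "user" || t == "group") && n != "" && index(p, "w") > 0)
        print f ": " scope ":" t ":" n
    }'
}

# Constructed sample in getfacl format (not captured from a real server):
# folder1 grants "Domain Users" rwx on paper, but the mask caps it at r-x;
# folder2 grants group2 rwx on existing content and as the default ACL.
sample_acl() {
  printf '%s\n' \
    '# file: data/folder1' \
    '# owner: root' \
    '# group: root' \
    'user::rwx' \
    'group::---' \
    "group:Domain Users:rwx$(printf '\t')#effective:r-x" \
    'mask::r-x' \
    'other::---' \
    '' \
    '# file: data/folder2' \
    '# owner: root' \
    '# group: root' \
    'user::rwx' \
    'group::---' \
    'group:group2:rwx' \
    'mask::rwx' \
    'other::---' \
    'default:user::rwx' \
    'default:group::---' \
    'default:group:group2:rwx' \
    'default:mask::rwx' \
    'default:other::---'
}

# Running the audit over the sample reports only group2 on folder2
# (once for existing content, once as the default for new files);
# "Domain Users" on folder1 is not listed because the mask removes its write bit.
sample_acl | acl_writers
```

Because the same ACLs apply to local logins (ssh, etc.) as well as to the Samba share, running this over the share root after each setfacl change is a quick way to confirm that nobody outside the intended groups ended up with write access, and that the default ACL matches the access ACL so new files do not silently become more permissive than existing ones.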