samba permission file folders access

salimshahzad · 02-18-2010, 03:00 AM

dear gurus hello good day

i do have 1 folder for samba share
/share/apps

this folder i want to give permission 2 kind of people

1) above samba share, give full access to 3 ips
192.168.0.1
192.168.0.2
192.168.0.3

2)above samba share, give read+execute(cant delete document any) access to 3 ips
192.168.0.11
192.168.0.21
192.168.0.31

how can we achieve best advise

regards
salim

ddaemonunics · 02-18-2010, 03:45 AM

Don't have much experienced with samba..but I think you should do access restrictions ACL for files based on user/group id and not IP.

deadeyes · 02-19-2010, 06:41 AM

Quote:

Originally Posted by salimshahzad

dear gurus hello good day

i do have 1 folder for samba share
/share/apps

this folder i want to give permission 2 kind of people

1) above samba share, give full access to 3 ips
192.168.0.1
192.168.0.2
192.168.0.3

2)above samba share, give read+execute(cant delete document any) access to 3 ips
192.168.0.11
192.168.0.21
192.168.0.31

how can we achieve best advise

regards
salim

This is not directly achievable.
As you can choose wether to allow an IP/hosts/network to use a share, this is host based. While write permissions should be user based permissions.
So maybe you can create 2 shares with the same path and give one group more access rights then others. (I dont know if this is actually possible, but if you try, please report if it works)

ACLs are a way for user based permissions. Not host based.
So then you can say: usera can write to share1. userb can read from share1.
So in this case this won't help.

What you might do is creating users in a different group based on the networks they are in (this is static of course).
So it depends on what you really want.

salimshahzad · 02-20-2010, 02:06 AM

thanks in response i feel more clarification or guideline needed such case

salimshahzad · 02-20-2010, 08:27 AM

dear gurus can someone give me practical example of this, i need 2 king of permission 1 is full access and other is read+exceute. it can be by ip by userid or by group. as i am beginner try to find such example cant find it so far

see below my smb.conf file

[global]
workgroup = test
server string = sa1
hosts allow = 192.168.0.1 192.168.0.2 192.168.0.3
log file = /var/log/samba/%m.log
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[test_share]
comment = test_share
path = /var/opt/test_share
browseable = yes
writable = yes
public = yes
read only = no

deadeyes · 02-21-2010, 01:33 PM

Quote:

Originally Posted by salimshahzad

dear gurus can someone give me practical example of this, i need 2 king of permission 1 is full access and other is read+exceute. it can be by ip by userid or by group. as i am beginner try to find such example cant find it so far

see below my smb.conf file

[global]
workgroup = test
server string = sa1
hosts allow = 192.168.0.1 192.168.0.2 192.168.0.3
log file = /var/log/samba/%m.log
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[test_share]
comment = test_share
path = /var/opt/test_share
browseable = yes
writable = yes
public = yes
read only = no

Try something like this:

Code:

[sharegroup]
        comment = test of thread
        path = /srv/sharegroup
        browseable = no
        writeable = no
        write list = @writegroup
        valid users = @accessgroup

Create the group writegroup and accessgroup

Code:

groupadd -g 200 writegroup
groupadd -g 201 accessgroup

The users you want should be added to either accessgroup (for read only) or accessgroup and writegroup (if you want to give the user read write access)

Code:

usermod -a -G accessgroup readonlyuser,writeuser
usermod -a -G writegroup writeuser

You also need appropriate permissions on the directory:

Code:

chgrp accessgroup /srv/sharegroup
chown 770 /srv/sharegroup

So then you should supply each user with credentials depending on what network they are.