Onno Zweers <onno@verweij.com> wrote:
> Message: 17
> Date: Mon, 28 Aug 2000 16:49:39 +0200
> To: samba@samba.org
> From: Onno Zweers <onno@verweij.com>
> Subject: Making a share visible only to members of a group
>
> Hi all (and hopefully also someone of the samba team),
>
> I want a shared directory to be visible only to the members of a group, and
> to no one else. Instead, a shared directory is either visible to everyone
> (browseable=yes) or to no-one (browseable=no). When a non-authorised user
> enters the shared directory, she gets an error message. That's good. But
> since the user cannot use the share anyway, I want her not to see the share
> in the list.
>
> In the newsgroup comp.protocols.smb they told me it was not possible. I
> have considered using a clever "include" statement, but it seems not
> possible to make an include depend on user ID. In the FAQ, the HowTo and the
> man pages I found no solution, and not even a mention of this problem.
[snip]
Yes, indeed this is possible. We use it all the time here. In our case,
we have something like:
-------------------------------------------------------------------------
In /etc/samba/smb.conf:
[global]
...
[homes]
...
include = /etc/samba/smb.conf.group-%G
include = /etc/samba/smb.conf.user-%U
------------------
In /etc/samba/smb.conf.group-it:
[group]
comment = /u/it/group -- Group Only Share
path = /u/it/group
writable = yes
browsable = yes
; only members may write:
write list = @it
; only members force groupness:
force group = +it
; only members may connect:
valid users = +it
; make everything group writable, DON'T let others see:
; (also set group-id bit)
force directory mode = 02770
force create mode = 0770
directory mask = 02770
create mask = 0770
[public]
comment = /u/it/public -- Publicly Readable Share
path = /u/it/public
writable = yes
browsable = yes
; only members may write:
write list = @it
; only members force groupness:
force group = +it
; only members may connect:
valid users = +it
; make everything group writable, DO let others see:
; (also set group-id bit)
force directory mode = 02775
force create mode = 0775
directory mask = 02775
create mask = 0775
-------------------------------------------------------------------------
Note that you can only use %G and %U. You can't use %g. So therefore,
you can only make this happen on the primary group. We use the second
include file to handle odd cases where we want something visible to
a small set of people that cross group boundaries. The include file
called "smb.conf.user-gaa", for instance, might then have just the
statement:
include = /etc/samba/smb.conf.group-special
I try not to tell anyone about this because it could become a mess as
people want to create all possible combinations. This is what ACLs
are for, not this mechanism.
> Onno
> --
> Onno Zweers, automatisering mailto:onno@verweij.com
> Verweij Fashion BV http://www.verweij.com
>
--
Gary Algier, WB2FWZ gary.algier@ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
This space intentionally left blank by the censors.
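
The include chain described in the reply above, as an added example that is not part of the original e-mails: a Python sketch that resolves which share sections a given user and primary group end up with, useful for auditing the layout once per-user files start including group files. The [special] share, its path, the users alice and bob and the group sales are constructed; skipping a missing include file is an assumption about how smbd treats it.

```python
import os, re, tempfile

SPECIAL = {"global", "homes", "printers"}  # sections that are not ordinary shares

def visible_shares(conf, user, group, _seen=None):
    """Return the share names defined for a session with %U=user and %G=group,
    following include lines recursively."""
    seen = _seen if _seen is not None else set()
    # Assumption: an include that points at a missing file is skipped.
    if conf in seen or not os.path.isfile(conf):
        return []
    seen.add(conf)  # also guards against include loops and double includes
    shares = []
    with open(conf) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in ";#":
                continue
            m = re.fullmatch(r"\[(.+)\]", line)
            if m:
                if m.group(1).lower() not in SPECIAL:
                    shares.append(m.group(1))
                continue
            key, _, val = line.partition("=")
            if key.strip().lower() == "include":
                path = val.strip().replace("%G", group).replace("%U", user)
                shares += visible_shares(path, user, group, seen)
    return shares

def demo(user, group):
    """Build the post's layout in a temp dir (constructed sample) and resolve it."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "smb.conf": f"[global]\n[homes]\ninclude = {d}/smb.conf.group-%G\n"
                        f"include = {d}/smb.conf.user-%U\n",
            "smb.conf.group-it": "[group]\npath = /u/it/group\n"
                                 "[public]\npath = /u/it/public\n",
            "smb.conf.group-special": "[special]\npath = /u/special\n",
            "smb.conf.user-gaa": f"include = {d}/smb.conf.group-special\n",
        }
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return visible_shares(os.path.join(d, "smb.conf"), user, group)

if __name__ == "__main__":
    for u, g in [("gaa", "it"), ("alice", "it"), ("bob", "sales")]:
        print(u, g, demo(u, g))
```

Point `visible_shares` at a real smb.conf to list, per user, every share section the include chain pulls in; the listing only controls what is defined for the session, while `valid users` still decides who may connect.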