On Wed, 2021-11-03 at 04:17 -0500, Patrick Goetz via samba wrote:
> I have yet to test this with winbind, but if I want to restrict access
> to a share to the security group "staff", I think I would do this:
>
> [share]
> comment = Share Directory
> path = /data/share
> guest ok = no
> browseable = yes
> writeable = yes
> create mask = 0770
> directory mask = 0770
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> valid users = @staff
>
> What if I want to restrict access to a group name with spaces in it;
> e.g. domain users?
>
> Would the syntax be
>
> valid users = @"domain users"
No, it wouldn't
>
> or something else?
Use setfacl
>
>
> Also, I think "inherit acls = yes" is unnecessary because I have "vfs
> objects = acl_xattr" in the global section, but that's an aside.
You should have both in 'global'
>
> Also, I think the use of "wide links = yes" is discouraged because this
> creates security issues? Is it best practice to not include this?
Do you want to give your users the ability to go anywhere on your
system? I thought not, so do not use it.
Rowland
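
As an added example (not part of the original thread, and not Samba project code), the following sketch audits an smb.conf for shares where "wide links" is effectively enabled, treating [global] as the default for each share. The `[hardened]` share and the sample text are constructed for illustration; `include` directives and line continuations are not handled.

```python
import re

# Boolean "true" spellings documented in smb.conf(5).
TRUE_VALUES = {"yes", "true", "1"}

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for an smb.conf string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_with_wide_links(text):
    """List shares where 'wide links' is enabled, directly or via [global]."""
    sections = parse_smb_conf(text)
    global_value = sections.get("global", {}).get("widelinks", "no")
    flagged = []
    for name, params in sections.items():
        if name == "global":
            continue
        if params.get("widelinks", global_value).lower() in TRUE_VALUES:
            flagged.append(name)
    return flagged

# Constructed sample: the [share] block from the question, plus a
# hypothetical [hardened] share that omits 'wide links'.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    inherit acls = yes
[share]
    path = /data/share
    follow symlinks = yes
    wide links = yes
    valid users = @staff
[hardened]
    path = /data/hardened
    valid users = @staff
"""

if __name__ == "__main__":
    for share in shares_with_wide_links(SAMPLE):
        print(f"[{share}]: 'wide links' enabled; symlinks may resolve outside the share path")
```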