On 11/3/21 05:00, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 04:48 -0500, Patrick Goetz via samba wrote:
>>
>> On 11/3/21 04:32, Rowland Penny via samba wrote:
>>> On Wed, 2021-11-03 at 04:17 -0500, Patrick Goetz via samba wrote:
>>>> I have yet to test this with winbind, but if I want to restrict
>>>> access to a share to the security group "staff", I think I would do
>>>> this:
>>>>
>>>> [share]
>>>>       comment = Share Directory
>>>>       path = /data/share
>>>>       guest ok = no
>>>>       browseable = yes
>>>>       writeable = yes
>>>>       create mask = 0770
>>>>       directory mask = 0770
>>>>       inherit acls = yes
>>>>       follow symlinks = yes
>>>>       wide links = yes
>>>>       valid users = @staff
>>>>
>>>> What if I want to restrict access to a group name with spaces in
>>>> it; e.g. domain users?
>>>>
>>>> Would the syntax be
>>>>
>>>>       valid users = @"domain users"
>>>
>>> No, it wouldn't
>>>
>>>> or something else?
>>>
>>> Use setfacl
>>>
>>
>> Sorry, I'm not following what you're saying. The suggestion is don't
>> set a "valid users" parameter at all and just use filesystem ACLs to
>> restrict access to the share?
> 
> No, not if you are referring to the standard Linux 'ugo' permissions, I
> am referring to extended acls you set with 'setfacl' and read with
> 'getfacl'
> 
> Better still is to set the permissions from Windows.
> 
I think we're miscommunicating. I'm trying to limit the ability to
mount the share to a particular group of users. ACLs don't come into
play until after the share is mounted.
> Rowland