William P.N. Smith
2010-May-12 20:48 UTC
[Samba] select read/write access by user or group?
This should be simple, but I've been pounding my head against it for several hours, and I'm not getting the result I want.

I'd like to be able to select shares, whether they are the root of a drive or /home/username and designate who can read and who can read/write.

Does Samba have its own groups to go with its own users?

I really can only use "security = user" in this case...

I'd like to do something like give the root user read/write access to the root of the drive, give user roy read-only access to the root of the drive, and give user willie read/write access to /home/pictures, is there a way to do that with Samba or is that a Linux/groups/acl kind of thing?

It seems if I have a share that someone can read, anyone can read it, is that right?

There are some hints in the default smb.conf like:

# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff

but +staff isn't documented anywhere (user or @group is, but not +staff), and creating a Linux group called staff and adding users to it doesn't help.

Thanks in advance for any hints!

2010/5/12 William P.N. Smith <w_smith at compusmiths.com>:
> It seems if I have a share that someone can read, anyone can read it,
> is that right?

depends; how did you configure your shares?

> but +staff isn't documented anywhere (user or @group is, but not +staff),
> and adding creating a Linux group called staff and adding users to it
> doesn't help.

+ is explained in the manual. Did you read it?

> Thanks in advance for any hints!

man smb.conf:

valid users (S)
    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

    If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

    The current servicename is substituted for %S. This is useful in the [homes] section.

    Default: valid users = # No valid users list (anyone can login)

    Example: valid users = greg, @pcusers

HTH,
Norberto

On 05/12/2010 3:48 PM, William P.N. Smith wrote:
> This should be simple, but I've been pounding my head against it for
> several hours, and I'm not getting the result I want.
>
> I'd like to be able to select shares, whether they are the root of a
> drive or /home/username and designate who can read and who can
> read/write.
>
> Does Samba have its own groups to go with its own users?

Any defined group can be controlled via Samba.

>
> I really can only use "security = user" in this case...
>
> I'd like to do something like give the root user read/write access to
> the root of the drive, give user roy read-only access to the root of
> the drive, and give user willie read/write access to /home/pictures,
> is there a way to do that with Samba or is that a Linux/groups/acl
> kind of thing?

Usually a combination of the two.

>
> It seems if I have a share that someone can read, anyone can read it,
> is that right?

That depends on POSIX permissions, POSIX ACLs, and the parameters in your Samba share definition.

>
> There are some hints in the default smb.conf like:
> # A publicly accessible directory, but read only, except for people in
> # the "staff" group
> ; [public]
> ; comment = Public Stuff
> ; path = /home/samba
> ; public = yes
> ; writable = yes
> ; printable = no
> ; write list = +staff
>
> but +staff isn't documented anywhere (user or @group is, but not
> +staff), and creating a Linux group called staff and adding
> users to it doesn't help.

"+" in front of a group defines that group as being local.

>
> Thanks in advance for any hints!

Redefine what it is you're trying to achieve by giving us an example share and path, along with the users and groups that are to have access to that share, and whether the access is to be read-only or read-write for each user/group.

Dale
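
An added example, not part of any message in this thread: one way the access described in the original question could be written in smb.conf with the `valid users` and `write list` parameters discussed above. The share names [rootfs] and [pictures] are assumptions; the users, "security = user" and the /home/pictures path come from the question.

```ini
# Constructed example. Share names [rootfs] and [pictures] are assumed.
[global]
    security = user

[rootfs]
    path = /
    # Only these accounts may connect to the share at all.
    # An empty "valid users" (the default) lets any user log in.
    valid users = root, roy
    # Everyone who connects is read-only by default ...
    read only = yes
    # ... except the users listed here, who get write access.
    write list = root

[pictures]
    path = /home/pictures
    valid users = willie
    read only = yes
    write list = willie
    # A Unix group can be named instead of individual users,
    # as in the default smb.conf hint: write list = +staff
```

These share parameters only narrow access: the Unix permissions and ACLs on the files must also allow what each connected user does, so roy can read only what the roy account can read on disk. `testparm -s` prints the configuration as Samba parsed it, which shows whether each share picked up the intended lists.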