Coert Waagmeester
2013-Jun-11 07:56 UTC
[Samba] custom permission for single user deep in tree where he has no access
Hello all, Got samba with AD integration and extended ACL up and running. Here is what I am trying to do. share1 in smb.conf: [share1] comment = share1 path = /mnt/data/share1 public = no writable = yes printable = no valid users = @DOMAIN+group1 user1 and user2 are members of group1 user3 is not user1 creates \\server\share1\dir1\user3 user1 grants permission only on the user3 directory to user3, not on any parent directories according to what I experienced with a windows file server, user3 should be able to access this folder on: \\server\share1\dir1\user3 But I get access denied with this samba setup. Are there any configuration directives I am missing? Kind regards, Coert Waagmeester PS HERE is my smb.conf: #======================= Global Settings ====================================[global] workgroup = DOMAIN server string = DOMAIN File server # --------------------------- Logging Options ----------------------------- log file = /var/log/samba/log.%m max log size = 50 # ----------------------- Domain Members Options ------------------------ security = domain passdb backend = tdbsam realm = DOMAIN.LOCAL winbind enum users = Yes winbind enum groups = Yes ;winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap config * : range = 6000-20000 idmap config * : backend = tdb ;idmap uid = 6000-20000 ;idmap gid = 6000-20000 ;template primary group = "Domain Users" template shell = /sbin/nologin template homedir = /mnt/data/DOMAIN/home/%D/%U root preexec = /usr/local/sbin/mkhomedir.sh %D %U ; password server = <NT-Server-Name> # --------------------------- Printing Options ----------------------------- load printers = yes cups options = raw ; printcap name = /etc/printcap #obtain list of printers automatically on SystemV ; printcap name = lpstat ; printing = cups # --------------------------- Filesystem Options --------------------------- map archive = yes map hidden = yes map read only = yes map system = yes store dos attributes = yes #============================ Share Definitions =============================[homes] comment = Home Directories browseable = no writable = yes create mask = 0700 directory mask = 0700 [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes [share1] comment = share1 path = /mnt/data/share1 public = no writable = yes printable = no ;write list = +staff valid users = @DOMAIN+group1, DOMAIN+user3
Coert Waagmeester
2013-Jun-18 09:06 UTC
[Samba] custom permission for single user deep in tree where he has no access
On 2013/06/11 09:56 AM, Coert Waagmeester wrote:> Hello all, > > Got samba with AD integration and extended ACL up and running. > > Here is what I am trying to do. > > share1 in smb.conf: > [share1] > comment = share1 > path = /mnt/data/share1 > public = no > writable = yes > printable = no > valid users = @DOMAIN+group1 > > user1 and user2 are members of group1 > user3 is not > > user1 creates \\server\share1\dir1\user3 > user1 grants permission only on the user3 directory to user3, not on any > parent directories > > according to what I experienced with a windows file server, user3 should > be able to access this folder on: > \\server\share1\dir1\user3 > > But I get access denied with this samba setup. > > Are there any configuration directives I am missing? > > Kind regards, > Coert Waagmeester > > PS HERE is my smb.conf: > #======================= Global Settings > ====================================> [global] > workgroup = DOMAIN > server string = DOMAIN File server > # --------------------------- Logging Options ----------------------------- > log file = /var/log/samba/log.%m > max log size = 50 > # ----------------------- Domain Members Options ------------------------ > security = domain > passdb backend = tdbsam > realm = DOMAIN.LOCAL > > winbind enum users = Yes > winbind enum groups = Yes > ;winbind use default domain = Yes > winbind nested groups = Yes > winbind separator = + > idmap config * : range = 6000-20000 > idmap config * : backend = tdb > ;idmap uid = 6000-20000 > ;idmap gid = 6000-20000 > ;template primary group = "Domain Users" > template shell = /sbin/nologin > template homedir = /mnt/data/DOMAIN/home/%D/%U > root preexec = /usr/local/sbin/mkhomedir.sh %D %U > ; password server = <NT-Server-Name> > # --------------------------- Printing Options > ----------------------------- > load printers = yes > cups options = raw > ; printcap name = /etc/printcap > #obtain list of printers automatically on SystemV > ; printcap name = lpstat > ; printing = cups > # --------------------------- Filesystem Options > --------------------------- > map archive = yes > map hidden = yes > map read only = yes > map system = yes > store dos attributes = yes > #============================ Share Definitions > =============================> [homes] > comment = Home Directories > browseable = no > writable = yes > create mask = 0700 > directory mask = 0700 > [printers] > comment = All Printers > path = /var/spool/samba > browseable = no > guest ok = no > writable = no > printable = yes > > [share1] > comment = share1 > path = /mnt/data/share1 > public = no > writable = yes > printable = no > ;write list = +staff > valid users = @DOMAIN+group1, DOMAIN+user3Hello all, Found out how to solve this. On the tree to the directory where the user needs access, he needs UNIX execute permission. This works well so far, he cannot read or list anything apart from the directory in the tree where he needs rw access. Regards, Coert Waagmeester