On 11/3/21 04:32, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 04:17 -0500, Patrick Goetz via samba wrote:
>> I have yet to test this with winbind, but if I want to restrict access
>> to a share to the security group "staff", I think I would do this:
>>
>> [share]
>> comment = Share Directory
>> path = /data/share
>> guest ok = no
>> browseable = yes
>> writeable = yes
>> create mask = 0770
>> directory mask = 0770
>> inherit acls = yes
>> follow symlinks = yes
>> wide links = yes
>> valid users = @staff
>>
>> What if I want to restrict access to a group name with spaces in it;
>> e.g. domain users?
>>
>> Would the syntax be
>>
>> valid users = @"domain users"
>
> No, it wouldn't
>
>>
>> or something else?
>
> Use setfacl
>
Sorry, I'm not following what you're saying. The suggestion is don't set
a "valid users" parameter at all and just use filesystem ACLs to
restrict access to the share?
>>
>>
>> Also, I think "inherit acls = yes" is unnecessary because I have
>> "vfs objects = acl_xattr" in the global section, but that's an aside.
>
> You should have both in 'global'
>
>>
>> Also, I think the use of "wide links = yes" is discouraged because this
>> creates security issues? Is it best practice to not include this?
>
> Do you want to give your users the ability to go anywhere on your
> system ? I thought not, so do not use it.
>
> Rowland
>
>
>
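
An added example, not part of the thread: a small audit that reads smb.conf text and reports, per share, whether "wide links" or guest access is effectively enabled (including values inherited from [global]) and what "valid users" is set to. The sample config is constructed from the [share] section quoted above; the [global] contents, the [scratch] share and the names audit() and norm() are assumptions for illustration.

```python
import configparser

# Constructed sample: the [share] section from the thread, a hypothetical
# [global] and a hypothetical second share.
SAMPLE = """\
[global]
vfs objects = acl_xattr
inherit acls = yes

[share]
path = /data/share
guest ok = no
follow symlinks = yes
wide links = yes
valid users = @staff

[scratch]
path = /data/scratch
guest ok = yes
"""

TRUE = {"yes", "true", "1", "on"}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def audit(text):
    """Return {share: {wide_links, guest_ok, valid_users}} using effective values."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.optionxform = norm
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = {}
    for sect in cp.sections():
        if sect.lower() == "global":
            glob.update(cp[sect])
    report = {}
    for sect in cp.sections():
        if sect.lower() == "global":
            continue
        eff = {**glob, **cp[sect]}  # share settings override [global]
        on = lambda key: eff.get(key, "no").strip().lower() in TRUE
        report[sect] = {"wide_links": on("widelinks"),
                        "guest_ok": on("guestok") or on("public"),  # "public" is a synonym
                        "valid_users": eff.get("validusers")}
    return report

if __name__ == "__main__":
    for share, r in audit(SAMPLE).items():
        print(share, r)
```
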