On 11/3/21 05:00, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 04:48 -0500, Patrick Goetz via samba wrote:
>>
>> On 11/3/21 04:32, Rowland Penny via samba wrote:
>>> On Wed, 2021-11-03 at 04:17 -0500, Patrick Goetz via samba wrote:
>>>> I have yet to test this with winbind, but if I want to restrict
>>>> access to a share to the security group "staff", I think I would do
>>>> this:
>>>>
>>>> [share]
>>>> comment = Share Directory
>>>> path = /data/share
>>>> guest ok = no
>>>> browseable = yes
>>>> writeable = yes
>>>> create mask = 0770
>>>> directory mask = 0770
>>>> inherit acls = yes
>>>> follow symlinks = yes
>>>> wide links = yes
>>>> valid users = @staff
>>>>
>>>> What if I want to restrict access to a group name with spaces in it;
>>>> e.g. domain users?
>>>>
>>>> Would the syntax be
>>>>
>>>> valid users = @"domain users"
>>>
>>> No, it wouldn't
>>>
>>>> or something else?
>>>
>>> Use setfacl
>>>
>>
>> Sorry, I'm not following what you're saying. The suggestion is don't
>> set a "valid users" parameter at all and just use filesystem ACLs to
>> restrict access to the share?
>
> No, not if you are referring to the standard Linux 'ugo' permissions, I
> am referring to extended acls you set with 'setfacl' and read with
> 'getfacl'
>
> Better still is to set the permissions from Windows.
>
I think we're miscommunicating. I'm trying to limit the ability to
mount the share to a particular group of users. ACLs don't come into
play until after the share is mounted.
> Rowland