On Tue, 2013-06-18 at 11:06 +0200, Coert Waagmeester wrote:
> On 2013/06/11 09:56 AM, Coert Waagmeester wrote:
> > Hello all,
> >
> > Got samba with AD integration and extended ACL up and running.
> >
> > Here is what I am trying to do.
> >
> > share1 in smb.conf:
> > [share1]
> > comment = share1
> > path = /mnt/data/share1
> > public = no
> > writable = yes
> > printable = no
> > valid users = @DOMAIN+group1
> >
> > user1 and user2 are members of group1
> > user3 is not
> >
> > user1 creates \\server\share1\dir1\user3
> > user1 grants permission only on the user3 directory to user3, not on any
> > parent directories
> >
> > according to what I experienced with a windows file server, user3 should
> > be able to access this folder on:
> > \\server\share1\dir1\user3
> >
> > But I get access denied with this samba setup.
> >
> > Are there any configuration directives I am missing?
> >
> > Kind regards,
> > Coert Waagmeester
> >
> > PS HERE is my smb.conf:
> > #======================= Global Settings =====================================
> > [global]
> > workgroup = DOMAIN
> > server string = DOMAIN File server
> > # --------------------------- Logging Options -----------------------------
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > # ----------------------- Domain Members Options ------------------------
> > security = domain
> > passdb backend = tdbsam
> > realm = DOMAIN.LOCAL
> >
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > ;winbind use default domain = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > idmap config * : range = 6000-20000
> > idmap config * : backend = tdb
> > ;idmap uid = 6000-20000
> > ;idmap gid = 6000-20000
> > ;template primary group = "Domain Users"
> > template shell = /sbin/nologin
> > template homedir = /mnt/data/DOMAIN/home/%D/%U
> > root preexec = /usr/local/sbin/mkhomedir.sh %D %U
> > ; password server = <NT-Server-Name>
> > # --------------------------- Printing Options -----------------------------
> > load printers = yes
> > cups options = raw
> > ; printcap name = /etc/printcap
> > #obtain list of printers automatically on SystemV
> > ; printcap name = lpstat
> > ; printing = cups
> > # --------------------------- Filesystem Options ---------------------------
> > map archive = yes
> > map hidden = yes
> > map read only = yes
> > map system = yes
> > store dos attributes = yes
> > #============================ Share Definitions ==============================
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > create mask = 0700
> > directory mask = 0700
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = no
> > guest ok = no
> > writable = no
> > printable = yes
> >
> > [share1]
> > comment = share1
> > path = /mnt/data/share1
> > public = no
> > writable = yes
> > printable = no
> > ;write list = +staff
> > valid users = @DOMAIN+group1, DOMAIN+user3
>
> Hello all,
>
> Found out how to solve this.
> On the tree to the directory where the user needs access, he needs UNIX
> execute permission.
>
> This works well so far, he cannot read or list anything apart from the
> directory in the tree where he needs rw access.

That is the correct unix way of doing this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
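The difference the original poster saw comes from how the two systems evaluate a path: Windows users normally hold the "Bypass traverse checking" privilege, so NTFS never looks at the permissions of intermediate folders, while a POSIX kernel checks the search (x) bit on every directory from the share root down. The script below is an added example, not code from the thread or from the Samba project. It rebuilds the layout from the post (share1/dir1/user3), shows the check failing when only the leaf has been opened up, then grants search-only permission on the parents and shows the check passing while those parents remain unlistable. Because it runs without the domain accounts, it uses the "other" permission class as a stand-in for the per-user ACL entry; the equivalent setfacl commands for a real deployment are given in the comments. It assumes GNU coreutils (stat -c) and a filesystem that honours mode bits.

```shell
#!/bin/sh
# Added example modelling the thread's layout: share1/dir1/user3.
# share1 and dir1 are for group1 only; a user outside group1 is given
# rights on the leaf. The "other" class stands in for that user's ACL
# entry because this runs without real accounts. Assumes GNU stat.

# traverse_missing ROOT TARGET
# Walks from the parent of TARGET up to ROOT (inclusive) and prints each
# directory whose "other" class lacks the search (x) bit. Returns 0 when
# every directory on the path can be traversed, 1 otherwise.
traverse_missing() {
    root=$1
    dir=$(dirname "$2")
    rc=0
    while :; do
        # Symbolic mode, e.g. drwxrwx--x; the last character is "other" execute.
        case "$(stat -c '%A' "$dir")" in
            *[xt]) ;;
            *) echo "no search permission on: $dir"; rc=1 ;;
        esac
        [ "$dir" = "$root" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# make_tree BASE
# Creates BASE/share1/dir1/user3 with the leaf opened up and the parents
# closed to everyone outside the group: the situation the poster hit.
make_tree() {
    mkdir -p "$1/share1/dir1/user3"
    chmod 770 "$1/share1" "$1/share1/dir1"   # group1 only, nothing for others
    chmod o=rwx "$1/share1/dir1/user3"       # stands in for: setfacl -m u:DOMAIN+user3:rwx .../user3
}

# grant_traverse ROOT TARGET
# Adds only the search bit on every directory between ROOT and TARGET.
# No read bit is added, so those directories still cannot be listed.
grant_traverse() {
    root=$1
    dir=$(dirname "$2")
    while :; do
        chmod o+x "$dir"     # stands in for: setfacl -m u:DOMAIN+user3:--x "$dir"
        [ "$dir" = "$root" ] && break
        dir=$(dirname "$dir")
    done
}

# demo
# Builds a temporary tree, expects the check to fail before the fix and
# pass after it, and confirms the parents gained x but not r for others.
demo() {
    base=$(mktemp -d)
    make_tree "$base"
    root=$base/share1
    leaf=$root/dir1/user3
    traverse_missing "$root" "$leaf" && return 1   # must fail: parents are 770
    grant_traverse "$root" "$leaf"
    traverse_missing "$root" "$leaf" || return 1   # must pass: parents are now 771
    [ "$(stat -c '%A' "$root/dir1")" = "drwxrwx--x" ] || return 1
    [ "$(stat -c '%A' "$root")" = "drwxrwx--x" ] || return 1
    rm -rf "$base"
    return 0
}

demo && echo "traverse check: OK"
```

With real domain users, replace the chmod calls with the setfacl commands shown in the comments (or set the equivalent "Traverse folder / execute file" right from a Windows client on an acl_xattr share); the check itself would then read the user's entry from getfacl instead of the "other" class, but the rule being verified is the same: x on every ancestor, and nothing more than x where the user should not be able to list.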