[Samba] Samba directory level security

2009-10-06 Thread Poulter, Dale
Good morning all,

We are moving our web server from Novell to Unix (Solaris) and will be using 
Samba to allow users to edit web pages.  Our Samba instance authenticates using 
ADS and the users do not necessarily have accounts on the server itself.  We 
are attempting to allow users to map a single Samba share but only see the 
directories they have read access to (see configuration below).  Any 
suggestions?


We have

/www (main share)
/www/dir1
/www/dir2
/www/dir3

everyone should map to /www

group should see something like
dir1
dir2
dir3

group2
dir1
dir2


[www]
   path = /www
   read only = yes
   browseable = no
   guest ok = no
   write list = @Domain\All_Editors
   public = no
   force user = web
   hide unreadable = yes

[dir1]
   path = /www/dir1
   read only = no
   browseable = no
   guest ok = no
   write list = @Domain\DIR1_Editors
   public = no
   force user = web
   hide unreadable = yes

--Dale

---
Dale Poulter
Automation Coordinator
Library Information Technology Services
Vanderbilt University
Suite 700
110 21st Avenue South
Nashville, TN  37240
(615)343-5388
(615)343-8834 (fax)
(615)207-9705 (cell)
dale.poul...@vanderbilt.edu

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba directory level security

2009-10-06 Thread Robert LeBlanc
Is the use of ACLs a possibility? I've explained to someone yesterday how to
use ACLs in Samba with ADS. It works very well for us and we are doing
exactly what you want except that we only share out the root (www directory
in your instance) and control everything using ACLs.

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University




Re: [Samba] Samba directory level security

2009-10-06 Thread Poulter, Dale
Robert,

ACLs may be possible.  Do I understand correctly that you only have the one 
share and you still force the user to be the webserver user?



Re: [Samba] Samba directory level security

2009-10-06 Thread Robert LeBlanc
We don't use the force user/group option at all. Whoever writes the
file will be the owner. If another user or group should have access to
the file, we specify that using the default ACL option. Another reason
for this is that we can enforce user and group quotas on the Samba
share.

-- 

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University


Re: [Samba] Samba directory level security

2009-10-06 Thread John Drescher
> We don't use the force user/group option at all. Whoever writes the
> file will be the owner. If another user or group should have access to
> the file, we specify that using the default ACL option. Another reason
> for this is that we can enforce user and group quotas on the Samba
> share.

This is the same way I use Samba in my department at work. I have no
force user or group lines in any of my configuration files. Proper
Linux ACLs are used to control the access.

John
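
The single-share, ACL-driven layout the replies describe, written out for the /www tree from the first post. This is an added example, not configuration posted by anyone in the thread. Assumptions: DOMAIN\group1 and DOMAIN\group2 stand in for the poster's "group" and "group2", "web" is the web server's own Unix account, and winbind resolves the AD groups on the server.

```ini
# Added example; names marked as placeholders are not from the thread.

# As posted: with "force user", every file operation runs as "web", so
# filesystem permission checks and "hide unreadable" are evaluated for
# "web" rather than the connecting user. All users see the same tree.
# [www]
#    force user = web
#    hide unreadable = yes

# ACL-driven variant: one share, no forced identity. Each session keeps
# the authenticated user's identity, so "hide unreadable" filters the
# listing per user and files are owned by whoever writes them.
[www]
   path = /www
   browseable = no
   guest ok = no
   read only = yes
   # Share-level gate; members of group1/group2 (placeholders) must also
   # be in this group to write. Filesystem ACLs narrow access further.
   write list = @Domain\All_Editors
   hide unreadable = yes
   # New files and directories take the parent's default ACL.
   inherit acls = yes

# Matching filesystem ACLs, run once as root. Linux setfacl syntax is
# shown; Solaris ACL syntax differs. The -d entries are the default ACL
# that new files inherit.
#
#   chmod o-rwx /www/dir1 /www/dir2 /www/dir3
#
#   # group1 (placeholder): dir1, dir2, dir3. "web" keeps read access.
#   setfacl    -m 'u:web:r-x,g:DOMAIN\group1:rwx' /www/dir1 /www/dir2 /www/dir3
#   setfacl -d -m 'u:web:r-x,g:DOMAIN\group1:rwx' /www/dir1 /www/dir2 /www/dir3
#
#   # group2 (placeholder): dir1 and dir2 only, so dir3 is hidden from it.
#   setfacl    -m 'g:DOMAIN\group2:rwx' /www/dir1 /www/dir2
#   setfacl -d -m 'g:DOMAIN\group2:rwx' /www/dir1 /www/dir2
#
# Check the result with: getfacl /www/dir1 /www/dir3
```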