Re: [Samba] custom permission for single user deep in tree where he has no access
On Tue, 2013-06-18 at 11:06 +0200, Coert Waagmeester wrote:
> On 2013/06/11 09:56 AM, Coert Waagmeester wrote:
> > Hello all,
> >
> > Got samba with AD integration and extended ACL up and running.
> >
> > Here is what I am trying to do.
> >
> > share1 in smb.conf:
> > [share1]
> >     comment = share1
> >     path = /mnt/data/share1
> >     public = no
> >     writable = yes
> >     printable = no
> >     valid users = @DOMAIN+group1
> >
> > user1 and user2 are members of group1
> > user3 is not
> >
> > user1 creates \\server\share1\dir1\user3
> > user1 grants permission only on the user3 directory to user3, not on any parent directories
> >
> > according to what I experienced with a windows file server, user3 should be able to access this folder on:
> > \\server\share1\dir1\user3
> >
> > But I get access denied with this samba setup.
> >
> > Are there any configuration directives I am missing?
> >
> > Kind regards,
> > Coert Waagmeester
> >
> > PS HERE is my smb.conf:
> >
> > #=== Global Settings =
> > [global]
> >     workgroup = DOMAIN
> >     server string = DOMAIN File server
> >
> > # --- Logging Options -
> >     log file = /var/log/samba/log.%m
> >     max log size = 50
> >
> > # --- Domain Members Options
> >     security = domain
> >     passdb backend = tdbsam
> >     realm = DOMAIN.LOCAL
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     ;winbind use default domain = Yes
> >     winbind nested groups = Yes
> >     winbind separator = +
> >     idmap config * : range = 6000-2
> >     idmap config * : backend = tdb
> >     ;idmap uid = 6000-2
> >     ;idmap gid = 6000-2
> >     ;template primary group = Domain Users
> >     template shell = /sbin/nologin
> >     template homedir = /mnt/data/DOMAIN/home/%D/%U
> >     root preexec = /usr/local/sbin/mkhomedir.sh %D %U
> > ;   password server = NT-Server-Name
> >
> > # --- Printing Options -
> >     load printers = yes
> >     cups options = raw
> > ;   printcap name = /etc/printcap
> >     #obtain list of printers automatically on SystemV
> > ;   printcap name = lpstat
> > ;   printing = cups
> >
> > # --- Filesystem Options ---
> >     map archive = yes
> >     map hidden = yes
> >     map read only = yes
> >     map system = yes
> >     store dos attributes = yes
> >
> > # Share Definitions ==
> > [homes]
> >     comment = Home Directories
> >     browseable = no
> >     writable = yes
> >     create mask = 0700
> >     directory mask = 0700
> >
> > [printers]
> >     comment = All Printers
> >     path = /var/spool/samba
> >     browseable = no
> >     guest ok = no
> >     writable = no
> >     printable = yes
> >
> > [share1]
> >     comment = share1
> >     path = /mnt/data/share1
> >     public = no
> >     writable = yes
> >     printable = no
> > ;   write list = +staff
> >     valid users = @DOMAIN+group1, DOMAIN+user3
>
> Hello all,
>
> Found out how to solve this.
> On the tree to the directory where the user needs access, he needs UNIX execute permission.
>
> This works well so far, he cannot read or list anything apart from the directory in the tree where he needs rw access.

That is the correct unix way of doing this.

Andrew Bartlett

--
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] custom permission for single user deep in tree where he has no access
On 2013/06/11 09:56 AM, Coert Waagmeester wrote:
> Hello all,
>
> Got samba with AD integration and extended ACL up and running.
>
> Here is what I am trying to do.
>
> share1 in smb.conf:
> [share1]
>     comment = share1
>     path = /mnt/data/share1
>     public = no
>     writable = yes
>     printable = no
>     valid users = @DOMAIN+group1
>
> user1 and user2 are members of group1
> user3 is not
>
> user1 creates \\server\share1\dir1\user3
> user1 grants permission only on the user3 directory to user3, not on any parent directories
>
> according to what I experienced with a windows file server, user3 should be able to access this folder on:
> \\server\share1\dir1\user3
>
> But I get access denied with this samba setup.
>
> Are there any configuration directives I am missing?
>
> Kind regards,
> Coert Waagmeester
>
> PS HERE is my smb.conf:
>
> #=== Global Settings =
> [global]
>     workgroup = DOMAIN
>     server string = DOMAIN File server
>
> # --- Logging Options -
>     log file = /var/log/samba/log.%m
>     max log size = 50
>
> # --- Domain Members Options
>     security = domain
>     passdb backend = tdbsam
>     realm = DOMAIN.LOCAL
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     ;winbind use default domain = Yes
>     winbind nested groups = Yes
>     winbind separator = +
>     idmap config * : range = 6000-2
>     idmap config * : backend = tdb
>     ;idmap uid = 6000-2
>     ;idmap gid = 6000-2
>     ;template primary group = Domain Users
>     template shell = /sbin/nologin
>     template homedir = /mnt/data/DOMAIN/home/%D/%U
>     root preexec = /usr/local/sbin/mkhomedir.sh %D %U
> ;   password server = NT-Server-Name
>
> # --- Printing Options -
>     load printers = yes
>     cups options = raw
> ;   printcap name = /etc/printcap
>     #obtain list of printers automatically on SystemV
> ;   printcap name = lpstat
> ;   printing = cups
>
> # --- Filesystem Options ---
>     map archive = yes
>     map hidden = yes
>     map read only = yes
>     map system = yes
>     store dos attributes = yes
>
> # Share Definitions ==
> [homes]
>     comment = Home Directories
>     browseable = no
>     writable = yes
>     create mask = 0700
>     directory mask = 0700
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     browseable = no
>     guest ok = no
>     writable = no
>     printable = yes
>
> [share1]
>     comment = share1
>     path = /mnt/data/share1
>     public = no
>     writable = yes
>     printable = no
> ;   write list = +staff
>     valid users = @DOMAIN+group1, DOMAIN+user3

Hello all,

Found out how to solve this.
On the tree to the directory where the user needs access, he needs UNIX execute permission.

This works well so far, he cannot read or list anything apart from the directory in the tree where he needs rw access.

Regards,
Coert Waagmeester
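The fix described in this message, execute-only permission on every parent directory, can be audited per path. The following is an added example, not code from the thread or from Samba: it walks from the share root down to the target and flags parents that block traversal or that also allow listing. It assumes plain mode bits decide access (POSIX ACL entries are not evaluated); the function names and the uid/gid chosen for "user3" are hypothetical.

```python
import os
import tempfile

def effective_bits(st, uid, gids):
    """Pick the owner, group or other rwx triplet (mode bits only, no ACLs)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7

def audit_path(share_root, target, uid, gids):
    """Classify every directory from share_root down to target for this user."""
    root, target = os.path.realpath(share_root), os.path.realpath(target)
    if os.path.commonpath([root, target]) != root:
        raise ValueError("target is outside the share root")
    rel = os.path.relpath(target, root)
    chain = [root]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    findings = []
    for directory in chain:
        bits = effective_bits(os.stat(directory), uid, gids)
        if directory == target:
            verdict = "ok" if bits == 0o7 else "needs-rwx"
        elif not bits & 0o1:
            verdict = "blocked"    # no search permission: access denied below here
        elif bits & 0o4:
            verdict = "listable"   # traversal works, but contents can be enumerated
        else:
            verdict = "ok"         # execute-only: traverse without listing
        findings.append((os.path.relpath(directory, root), verdict))
    return findings

def demo():
    """Constructed tree mirroring share1/dir1/user3 from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share1")
        dir1 = os.path.join(share, "dir1")
        target = os.path.join(dir1, "user3")
        os.makedirs(target)
        os.chmod(target, 0o777)
        st = os.stat(share)
        uid, gids = st.st_uid + 1, {st.st_gid + 1}  # hypothetical user3: not owner, not in group
        results = []
        for mode in (0o770, 0o771):  # before and after adding execute for "other"
            os.chmod(share, mode)
            os.chmod(dir1, mode)
            results.append(audit_path(share, target, uid, gids))
    return results
```

`demo()` returns the audit before and after the change; a parent reported as `listable` grants more than the execute-only access the message describes.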
[Samba] custom permission for single user deep in tree where he has no access
Hello all,

Got samba with AD integration and extended ACL up and running.

Here is what I am trying to do.

share1 in smb.conf:
[share1]
    comment = share1
    path = /mnt/data/share1
    public = no
    writable = yes
    printable = no
    valid users = @DOMAIN+group1

user1 and user2 are members of group1
user3 is not

user1 creates \\server\share1\dir1\user3
user1 grants permission only on the user3 directory to user3, not on any parent directories

according to what I experienced with a windows file server, user3 should be able to access this folder on:
\\server\share1\dir1\user3

But I get access denied with this samba setup.

Are there any configuration directives I am missing?

Kind regards,
Coert Waagmeester

PS HERE is my smb.conf:

#=== Global Settings =
[global]
    workgroup = DOMAIN
    server string = DOMAIN File server

# --- Logging Options -
    log file = /var/log/samba/log.%m
    max log size = 50

# --- Domain Members Options
    security = domain
    passdb backend = tdbsam
    realm = DOMAIN.LOCAL
    winbind enum users = Yes
    winbind enum groups = Yes
    ;winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap config * : range = 6000-2
    idmap config * : backend = tdb
    ;idmap uid = 6000-2
    ;idmap gid = 6000-2
    ;template primary group = Domain Users
    template shell = /sbin/nologin
    template homedir = /mnt/data/DOMAIN/home/%D/%U
    root preexec = /usr/local/sbin/mkhomedir.sh %D %U
;   password server = NT-Server-Name

# --- Printing Options -
    load printers = yes
    cups options = raw
;   printcap name = /etc/printcap
    #obtain list of printers automatically on SystemV
;   printcap name = lpstat
;   printing = cups

# --- Filesystem Options ---
    map archive = yes
    map hidden = yes
    map read only = yes
    map system = yes
    store dos attributes = yes

# Share Definitions ==
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0700
    directory mask = 0700

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[share1]
    comment = share1
    path = /mnt/data/share1
    public = no
    writable = yes
    printable = no
;   write list = +staff
    valid users = @DOMAIN+group1, DOMAIN+user3