

This blog posting is the third in a series that will help you to prepare for the new version 3.0 of the LPIC-3 Mixed Environments exam.

# Smbconf review series

In the previous posts we set up a virtual lab, installed Samba, and set up an Active Directory domain. The lab also contains a file server as a domain member. This week's posting is all about the file server's share configuration.

To get started, let's review how shares are declared. Usually, each share is a dedicated section in the smb.conf file. The name of the share is the section name surrounded by square brackets. Within each file share, the path option specifies what part of the server's file system is accessible through the share. After every change, run testparm to check the syntax and to see the effective values. Keep in mind that smb.conf only knows comment lines starting with ; or #: anything following a value on the same line becomes part of that value.

Let's first of all determine who can connect to the share at all. The smb.conf options valid users and invalid users are the initial doorman deciding who can connect. If valid users is set, only the listed users and groups may connect at all, and a user listed in invalid users is rejected even if they also match valid users. Try to configure a share to allow or reject connections from specific users and test that the users are connected or rejected as expected, for example with smbclient. Remember the notation of users mapped from your domain (DOMAIN\user with the default winbind separator, or just the user name when winbind use default domain is set) as well as the ability to specify groups in these options using the @group notation.

Once a user is connected, access to the individual files requires further permissions. These permissions are managed in multiple layers. First of all, Samba uses the read list and write list options in smb.conf to determine which users have which kind of access in general: a user in the read list never gets write access, whatever read only says, and a user in both lists gets write access. Once a user passes this hurdle, the access to a specific file is subject to file system permissions. The simplest form of these permissions are the classic file ownership and permissions, as managed by chown and chmod. When accessing a share, Samba uses the identity of the user connected to the share to perform operations on the Linux file system. Thanks to ID mapping on the file server, each domain user has an equivalent in the Linux file server's user database.

When multiple users access the same share, they might end up creating files they cannot mutually access, because each file belongs to the user who created it and its permissions cover only the owning user and group. An easy way to force a standard owner and permissions is to use the smb.conf options create mask / create mode, directory mask / directory mode, force create mode, force directory mode, force user, and force group / group, which manage the ownership and permissions of files stored in a share independently of the connecting user. Be aware that force user makes every file operation on the share run as that account, so it is only as safe as the doorman in front of it; for a team share, force group is usually all you need. If you would like to practice, create a file share for your accounting department and grant several users access to it. Now configure the share to enforce that all files belong to the same group (maybe create an accounting group in your AD and add the users) and that all files are writable by the group.

More complex than classic Unix permissions, Access Control Lists (ACLs) allow you to set individual permissions for specific users and groups. Linux uses Extended POSIX ACLs, which are managed by getfacl and setfacl; a default ACL set on a directory is inherited by the files and directories created below it. Adapt the previous example by creating another share that uses ACLs to grant access to all group members, without Samba enforcing any specific ownership and permissions. Review the smb.conf option inherit acls and enable it if necessary: without it, the Unix mode Samba derives from create mask is applied to the inherited ACL and clips its mask, so group members may end up with less access than the default ACL promises. The Samba wiki contains more information about POSIX ACLs on file shares.
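To see how the layers described above (the valid users / invalid users doorman, read list / write list against read only, and the create mask / force mode arithmetic) interact for the accounting share, here is an added example that is not part of the original post and not Samba's own code: a small Python model of the documented semantics, driven by a constructed smb.conf fragment. The share name, path, account and group names, and the Unix group memberships are assumptions; domain prefixes are left out, as they would be with winbind use default domain = yes.

```python
"""Model of Samba's share-access layers, driven by an smb.conf fragment.
Added example re-implementing the smb.conf(5) semantics of valid users /
invalid users, read list / write list / read only and the create mask /
force mode arithmetic. Names, groups and paths are assumptions."""
import re

# Constructed share definition. Comments must be on their own line: Samba
# would treat a trailing ";" or "#" as part of the parameter value.
SMB_CONF = """\
[global]
    workgroup = LAB
    winbind use default domain = yes

[accounting]
    path = /srv/samba/accounting
    ; doorman: the group and the auditor may connect; mallory is rejected
    ; even though mallory is a group member (invalid users wins)
    valid users = @accounting dave
    invalid users = mallory
    ; access level: the group writes, the auditor only reads
    read only = yes
    write list = @accounting
    read list = dave
    ; every file created through the share is group-owned and group-writable
    force group = accounting
    create mask = 0660
    force create mode = 0660
    directory mask = 0770
    force directory mode = 0770
"""

# Constructed view of the file server's user database after ID mapping.
LAB_USERS = {"alice": {"accounting"}, "bob": {"accounting"}, "carol": set(),
             "dave": {"audit"}, "mallory": {"accounting"}}

# smb.conf(5) defaults for the parameters used below.
DEFAULTS = {"readonly": "yes", "createmask": "0744", "forcecreatemode": "0",
            "directorymask": "0755", "forcedirectorymode": "0"}


def canon(name):
    """Parameter names match case-insensitively and ignoring spaces."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {canonical parameter: value}}; later entries win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        key, _, value = line.partition("=")
        key, value = canon(key), value.strip()
        if key in ("writeable", "writable"):  # synonyms: the inverse of read only
            key, value = "readonly", "no" if as_bool(value) else "yes"
        current[key] = value
    return sections


def param(share, name):
    return share.get(canon(name), DEFAULTS.get(canon(name), ""))


def in_user_list(user, groups, entries):
    """@name, +name and &name entries name a group (Samba also consults NIS
    netgroups for @ and &; both are plain Unix groups here), others a user."""
    lowered = {g.lower() for g in groups}
    for entry in re.split(r"[\s,]+", entries.strip()):
        if entry and entry[0] in "@+&" and entry[1:].lower() in lowered:
            return True
        if entry and entry[0] not in "@+&" and entry.lower() == user.lower():
            return True
    return False


def can_connect(share, user, groups):
    """Doorman: invalid users beats valid users; empty valid users admits all."""
    if in_user_list(user, groups, param(share, "invalid users")):
        return False
    valid = param(share, "valid users")
    return not valid or in_user_list(user, groups, valid)


def access_level(share, user, groups):
    """'none', 'read' or 'write': write list beats read list beats read only."""
    if not can_connect(share, user, groups):
        return "none"
    if in_user_list(user, groups, param(share, "write list")):
        return "write"
    if in_user_list(user, groups, param(share, "read list")):
        return "read"
    return "read" if as_bool(param(share, "read only")) else "write"


def new_mode(share, requested, directory=False):
    """Mode of a new object: (requested AND mask) OR force mode."""
    mask = param(share, "directory mask" if directory else "create mask")
    force = param(share, "force directory mode" if directory else "force create mode")
    return (requested & int(mask, 8)) | int(force, 8)


def new_owner(share, user, groups):
    """(owner, group) of a new file; None means the user's own primary group.
    force user makes every connected user act as that account on disk."""
    owner = param(share, "force user") or user
    group = param(share, "force group")
    if group.startswith("+"):  # "+group": only for users already in the group
        group = group[1:] if group[1:] in groups else ""
    return owner, group or None


if __name__ == "__main__":
    share = parse_smb_conf(SMB_CONF)["accounting"]
    for name, groups in LAB_USERS.items():
        print(f"{name:8s} {access_level(share, name, groups):5s} "
              f"new file owned by {new_owner(share, name, groups)}")
    print(f"file mode {new_mode(share, 0o644):04o}, "
          f"directory mode {new_mode(share, 0o755, True):04o}")
```

Running the script lists alice and bob with write access, dave with read access, and carol and mallory rejected at the door; every file arrives as 0660 owned by the accounting group, which is exactly the behaviour the exercise asks you to verify with smbclient and ls -l on the server.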

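For the ACL variant of the share and the note on inherit acls, the following added example (not from the original post, and not Samba or libacl code) models two things in Python: the access check from acl(5), and the kernel rule that applies a directory's default ACL to a newly created file by ANDing the creation mode into the owner, mask and other entries. The getfacl output, the directory path, the users and their groups are constructed; the assumption that Samba passes 0644 for a plain file without inherit acls and 0777 with it follows the smb.conf(5) description of that option.

```python
"""POSIX ACL check and default-ACL inheritance for an ACL-based share.
Added example modelling acl(5) and the kernel's inheritance rule to show
why inherit acls matters. Paths, names and groups are assumptions."""
R, W, X = 4, 2, 1

# Constructed getfacl output for the share root after
#   setfacl -m g:accounting:rwx -d -m g:accounting:rwx /srv/samba/projects
PROJECTS_ACL = """\
# file: srv/samba/projects
# owner: root
# group: root
user::rwx
group::r-x
group:accounting:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:accounting:rwx
default:mask::rwx
default:other::r-x
"""


def bits(perms):
    return (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)


def parse_getfacl(text):
    """Return (access_acl, default_acl), lists of (tag, qualifier, bits)."""
    access, default = [], []
    for line in text.splitlines():
        line, target = line.strip(), access
        if not line or line.startswith("#"):
            continue
        if line.startswith("default:"):
            line, target = line[len("default:"):], default
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, bits(perms)))
    return access, default


def entry(acl, tag, qualifier=""):
    return next((p for t, q, p in acl if t == tag and q == qualifier), None)


def inherit(default_acl, mode):
    """Access ACL of a new object below a directory with a default ACL: the
    default entries are copied and the creation mode is ANDed into user::,
    mask:: (group:: if there is no mask) and other::. No umask applies."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = entry(default_acl, "mask") is not None
    result = []
    for tag, qualifier, perms in default_acl:
        if tag == "user" and qualifier == "":
            perms &= owner
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            perms &= group
        elif tag == "other":
            perms &= other
        result.append((tag, qualifier, perms))
    return result


def permits(acl, owner, owning_group, user, groups, want):
    """acl(5) algorithm: owner, then named user, then any matching group entry
    (owning or named), then other. The mask limits all but owner and other."""
    mask = entry(acl, "mask")
    mask = R | W | X if mask is None else mask
    if user == owner:
        return (want & ~entry(acl, "user")) == 0
    named = entry(acl, "user", user)
    if named is not None:
        return (want & ~(named & mask)) == 0
    group_perms = [p for t, q, p in acl if t == "group"
                   and (q in groups or (q == "" and owning_group in groups))]
    if group_perms:
        return any((want & ~(p & mask)) == 0 for p in group_perms)
    return (want & ~entry(acl, "other")) == 0


def effective(acl, tag, qualifier=""):
    """Permission after the mask, as getfacl's '#effective:' column shows it."""
    mask, perms = entry(acl, "mask"), entry(acl, tag, qualifier)
    if mask is None or (tag in ("user", "other") and qualifier == ""):
        return perms
    return perms & mask


def new_file_acl(inherit_acls, share_mode=0o644):
    """ACL of a file alice creates through the share. Without inherit acls the
    create mask result is used (assumed 0644); with inherit acls = yes Samba
    passes 0777 per smb.conf(5), so the default ACL survives unclipped."""
    _, default_acl = parse_getfacl(PROJECTS_ACL)
    return inherit(default_acl, 0o777 if inherit_acls else share_mode)


if __name__ == "__main__":
    bob = {"domain users", "accounting"}
    for flag in (False, True):
        acl = new_file_acl(flag)
        print(f"inherit acls = {'yes' if flag else 'no'}: accounting effective "
              f"{effective(acl, 'group', 'accounting'):o}, bob may write: "
              f"{permits(acl, 'alice', 'domain users', 'bob', bob, R | W)}")
```

The point the model makes is the one getfacl shows as "#effective:" on a real server: the default ACL grants the accounting group rwx, but a file created with mode 0644 inherits a mask of r--, so bob cannot write to what alice created until inherit acls = yes stops Samba's create mask from clipping the mask.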