[Samba] Dir ACL through windows and chmod
it at mdsdnr.ru
Wed Apr 12 08:26:15 UTC 2017
Samba-4.3.5, Debian
smb.conf
===
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
idmap config * : backend = tdb
idmap config * : range = 2000-10000
idmap config * : backend = rid
idmap config * : range = 300000-400000
# idmap config WG : backend = ad
# idmap config WG : range = 300000-400000
# idmap config WG : schema_mode = rfc2307
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
max log size = 1000
log level = 5 vfs:1
syslog = 5
load printers = no
printing = bsd
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
#======================= Share Definitions =======================
[n]
comment = File share
path = /mnt/n
read only = no
valid users = @"Domain Users" @"Domain Admins" @all
admin users = admin @it
# inherit acls = yes
force create mode = 0777
directory mask = 0770
hide unreadable = yes
===
getfacl /mnt/n/01
===
# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx #effective:---
default:user:u01:rwx #effective:---
default:group::---
default:group:g01:rwx #effective:---
default:mask::---
default:other::---
===
I need folders to be seen (and accessed) only by the appropriate
domain groups. For example, there are domain groups g01, g02, g03, etc.;
users in these groups have to see only "their" folders: u01 -
\\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03.
This is done by "hide unreadable = yes" in smb.conf, by granting access
(using the "Security" tab in the Windows folder rights) for a concrete group to
a concrete directory and then chmod'ing this folder to 0770. But if I then
modify the ACLs again through "Security" (for example, adding another
group's access to the folder), Samba sets 0777 on this folder and it becomes
"visible" to all others, and I have to set 0770 again on the Samba server.
This seems to work, but:
- it is not good for Windows admins, who should only have to know about the "Security"
tab in the folder rights;
- mixing ACLs with Unix rights makes a mess and does not seem the right way to
solve the task.
What is the "right way" to do such a task?
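As an added example (not part of the original post), a small POSIX shell audit an admin can run on the share root to list directories whose "other" permission bits are set (exactly the state that makes a folder visible to everyone despite "hide unreadable = yes") and to re-restrict them without touching the owner/group bits or the POSIX ACL entries Samba wrote. The share root and directory names below are constructed for the demo.

```shell
#!/bin/sh
# Audit helper for a Samba share where "hide unreadable = yes" is relied on:
# any directory with an "other" bit set is listable/enterable by every user.

# Print (sorted) top-level directories under $1 that have any "other" bit set.
# POSIX find: "-perm -o=r" matches when the other-read bit is set.
world_open_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | sort
}

# Clear the "other" bits on every top-level directory under $1; owner/group
# bits and POSIX ACL entries (user:u01:rwx, group:g01:rwx, ...) are left alone.
restrict_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        chmod o-rwx "$d"
    done
}

# Constructed sample tree mimicking the post: 01 is correctly 0770, 02 is
# what the poster saw after an ACL edit from the Security tab (0777).
make_sample_share() {
    root=$(mktemp -d) || return 1
    mkdir "$root/01" "$root/02"
    chmod 0770 "$root/01"
    chmod 0777 "$root/02"
    printf '%s\n' "$root"
}

main() {
    root=$(make_sample_share)
    echo "World-visible directories before fix:"
    world_open_dirs "$root"          # prints .../02
    restrict_dirs "$root"
    echo "World-visible directories after fix:"
    world_open_dirs "$root"          # prints nothing
    rm -rf "$root"
}

main "$@"
```

Run it as a cron job or after Windows-side ACL edits to catch folders that were silently reopened to "other".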