[Samba] Samba permissions

Kyle Loree kyle at caisnet.com
Tue May 27 19:58:14 GMT 2003

curtis at npc-usa.com writes:
>  Well, I thought I knew Samba permissions, but I guess I don't.
>Currently, any user that has an account on the Samba server has access 
>to the share "Accounting".
>So, let's say I have user1, user2, user3, user4
>I have added user1, user2 and user3 to the accounting group.  user4 is 
>not a member of accounting.
>On the server itself (not for Samba), I set up permissions for the 
>folder as 774 for all directories and files therein.  User/group 
>permission are set as admin.accounting
>The samba section for this share reads:
>	comment = Accounting
>	path = /home/accounting
>	read only = No
>	create mask = 0770
>	force create mode = 0770
>	security mask = 0770
>	directory mask = 0770
>	force directory mode = 0770
>	directory security mask = 0770
>	inherit permissions = Yes
>If any local user access this share, they also automatically become part 
>of the accounting group (as far as samba is concerned).
>Now, if I add a line "valid users = user1, user2, user 3" then of 
>course, just they can get in. But that doesn't seem to be the right 
>solution.  The right solution would be to permit only accounting group 
>users into the folder.  What am I doing wrong?
>Curtis Vaughan
>North Pacific Corporation
>WashTech (CWA Local 37083)
>IWW x353203
>To unsubscribe from this list go to the following URL and read the
>instructions:  http://lists.samba.org/mailman/listinfo/samba

I have a share setup to allow only a specific group.
	path = /Volumes/iRAID/projects
	public = NO
	read only = NO
	comment = Project Files
	force directory mode = 0770
	force create mode = 0770	
	valid users = @projects

the valid users = @group makes it so that the user must be in that
specific group to enter. 
It is in the smb.conf manual.
try man smb.conf or find it on your mirror of samba.org 

>> snip
valid users (S)

    This is a list of users that should be allowed to login to this
service. Names starting with '@', '+' and '&' are interpreted using the
same rules as described in the invalid users parameter.
    If this is empty (the default) then any user can login. If a username
is in both this list and the invalid users list then access is denied for
that user.
    The current servicename is substituted for %S . This is useful in the
[homes] section.
    See also invalid users
    Default: No valid users list (anyone can login)
    Example: valid users = greg, @pcusers

Kyle Loree
Rendek Communications
Kyle at caisnet.com

More information about the samba mailing list