[Samba] Samba directory level security

Robert LeBlanc robert at leblancnet.us
Tue Oct 6 14:33:34 MDT 2009


We don't use the force user/group option at all. Whoever writes the
file will be the owner. If another user or group should have access to
the file, we specify that using the default ACL option. Another reason
for this is that we can enforce user and group quotas on the Samba
share.

On 10/6/09, Poulter, Dale <dale.poulter at vanderbilt.edu> wrote:
> Robert,
>
> ACLs may be possible.  Do I understand correctly that you only have the one
> share and you still force the user to be the webserver user?
>
> From: Robert LeBlanc [mailto:robert at leblancnet.us]
> Sent: Tuesday, October 06, 2009 9:12 AM
> To: Poulter, Dale
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba directory level security
>
> Is the use of ACLs a possibility? I've explained to someone yesterday how to
> use ACLs in Samba with ADS. It works very well for us and we are doing
> exactly what you want except that we only share out the root (www directory
> in your instance) and control everything using ACLs.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
> On Tue, Oct 6, 2009 at 7:03 AM, Poulter, Dale
> <dale.poulter at vanderbilt.edu> wrote:
> Good morning all,
>
> We are moving our web server from Novell to Unix (Solaris) and will be using
> Samba to allow users to edit web pages.  Our Samba instance authenticates
> using ADS and the users do not necessarily have accounts on the server
> itself.  We are attempting to allow users to map a single Samba share but
> only see the directories they have read access to (see configuration below).
> Any suggestions?
>
>
> We have
>
> /www (main share)
> /www/dir1
> /www/dir2
> /www/dir3
>
> everyone should map to /www
>
> group should see something like
> dir1
> dir2
> dir3
>
> group2
> dir1
> dir2
>
>
> [www]
>       path = /www
>       read only = yes
>       browseable = no
>       guest ok = no
>       write list= @Domain\All_Editors
>       public = no
>       force user=web
>       hide unreadable=yes
> [dir1]
>       path = /www/dir1
>       read only = no
>       browseable = no
>       guest ok = no
>       write list= @Domain\DIR1_Editors
>       public = no
>       force user=web
>       hide unreadable=yes
>
> --Dale
>
> ---------------------------------------
> Dale Poulter
> Automation Coordinator
> Library Information Technology Services
> Vanderbilt University
> Suite 700
> 110 21st Avenue South
> Nashville, TN  37240
> (615)343-5388
> (615)343-8834 (fax)
> (615)207-9705 (cell)
> dale.poulter at vanderbilt.edu
>


-- 

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
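
An added example, not part of the original message or anyone's actual configuration, of the setup described at the top of this reply: a single share at /www with no force user, and per-directory visibility handled by filesystem ACLs. The group names group1 and group2 (standing in for the two example groups in the question), the inherit acls line, the use of web as the web server account, and the GNU/Linux setfacl syntax shown in the comments are assumptions; Solaris uses a different setfacl syntax.

```ini
# smb.conf: one share at the web root, no per-directory shares, no "force user".
[www]
    path = /www
    browseable = no
    guest ok = no
    read only = yes
    write list = @"Domain\All_Editors"
    # No "force user" line: files stay owned by whoever writes them,
    # so user and group quotas on the share keep working.
    # Directories the connected user cannot read are left out of listings.
    hide unreadable = yes
    # Honour the parent directory's default ACL when files are created.
    inherit acls = yes

# Filesystem side, run once as root (assumed GNU/Linux setfacl syntax).
# The first command in each pair sets the access ACL on the directory,
# the second sets the default ACL that new files and subdirectories inherit.
#
#   dir1 and dir2: visible to group1 and group2
#     for d in /www/dir1 /www/dir2; do
#         setfacl -m    g:group1:rwx,g:group2:rwx,u:web:rx,o::--- "$d"
#         setfacl -d -m g:group1:rwx,g:group2:rwx,u:web:rx,o::--- "$d"
#     done
#
#   dir3: visible to group1 only
#     setfacl -m    g:group1:rwx,u:web:rx,o::--- /www/dir3
#     setfacl -d -m g:group1:rwx,u:web:rx,o::--- /www/dir3
#
# Check the result with:
#     getfacl /www/dir1 /www/dir3
#
# With "other" stripped of access, a member of group2 who maps the share
# has no read permission on dir3, so "hide unreadable" drops it from the
# listing. The u:web:rx entry keeps the content readable by the web server.
```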
