[Samba] custom permission for single user deep in tree where he has no access

Coert Waagmeester lgroups at waagmeester.co.za
Tue Jun 18 03:06:30 MDT 2013



On 2013/06/11 09:56 AM, Coert Waagmeester wrote:
> Hello all,
>
> Got samba with AD integration and extended ACL up and running.
>
> Here is what I am trying to do.
>
> share1 in smb.conf:
>          [share1]
>          comment = share1
>          path = /mnt/data/share1
>          public = no
>          writable = yes
>          printable = no
>          valid users = @DOMAIN+group1
>
> user1 and user2 are members of group1
> user3 is not
>
> user1 creates \\server\share1\dir1\user3
> user1 grants permission only on the user3 directory to user3, not on any
> parent directories
>
> according to what I experienced with a windows file server, user3 should
> be able to access this folder on:
> \\server\share1\dir1\user3
>
> But I get access denied with this samba setup.
>
> Are there any configuration directives I am missing?
>
> Kind regards,
> Coert Waagmeester
>
> PS HERE is my smb.conf:
> #======================= Global Settings =====================================
> [global]
>          workgroup = DOMAIN
>          server string = DOMAIN File server
> # --------------------------- Logging Options -----------------------------
>          log file = /var/log/samba/log.%m
>          max log size = 50
> # ----------------------- Domain Members Options ------------------------
>          security = domain
>          passdb backend = tdbsam
>          realm = DOMAIN.LOCAL
>
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          ;winbind use default domain = Yes
>          winbind nested groups = Yes
>          winbind separator = +
>          idmap config * : range = 6000-20000
>          idmap config * : backend = tdb
>          ;idmap uid = 6000-20000
>          ;idmap gid = 6000-20000
>          ;template primary group = "Domain Users"
>          template shell = /sbin/nologin
>          template homedir = /mnt/data/DOMAIN/home/%D/%U
>          root preexec = /usr/local/sbin/mkhomedir.sh %D %U
> ;       password server = <NT-Server-Name>
> # --------------------------- Printing Options -----------------------------
>          load printers = yes
>          cups options = raw
> ;       printcap name = /etc/printcap
>          #obtain list of printers automatically on SystemV
> ;       printcap name = lpstat
> ;       printing = cups
> # --------------------------- Filesystem Options ---------------------------
>         map archive = yes
>         map hidden = yes
>         map read only = yes
>         map system = yes
>         store dos attributes = yes
> #============================ Share Definitions ==============================
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
>          create mask = 0700
>          directory mask = 0700
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          browseable = no
>          guest ok = no
>          writable = no
>          printable = yes
>
> [share1]
>          comment = share1
>          path = /mnt/data/share1
>          public = no
>          writable = yes
>          printable = no
>          ;write list = +staff
>          valid users = @DOMAIN+group1, DOMAIN+user3

Hello all,

Found out how to solve this.
On the tree to the directory where the user needs access, he needs UNIX 
execute permission.

This works well so far; he cannot read or list anything apart from the 
directory in the tree where he needs rw access.

Regards,
Coert Waagmeester
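The fix above (execute, but not read, on every ancestor directory) can be applied with POSIX ACLs so that only the one user gets the traverse right and the rest of group1's permissions stay untouched. The script below is an added example, not the poster's own commands. It assumes a filesystem with POSIX ACLs enabled, the acl tools installed, and the winbind name DOMAIN+user3 with the "+" separator from the posted smb.conf; the share path /mnt/data/share1 and the dir1/user3 layout are the ones from the post. The first function prints the setfacl invocations for that layout (it does not run them, so the script needs no root). The second builds a scratch tree and strips read from an ancestor with plain mode bits, as the current user, to show what "x without r" allows (looking up and reading a known path) and denies (listing the ancestor). Note that root bypasses these checks (CAP_DAC_READ_SEARCH), so the demo reports that case instead of a false negative.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: POSIX ACL support, setfacl/getfacl installed,
# winbind user name DOMAIN+user3, share path /mnt/data/share1.

# Print the ACL commands for the layout in the post: traverse-only
# (--x) on each ancestor, rwx plus a default entry on the leaf.
# setfacl -m recalculates the mask entry unless -n is given, so the
# named-user entry is effective without a separate mask edit.
show_acl_commands() {
    share=${1:-/mnt/data/share1}
    user=${2:-DOMAIN+user3}
    printf 'setfacl -m u:%s:--x %s\n' "$user" "$share"
    printf 'setfacl -m u:%s:--x %s/dir1\n' "$user" "$share"
    printf 'setfacl -m u:%s:rwx -m d:u:%s:rwx %s/dir1/user3\n' "$user" "$user" "$share"
    # Show the resulting entries and the effective mask for verification.
    printf 'getfacl -p %s/dir1/user3\n' "$share"
}

# Demonstrate the traversal semantics as the current user with mode bits:
# remove read from dir1 but keep execute, then probe through it.
# Prints "traverse-ok" when the leaf file is readable but dir1 cannot be
# listed, "skipped-root" when running as root (DAC is bypassed), else "fail".
demo_traverse_only() {
    if [ "$(id -u)" = 0 ]; then
        echo skipped-root
        return 0
    fi
    top=$(mktemp -d) || return 1
    mkdir -p "$top/dir1/user3"
    echo secret > "$top/dir1/user3/file.txt"   # constructed sample file
    chmod u=rwx "$top/dir1/user3"
    chmod u=x "$top/dir1"                       # execute only: pass through, no listing
    result=fail
    if ! ls "$top/dir1" >/dev/null 2>&1 &&
       [ "$(cat "$top/dir1/user3/file.txt" 2>/dev/null)" = secret ]; then
        result=traverse-ok
    fi
    chmod u=rwx "$top/dir1"                     # restore so cleanup can remove it
    rm -rf "$top"
    echo "$result"
}

show_acl_commands
demo_traverse_only
```

The share-level check still applies on top of the filesystem ACL: the posted smb.conf lists DOMAIN+user3 in `valid users` for [share1], and without that entry Samba refuses the connection before any directory permission is consulted.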

