[Samba] custom permission for single user deep in tree where he has no access

Andrew Bartlett abartlet at samba.org
Sat Jun 22 01:06:02 MDT 2013


On Tue, 2013-06-18 at 11:06 +0200, Coert Waagmeester wrote:
> 
> On 2013/06/11 09:56 AM, Coert Waagmeester wrote:
> > Hello all,
> >
> > Got samba with AD integration and extended ACL up and running.
> >
> > Here is what I am trying to do.
> >
> > share1 in smb.conf:
> >          [share1]
> >          comment = share1
> >          path = /mnt/data/share1
> >          public = no
> >          writable = yes
> >          printable = no
> >          valid users = @DOMAIN+group1
> >
> > user1 and user2 are members of group1
> > user3 is not
> >
> > user1 creates \\server\share1\dir1\user3
> > user1 grants permission only on the user3 directory to user3, not on any
> > parent directories
> >
> > according to what I experienced with a windows file server, user3 should
> > be able to access this folder on:
> > \\server\share1\dir1\user3
> >
> > But I get access denied with this samba setup.
> >
> > Are there any configuration directives I am missing?
> >
> > Kind regards,
> > Coert Waagmeester
> >
> > PS HERE is my smb.conf:
> > #======================= Global Settings =====================================
> > [global]
> >          workgroup = DOMAIN
> >          server string = DOMAIN File server
> > # --------------------------- Logging Options -----------------------------
> >          log file = /var/log/samba/log.%m
> >          max log size = 50
> > # ----------------------- Domain Members Options ------------------------
> >          security = domain
> >          passdb backend = tdbsam
> >          realm = DOMAIN.LOCAL
> >
> >          winbind enum users = Yes
> >          winbind enum groups = Yes
> >          ;winbind use default domain = Yes
> >          winbind nested groups = Yes
> >          winbind separator = +
> >          idmap config * : range = 6000-20000
> >          idmap config * : backend = tdb
> >          ;idmap uid = 6000-20000
> >          ;idmap gid = 6000-20000
> >          ;template primary group = "Domain Users"
> >          template shell = /sbin/nologin
> >          template homedir = /mnt/data/DOMAIN/home/%D/%U
> >          root preexec = /usr/local/sbin/mkhomedir.sh %D %U
> > ;       password server = <NT-Server-Name>
> > # --------------------------- Printing Options -----------------------------
> >          load printers = yes
> >          cups options = raw
> > ;       printcap name = /etc/printcap
> >          #obtain list of printers automatically on SystemV
> > ;       printcap name = lpstat
> > ;       printing = cups
> > # --------------------------- Filesystem Options ---------------------------
> >         map archive = yes
> >         map hidden = yes
> >         map read only = yes
> >         map system = yes
> >         store dos attributes = yes
> > #============================ Share Definitions ==============================
> > [homes]
> >          comment = Home Directories
> >          browseable = no
> >          writable = yes
> >          create mask = 0700
> >          directory mask = 0700
> > [printers]
> >          comment = All Printers
> >          path = /var/spool/samba
> >          browseable = no
> >          guest ok = no
> >          writable = no
> >          printable = yes
> >
> > [share1]
> >          comment = share1
> >          path = /mnt/data/share1
> >          public = no
> >          writable = yes
> >          printable = no
> >          ;write list = +staff
> >          valid users = @DOMAIN+group1, DOMAIN+user3
> 
> Hello all,
> 
> Found out how to solve this.
> On the tree to the directory where the user needs access, he needs UNIX 
> execute permission.
> 
> This works well so far, he cannot read or list anything apart from the 
> directory in the tree where he needs rw access.

That is the correct unix way of doing this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
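The fix Coert describes (execute, i.e. search, permission on every directory above the one the user needs) as an added example, not code from this thread or from Samba: a small Python model of the per-component check the kernel runs when Samba opens a path, using the thread's share1/dir1/user3 layout as constructed data. `Node`, `has_access` and `path_access` are my own names; the share-level `valid users` check is a separate gate that must still admit user3, as the posted smb.conf already does.

```python
"""Model the POSIX/ACL checks the kernel applies while Samba walks a path."""
from typing import Dict, List, Optional, Tuple

R, W, X = 4, 2, 1  # read, write, execute (search on a directory)

class Node:
    """A directory: owner, owning group, mode, named-user ACL entries, ACL mask."""
    def __init__(self, owner: str, group: str, mode: int,
                 acl_users: Optional[Dict[str, int]] = None, mask: int = 7):
        self.owner, self.group, self.mode = owner, group, mode
        self.acl_users, self.mask = acl_users or {}, mask

def has_access(node: Node, user: str, groups: List[str], want: int) -> bool:
    """acl(5) order: owner, then named user (masked), then group class, then other."""
    u, g, o = (node.mode >> 6) & 7, (node.mode >> 3) & 7, node.mode & 7
    if user == node.owner:
        return want & u == want
    if user in node.acl_users:
        return want & node.acl_users[user] & node.mask == want
    if node.group in groups:
        return want & g & node.mask == want
    return want & o == want

def path_access(tree: Dict[str, Node], path: str, user: str,
                groups: List[str], want: int) -> Tuple[bool, Optional[str]]:
    """Each ancestor needs X (search); only the last component needs `want`.
    Returns (allowed, first component that refused)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        sub = "/" + "/".join(parts[:i])
        if not has_access(tree[sub], user, groups, want if i == len(parts) else X):
            return False, sub
    return True, None

def build_tree(fixed: bool) -> Dict[str, Node]:
    """Constructed from the thread: group1 owns share1/dir1, user3 is not a member.
    fixed=True adds the search-only entry on each ancestor (setfacl -m u:user3:--x)."""
    search_only = {"user3": X} if fixed else {}
    return {
        "/share1": Node("root", "group1", 0o770, dict(search_only)),
        "/share1/dir1": Node("user1", "group1", 0o770, dict(search_only)),
        "/share1/dir1/user3": Node("user1", "group1", 0o770, {"user3": R | W | X}),
    }

def demo() -> Tuple[Tuple[bool, Optional[str]], ...]:
    """user3 before the fix, after the fix, and trying to list dir1 after the fix."""
    return (path_access(build_tree(False), "/share1/dir1/user3", "user3", [], R | W),
            path_access(build_tree(True), "/share1/dir1/user3", "user3", [], R | W),
            path_access(build_tree(True), "/share1/dir1", "user3", [], R))
```

The third result shows why this stays tight: a search-only entry lets user3 pass through dir1 but not read its listing, which matches what Coert observed.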