[Samba] custom permission for single user deep in tree where he has no access
Andrew Bartlett
abartlet at samba.org
Sat Jun 22 01:06:02 MDT 2013
On Tue, 2013-06-18 at 11:06 +0200, Coert Waagmeester wrote:
>
> On 2013/06/11 09:56 AM, Coert Waagmeester wrote:
> > Hello all,
> >
> > Got samba with AD integration and extended ACL up and running.
> >
> > Here is what I am trying to do.
> >
> > share1 in smb.conf:
> > [share1]
> > comment = share1
> > path = /mnt/data/share1
> > public = no
> > writable = yes
> > printable = no
> > valid users = @DOMAIN+group1
> >
> > user1 and user2 are members of group1
> > user3 is not
> >
> > user1 creates \\server\share1\dir1\user3
> > user1 grants permission only on the user3 directory to user3, not on any
> > parent directories
> >
> > according to what I experienced with a windows file server, user3 should
> > be able to access this folder on:
> > \\server\share1\dir1\user3
> >
> > But I get access denied with this samba setup.
> >
> > Are there any configuration directives I am missing?
> >
> > Kind regards,
> > Coert Waagmeester
> >
> > PS HERE is my smb.conf:
> > #======================= Global Settings =====================================
> > [global]
> > workgroup = DOMAIN
> > server string = DOMAIN File server
> > # --------------------------- Logging Options -----------------------------
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > # ----------------------- Domain Members Options ------------------------
> > security = domain
> > passdb backend = tdbsam
> > realm = DOMAIN.LOCAL
> >
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > ;winbind use default domain = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > idmap config * : range = 6000-20000
> > idmap config * : backend = tdb
> > ;idmap uid = 6000-20000
> > ;idmap gid = 6000-20000
> > ;template primary group = "Domain Users"
> > template shell = /sbin/nologin
> > template homedir = /mnt/data/DOMAIN/home/%D/%U
> > root preexec = /usr/local/sbin/mkhomedir.sh %D %U
> > ; password server = <NT-Server-Name>
> > # --------------------------- Printing Options -----------------------------
> > load printers = yes
> > cups options = raw
> > ; printcap name = /etc/printcap
> > #obtain list of printers automatically on SystemV
> > ; printcap name = lpstat
> > ; printing = cups
> > # --------------------------- Filesystem Options ---------------------------
> > map archive = yes
> > map hidden = yes
> > map read only = yes
> > map system = yes
> > store dos attributes = yes
> > #============================ Share Definitions ==============================
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > create mask = 0700
> > directory mask = 0700
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = no
> > guest ok = no
> > writable = no
> > printable = yes
> >
> > [share1]
> > comment = share1
> > path = /mnt/data/share1
> > public = no
> > writable = yes
> > printable = no
> > ;write list = +staff
> > valid users = @DOMAIN+group1, DOMAIN+user3
>
> Hello all,
>
> Found out how to solve this.
> On the tree to the directory where the user needs access, he needs UNIX
> execute permission.
>
> This works well so far, he cannot read or list anything apart from the
> directory in the tree where he needs rw access.
That is the correct unix way of doing this.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
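As an added illustration of the solution in the thread (this is example code, not something posted by either participant): a POSIX sh helper that plans the ACL entries for the case above, granting the user traverse-only (`--x`) on every directory between the share root and the target and full access only on the target itself. The share root `/mnt/data/share1`, the target `dir1/user3` and the winbind name `DOMAIN+user3` are taken from the thread; the helper assumes the path above the share root is already traversable (typically mode 755) and that the filesystem is mounted with POSIX ACL support.

```shell
#!/bin/sh
# plan_traverse_acl ROOT TARGET USER
# Prints the setfacl commands needed so that USER can reach TARGET through the
# tree under ROOT without being able to read or list any of the parents.
# Nothing is applied; pipe the output to sh once you have reviewed it.
plan_traverse_acl() {
    root=$1 target=$2 user=$3
    # Refuse paths outside the share root: the traversal chain would never end there.
    case "$target" in
        "$root"/*) ;;
        *) echo "target must lie below root" >&2; return 1 ;;
    esac
    # Leaf: read/write/traverse, plus a matching default ACL so files and
    # subdirectories created later inherit the same access.
    printf 'setfacl -m u:%s:rwx -m d:u:%s:rwx %s\n' "$user" "$user" "$target"
    # Every ancestor up to and including the share root gets execute only.
    # That is the "UNIX execute permission on the tree" from the thread: the user
    # may pass through the directory but cannot enumerate it (no r bit).
    dir=$(dirname "$target")
    while :; do
        printf 'setfacl -m u:%s:--x %s\n' "$user" "$dir"
        [ "$dir" = "$root" ] && break
        dir=$(dirname "$dir")
    done
}

# Example (constructed from the thread):
#   plan_traverse_acl /mnt/data/share1 /mnt/data/share1/dir1/user3 DOMAIN+user3
```

After applying the printed commands, `getfacl /mnt/data/share1/dir1` should show `user:DOMAIN+user3:--x`, and a listing of that directory as user3 should still be denied while `cd` into `user3` succeeds.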