[Samba] Using filegroup for access control within a share

Rowland Penny rpenny at samba.org
Wed Feb 10 09:20:40 UTC 2016


On 10/02/16 07:44, Trond Hasle Amundsen wrote:
> On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
>> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
>>> Hi,
>>>
>>> I have an issue with using a UNIX filegroup for access control within a
>>> share. The situation is like this:
>>>
>>> Given a share "test" which exports "/test" to a NIS netgroup "foo", I
>>> want to limit access to the directory "/test/restricted" to a specific
>>> filegroup "bar". All members of the filegroup "bar" are also members of
>>> the netgroup "foo".
>>>
>>> This works fine with Samba 3.x, but not with Samba 4.x. When setting
>>> owner/group to root/bar on "/test/restricted" and mode=770, access is
>>> denied for all users.
>>>
>>> What can I do to make this work with Samba 4.x? Or is this simply not
>>> possible anymore?
>> More details and smb.conf on exactly how you've set this up please!
> Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know
> if more information is needed, or if there is something you'd like me to
> try.
>
> [global]
>          auto services = homes
>          load printers = yes
>          print command = /usr/bin/ppr -r -P%p -J@%m -Xprint_errors=false -u%u@%M -Xsmbclient=true -Xusepstitle=true %s
>          printing = bsd
>          lpq command = /usr/bin/ppq -P%p
>          lpq cache time = 30
>          socket options = SO_KEEPALIVE TCP_NODELAY
>          deadtime = 60
>          unix charset = UTF8
>          unix extensions = no
>          wide links = yes
>          follow symlinks = yes
>          max protocol = SMB3
>          security = ads
>          client ntlmv2 auth = yes
>          lanman auth = no
>          ntlm auth = no
>          server schannel = yes
>          client signing = auto
>          password server = *
>          realm = EXAMPLE.COM
>          workgroup = EXAMPLE
>          disable netbios = yes
>          hostname lookups = yes
>          syslog = 0
>          time server = yes
>          domain logons = no
>
> [homes]
>          comment = Home
>          veto files = /.rsrc/
>          delete veto files = yes
>          nt acl support = no
>          inherit permissions = yes
>          guest ok = no
>          invalid users = root
>          browsable = no
>          read only = no
>          strict locking = no
>
> [test]
>          path = /test
>          create mode = 0774
>          directory mode = 0775
>          browseable = yes
>          public = no
>          guest ok = no
>          read only = no
>          invalid users = root
>          valid users = @foo
>          veto files = /.??*/
>
>
> The directory /test contains:
>
> -rwxrwxr-x. 1 root foo     0 Dec  9 16:26 file1.txt
> -rwxrwxr-x. 1 root foo     0 Dec  9 16:26 file2.txt
> drwxrwx---. 2 root bar    36 Dec  9 16:32 restricted
>
> The group "foo" is both filegroup and netgroup, containing the same
> members. Samba version used is 4.2.3 (rhel7.2).
>
> Regards,

Are you using sssd or nslcd instead of winbind?

Rowland



