[Samba] Standalone server and POSIX ACL issues (new one)

Yvan Masson yvan at masson-informatique.fr
Sat Aug 10 08:43:43 UTC 2019


On 09/08/2019 at 22:32, subscriptions via samba wrote:
> On 8/9/19 3:18 PM, Yvan Masson via samba wrote:
>> Hi list,
>>
>> For testing purposes, I am running a standalone Samba 4.9.5 on Debian
>> with the following smb.conf:
>>
>> [global]
>> server role = standalone server
>> map to guest = Bad User
>> guest account = nobody
>>
>> [test]
>> path = /home/yvan/Partage/share
>> guest ok = yes
>> writable = yes
>> inherit acls = yes
>>
>>
>> I want "bob", "alice" and the guest user to have full access to all files
>> in this share, so I made /home/yvan/share with the following ACL:
>> $ getfacl share
>> # file: share
>> # owner: root
>> # group: root
>> user::rwx
>> user:bob:rwx
>> user:alice:rwx
>> user:nobody:rwx
>> group::r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:bob:rwx
>> default:user:alice:rwx
>> default:user:nobody:rwx
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>>
>> I have two issues with this setup that I could not solve after many 
>> hours:
>>
>> 1. I can mount the share as guest but then can't read its content, 
>> although local access works fine (for example with `$ sudo -u nobody 
>> touch /home/yvan/share/foo`).
>>
>> 2. If user "bob" or "alice" creates a directory or a file, the ACL mask is
>> not "rwx" but "r-x" for directories and "r--" for files (which
>> restricts effective rights). All other ACL entries are correct. Note that when
>> creating files or directories locally, the ACL mask is properly set up to
>> "rwx".
>>
>> Any idea is really welcome!
>>
>> Best regards,
>> Yvan
>>
> Yvan,
> 
> What I do is create two groups. The first group has full access. The other
> group has the normal permissions, besides Bob and Alice.
> 
> I think it gives you better control over the users. They come and go, so
> it's easier to drop them from one group and add them to another.
> 
You are right, using groups is usually the way to go, but I sometimes
need to give access to only some users, unrelated to the groups that may
exist (for example for a particular project or application).

Yvan
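The second issue in the original post comes down to how the POSIX ACL mask works: the mask entry caps the effective rights of named users, named groups and the owning group, while the owner and "other" entries are not affected. The following Python script is an added example for this thread, not code from Samba or from anyone in the discussion. It parses `getfacl` output, applies the mask rule, and reports which principals lose rights. The share ACL is the one quoted in the post; the file ACL is a constructed sample showing the "r--" mask the poster describes on Samba-created files.

```python
"""Compute effective POSIX ACL rights from getfacl(1) output.

Added example for the thread above: models the POSIX.1e rule that the
mask entry caps named user, named group and owning-group entries, but not
the owner (user::) or other:: entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_BITS = (("r", 4), ("w", 2), ("x", 1))


def _perm_bits(s: str) -> int:
    """'rwx'-style string -> 3-bit integer."""
    return sum(val for ch, val in _BITS if ch in s)


def _perm_str(bits: int) -> str:
    """3-bit integer -> 'rwx'-style string."""
    return "".join(ch if bits & val else "-" for ch, val in _BITS)


@dataclass
class AclEntry:
    tag: str         # user, group, mask, other
    qualifier: str   # user/group name for named entries, '' otherwise
    perms: int
    default: bool    # True for default: (inherited) entries

    @property
    def key(self) -> str:
        # Same spelling getfacl uses: 'user::' for owner, 'user:bob' for named.
        return f"{self.tag}:{self.qualifier}" if self.qualifier else f"{self.tag}::"


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse getfacl output; '#' header lines and '#effective:' tails are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()   # strip '#effective:r--' annotations
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, _perm_bits(perms), default))
    return entries


def effective_rights(entries: List[AclEntry], default: bool = False) -> Dict[str, str]:
    """Map entry key -> effective perms for the access ACL (or the default ACL)."""
    acl = [e for e in entries if e.default == default]
    mask: Optional[int] = next((e.perms for e in acl if e.tag == "mask"), None)
    result = {}
    for e in acl:
        # Owning group, named groups and named users are ANDed with the mask.
        capped = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        bits = e.perms & mask if (capped and mask is not None) else e.perms
        result[e.key] = _perm_str(bits)
    return result


def masked_principals(entries: List[AclEntry], default: bool = False) -> List[Tuple[str, str, str]]:
    """(key, granted, effective) for every entry the mask actually restricts."""
    eff = effective_rights(entries, default)
    return [(e.key, _perm_str(e.perms), eff[e.key])
            for e in entries
            if e.default == default and _perm_str(e.perms) != eff[e.key]]


# getfacl output for the share directory, as quoted in the thread.
SHARE_ACL = """\
# file: share
# owner: root
# group: root
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:user:alice:rwx
default:user:nobody:rwx
default:group::---
default:mask::rwx
default:other::---
"""

# Constructed sample: a file whose named entries were inherited but which got
# the "r--" mask the poster reports for files created through Samba.
SAMBA_FILE_ACL = """\
# file: share/report.txt
# owner: bob
# group: root
user::rw-
user:bob:rwx\t\t#effective:r--
user:alice:rwx\t\t#effective:r--
user:nobody:rwx\t\t#effective:r--
group::---
mask::r--
other::---
"""

if __name__ == "__main__":
    for label, text in (("share dir", SHARE_ACL), ("samba file", SAMBA_FILE_ACL)):
        for key, granted, eff in masked_principals(parse_getfacl(text)):
            print(f"{label}: {key} granted {granted} but effective {eff} (mask)")
```

Running it reports nothing for the share directory (mask `rwx` caps nothing) and flags bob, alice and nobody on the constructed file, where the `r--` mask reduces their `rwx` entries to read-only exactly as the poster observed.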


