[Samba] freebsd samba sharing problem hiding folder based upon membership

Andrew Walker walker.aj325 at gmail.com
Wed Apr 28 10:58:16 UTC 2021


On Wed, Apr 28, 2021 at 4:39 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 28/04/2021 09:08, Peter Boos via samba wrote:
> > Hello
> >
> > On a FreeBSD system with samba.
> >
> > How to set a shared directory so that only the users who are allowed to
> > read or modify, can see only that particular directory in which they have
> > those rights
> > So they cannot see other folders listed on this level of the directory.
> > i.e. each user gets a different list of folders shown based upon their
> > group memberships.
> >
> > There is a directory tree shared, for each subfolder a group modifiers
> > and readers, has been made with a group-name based upon their folder.
> >
> > users can be member of some subfolders in the reader or modifier role,
> > and should not see folders listed where they don't have access to.
> >
> >
> > Under windows this is possible (List permissions).
> > Under FreeBSD I had mixed results, usually users see all folders (which
> > I don't want) but can dive only into the folders they have permissions on.
> > Sometimes I added a new user to the root of the share and from that
> > moment on, he saw only his folder + all new folders made after the share
> > was given.
>

Here's a simple example of how to set up ACLs to do this on FreeBSD:

root@homenas[/mnt/dozer/ISO]# getfacl ACLEXAMPLE
# file: ACLEXAMPLE
# owner: root
# group: wheel
      user:isouser:rwxpDdaARWcCos:-------:allow
   group:SMBADMINS:rwxpDdaARWcCos:fd----I:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow

^^^ In the above example, isouser has "full control" on a directory.
Inheritance flags are not set, and so this ACL entry (the top one) will not
be inherited when new objects are created in ACLEXAMPLE.

root@homenas[/mnt/dozer/ISO]# getfacl ACLEXAMPLE/TESTDIR
# file: ACLEXAMPLE/TESTDIR
# owner: root
# group: wheel
   group:SMBADMINS:rwxpDdaARWcCos:fd----I:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow

^^^ Here we see the inherited ACL on ACL/TESTDIR.

root@homenas[/mnt/dozer/ISO]# smbclient //127.0.0.1/ISO_SHARE -U isouser
Enter WORKGROUP\isouser's password:
Try "help" to get a list of possible commands.
smb: \> cd ACLEXAMPLE\
smb: \ACLEXAMPLE\> ls
  .                                   D        0  Thu Apr 22 05:01:07 2021
  ..                                  D        0  Mon Apr 26 10:39:26 2021

4123957985 blocks of size 1024. 4105723303 blocks available

^^^ Authenticate to the share and list the directory as "isouser". User
can't see "TESTDIR".

root@homenas[/mnt/dozer/ISO]# smbclient //127.0.0.1/ISO_SHARE -U smbuser
Enter WORKGROUP\smbuser's password:
Try "help" to get a list of possible commands.
smb: \> cd ACLEXAMPLE\
smb: \ACLEXAMPLE\> ls
  .                                   D        0  Thu Apr 22 05:01:07 2021
  ..                                  D        0  Mon Apr 26 10:39:26 2021
  TESTDIR                             D        0  Thu Apr 22 05:01:07 2021

4123957788 blocks of size 1024. 4105723106 blocks available

^^^ Authenticate to the share and list the directory as the admin user.
User can see "TESTDIR".

The above example doesn't give precisely what you want, but it should give
you a rough formula on how you can make ABE work within a Samba share on
FreeBSD. From a practical standpoint, I recommend using smbclient to verify
access.
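
The following Python is an added example and not part of the original message: it parses the two getfacl listings shown above (embedded as sample text), works out which permissions a given user ends up with on each directory, and lists which parent entries carry the directory-inherit flag. The function names are hypothetical, and smbuser's membership of SMBADMINS is an assumption based on the post calling it the admin user.

```python
# Sample input: the two getfacl listings from the post, embedded as text.
PARENT = """\
# file: ACLEXAMPLE
# owner: root
# group: wheel
      user:isouser:rwxpDdaARWcCos:-------:allow
   group:SMBADMINS:rwxpDdaARWcCos:fd----I:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow
"""
CHILD = """\
# file: ACLEXAMPLE/TESTDIR
# owner: root
# group: wheel
   group:SMBADMINS:rwxpDdaARWcCos:fd----I:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow
"""

def parse_acl(text):
    """Parse FreeBSD getfacl NFSv4 output into (owner, group, entries)."""
    meta, entries = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        else:
            *who, perms, flags, kind = line.split(":")
            entries.append((":".join(who), set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return meta["owner"], meta["group"], entries

def granted(acl, user, groups):
    """Ordered NFSv4 evaluation: the first matching entry that names a bit decides it."""
    owner, group, entries = acl
    ids = {"everyone@", f"user:{user}"} | {f"group:{g}" for g in groups}
    ids |= ({"owner@"} if user == owner else set()) | ({"group@"} if group in groups else set())
    allowed, denied = set(), set()
    for who, perms, flags, kind in entries:
        if who in ids and "i" not in flags:  # 'i' = inherit_only: not applied to this directory
            (allowed if kind == "allow" else denied).update(perms - allowed - denied)
    return allowed

def inherited_by_subdir(acl):  # principals whose entries carry 'd' (directory_inherit)
    return [who for who, _, flags, _ in acl[2] if "d" in flags]

if __name__ == "__main__":
    for user, groups in (("isouser", set()), ("smbuser", {"SMBADMINS"})):  # membership assumed
        print(user, "can read TESTDIR:", "r" in granted(parse_acl(CHILD), user, groups))
```

Run over a real tree, the same check shows which group entries still need adding on each subfolder before confirming the result with smbclient.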

