[Samba] smb.conf group syntax question
Rowland Penny
rpenny at samba.org
Wed Nov 3 09:32:20 UTC 2021
On Wed, 2021-11-03 at 04:17 -0500, Patrick Goetz via samba wrote:
> I have yet to test this with winbind, but if I want to restrict
> access
> to a share to the security group "staff", I think I would do this:
>
> [share]
> comment = Share Directory
> path = /data/share
> guest ok = no
> browseable = yes
> writeable = yes
> create mask = 0770
> directory mask = 0770
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> valid users = @staff
>
> What if I want to restrict access to a group name with spaces in it;
> e.g. domain users?
>
> Would the syntax be
>
> valid users = @"domain users"
No, it wouldn't
>
> or something else?
Use setfacl
>
>
> Also, I think "inherit acls = yes" is unnecessary because I have
> "vfs
> objects = acl_xattr" in the global section, but that's an aside.
You should have both in 'global'
>
> Also, I think the use of "wide links = yes" is discouraged because
> this
> creates security issues? Is it best practice to not include this?
Do you want to give your users the ability to go anywhere on your
system ? I thought not, so do not use it.
Rowland
More information about the samba
mailing list