[Samba] smb.conf group syntax question
Patrick Goetz
pgoetz at math.utexas.edu
Wed Nov 3 10:19:14 UTC 2021
On 11/3/21 05:00, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 04:48 -0500, Patrick Goetz via samba wrote:
>>
>> On 11/3/21 04:32, Rowland Penny via samba wrote:
>>> On Wed, 2021-11-03 at 04:17 -0500, Patrick Goetz via samba wrote:
>>>> I have yet to test this with winbind, but if I want to restrict access
>>>> to a share to the security group "staff", I think I would do this:
>>>>
>>>> [share]
>>>> comment = Share Directory
>>>> path = /data/share
>>>> guest ok = no
>>>> browseable = yes
>>>> writeable = yes
>>>> create mask = 0770
>>>> directory mask = 0770
>>>> inherit acls = yes
>>>> follow symlinks = yes
>>>> wide links = yes
>>>> valid users = @staff
>>>>
>>>> What if I want to restrict access to a group name with spaces in it;
>>>> e.g. domain users?
>>>>
>>>> Would the syntax be
>>>>
>>>> valid users = @"domain users"
>>>
>>> No, it wouldn't
>>>
>>>> or something else?
>>>
>>> Use setfacl
>>>
>>
>> Sorry, I'm not following what you're saying. The suggestion is don't set
>> a "valid users" parameter at all and just use filesystem ACLs to
>> restrict access to the share?
>
> No, not if you are referring to the standard Linux 'ugo' permissions, I
> am referring to extended acls you set with 'setfacl' and read with
> 'getfacl'
>
> Better still is to set the permissions from Windows.
>
I think we're miscommunicating. I'm trying to limit the ability to
mount the share to a particular group of users. ACLs don't come into
play until after the share is mounted.
> Rowland
>
>
>