[Samba] howto achieve 'hide unreadable' for msdfs symlinks
Konrad Jacobi
konrad.jacobi at igp.fraunhofer.de
Tue Apr 16 14:21:29 UTC 2024
hi,
on a samba domain member file server i'm using dfs root shares with
multiple msdfs symlinks pointing to other shares (on the same server),
which works fine. These linked shares have different access rights,
therefore a user might have access to one linked share but not to another.
Is there any option to hide msdfs-symlinks to shares that a user cannot
read? (the same as 'hide unreadable = yes' does for regular files)
Windows Server does support what i need, i'm using calls like this on
windows: 'dfsutil property acl grant \\[server or namespace]\[the link]
[group|user]:RXW protect'. That's also available in dfsmgmt.msc on a
folder's properties.
I thought of the "hide unreadable" option, but it only works on files
and directories, not symlinks (no surprise as symlinks are 777).
My last idea was vfs_xattr, but it does not help either. I tried to
force xattr to symlinks via 'setfattr -h -n security.NTACL -v ...
[file]' and hoped it would be evaluated for the symlink by samba - that
doesn't seem to be the case.
As dfs-symlinks are resolved by the client, the linked share's rights
could only be checked after resolving and accessing the symlinked share
by the client. To hide the symlink from the client, the server would
have to resolve the symlink or evaluate some ACL on the symlink before
(as mentioned above).
I'd be grateful for ideas
thanks
--
M. Sc. Konrad Jacobi
Fraunhofer-Institut für Großstrukturen in der Produktionstechnik IGP
Albert-Einstein-Straße 30 │ 18059 Rostock
Tel +49 381 49682-192
Fax +49 381 49682-12
konrad.jacobi at igp.fraunhofer.de
http://www.igp.fraunhofer.de
More information about the samba
mailing list