Samba User permissions

permissionssamba

I m trying to setup custom User permissions for a certain user on my samba server. What i try to achieve is to login with mentioned user, lets say its name is user1, and only access two folders folder1, and folder2(with rwx permissions). The share contains plenty of other folders,which he should NOT see them.
All my samba users are part of a group, lets say its called staff.

My global config is this :

[global]
log file = /var/log/samba/log.%m  
load printers = no  
socket options = TCP_NODELAY  
full_auditrefix = %u|%T|%m|%S  
full_audit:facility = local5  
interfaces = 192.168.0.20/255.255.255.0  
passdb backend = tdbsam  
allow hosts = 127. 192.168.0. 192.168.3.   
unix extensions = no  
cups options = raw  
vfs objects = full_audit  
full_audit:success = connect disconnect mkdir rmdir write sendfile rename unlink chmod fchmod chown fchown  
full_auditriority = notice  
workgroup = MYSERVER  
full_audit:failure = connect  
use sendfile = yes  
security = user  
max log size = 50

The shared directory config :

[share]  
writeable = yes  
path = /home/share
vfs object = full_audit  
comment = Linux  
valid users = user1,user2,user3  
create mode = 0660  
directory mode = 0770

With this configuration user1 can login and see all the files and folders. (which is not my purpose)

If i erase user1 from the staff group, and set the mentioned folder1, folder2 with the permissions of 777, the user wont have permission to access the server. I just tested it.

So my question is how can i provide for the user accessibility to the share, but restriction to those folders only?

The mentioned shares permissions are:

drwxrwxr-- 28 root staff 4.0K Jan 30 16:22 share

Best Answer

I found one helpful link hope this can help you with your issue. https://www.samba.org/samba/docs/using_samba/ch09.html

Br.

Related Solutions

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Samba – Setting Primary Group of File or Directory from Windows

Windows does not have the "Primary Group" concept at all. In other words, domain users simply have "Domain Users" as their primary group, probably because it is the first group to be returned to Samba.

That said, Windows has a means to specify a "Primary Group" for Unix compatibility; basically you had to set a specific AD schema attribute.

If you really want to set a primary group for your Windows users, the you had to do the following:

install SFU (service for Unix)
in the AD Users and Computer panel, you can now double-click on a User and on the "UNIX Attributes" tab you can select a custom "Primary Group/GID".

Some more information can be obtained here and here

Related Topic