Samba Server Make Multiple User Permissions Profiles


Yes, Samba can support ACLs nowadays. It takes a few lines in the globals section, and a list of allowed and denied ACLs per share. Some adjustment may be needed to your underlying filesystem permissions to support them though, since ext filesystems don't do ACLs by default.

Here's a tutorial: http://aisalen.wordpress.com/2007/08/10/acls-on-samba/

And a general reference for the smb.conf file: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Edit: try changing your share configuration like this. Note that OS groups require an '@' in front, and that write list does not imply read priv, so put both groups in the read list.

Add these to globals:

invalid users = root
valid users = @smbusers, @smbusers_RO
create mask = 02775
directory mask = 02770

[SAMBA]
comment = Debian File Server With Read Write
invalid users=nobody,nobody
valid users=@smbusr,@smbusr_RO
path = /samba
browseable = yes
guest ok = no
read list = @smbusr,@smbusr_RO
write list = @smbusr
writeable=yes

Also run 'sudo testparm -s' to check your config file integrity.

In terms of filesystem permissions, you can chown -R your files to be owned by 'root:smbusers', so that your group permission controls who can write, and your other permission can control who can read (smb will make sure that read permissions are only granted to 'smbusers_RO'). Then I recommend using SetGID so that all new folders created in the share are owned by :smbusers and all your smbusers will have access to them.

chown -R root:smbusers /samba 
chmod -R 2775 /samba
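
Added example, not part of the original answer and not Samba's own code: a small model of how smb.conf's `invalid users`, `valid users`, `write list` and `read list` combine for one share, run over the share definition from the answer and the one from the question. The group members (`alice`, `bob`), the user `mallory` and the function names are hypothetical; filesystem permissions, which further restrict what Samba allows, are not modelled.

```python
import configparser

# Constructed inputs: the share as posted in the answer, and the share from
# the question (no '@', so the names are treated as users, not groups).
ANSWER_CONF = """[global]
invalid users = root
[SAMBA]
valid users = @smbusr, @smbusr_RO
read list = @smbusr, @smbusr_RO
write list = @smbusr
writeable = yes
"""
QUESTION_CONF = """[SAMBA]
read list = smbusr_RO
write list = smbusr
"""
GROUPS = {"smbusr": {"alice"}, "smbusr_RO": {"bob"}}  # hypothetical members

def _names(value):
    """Split an smb.conf list on commas and/or whitespace."""
    return value.replace(",", " ").split()

def _matches(user, names, groups):
    """True if user is listed by name or is a member of an '@group' entry."""
    return any(user in groups.get(n[1:], ()) if n.startswith("@") else n == user
               for n in names)

def effective_access(conf_text, share, user, groups):
    """Return 'denied', 'read-only' or 'read-write' for an authenticated user."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    def opt(key):  # share setting, falling back to [global], then to empty
        return cp.get(share, key, fallback=cp.get("global", key, fallback=""))
    if _matches(user, _names(opt("invalid users")), groups):
        return "denied"                      # invalid users always wins
    valid = _names(opt("valid users"))
    if valid and not _matches(user, valid, groups):
        return "denied"                      # non-empty valid users is an allow-list
    if _matches(user, _names(opt("write list")), groups):
        return "read-write"                  # write list beats read list
    if _matches(user, _names(opt("read list")), groups):
        return "read-only"
    # Otherwise the share default applies; only 'writeable' is consulted here.
    return "read-write" if opt("writeable").lower() in ("yes", "true", "1") else "read-only"

if __name__ == "__main__":
    for name, conf in (("answer", ANSWER_CONF), ("question", QUESTION_CONF)):
        for user in ("alice", "bob", "root", "mallory"):
            print(name, user, effective_access(conf, "SAMBA", user, GROUPS))
```

With the question's share, `alice` (a member of group `smbusr`) comes out read-only because `write list = smbusr` names a user rather than a group, and `mallory` is not denied because no `valid users` list is set.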
Author: Scriptonaut

Updated on September 18, 2022

Comments

  • Scriptonaut
    Scriptonaut over 1 year

    I have a Samba file server running, and I was wondering how I could make multiple user accounts that have different permissions. For example, at the moment I have a user, smbusr, but when I ssh to the share, I can read, write, execute, and even navigate out of the samba directory and do stuff on the actual computer. This is bad because I want to be able to give out my IP so friends/family can use the server, but I don't want them to be able to do just anything.

    I want to lock the user in the samba share directory (and all the sub directories). Eventually I would like several profiles such as (smbusr_R, smbusr_RW, smbguest_R, smbguest_RW).

    I also have a second question related to this, is SSH the best method to connect from other unix machines? What about VPN? Or simply mounting like this:

    mount -t ext3 -o user=username //ipaddr/share /mnt/mountpoint
    

    Is that mounting command above the same thing as a vpn? This is really confusing me.

    Thanks for the help guys, let me know if you need to see any files, or need any more information.

    EDIT: Here is my samba share definition:

    [SAMBA]
    path = /samba
    browseable = yes
    guest ok = no
    read list = smbusr_RO
    write list = smbusr
    

    EDIT2: Here is my entire smb.conf file:

    http://pastebin.com/cUGEF3yi

  • Scriptonaut
    Scriptonaut over 11 years
    I changed it so now there are only two accounts, smbusr and smbusr_RO. I put my share definition in the main post, does that look alright? I'm having permissions confusion now. What should I put for my create mask and directory mask if I want nobody besides root to be able to change permissions? Who should I make the owner of my samba share, and what group should I make it? Thanks
  • Frank Thomas
    Frank Thomas over 11 years
    Add smbuser to readlist as well. Do your filesystem permissions give both groups the appropriate permissions as well?
  • Scriptonaut
    Scriptonaut over 11 years
    I added my smb.conf file to the main post, could you look at it to see if there's anything preventing access? I'm not quite sure what you mean by my filesystem permissions. I can't seem to even log in as root. Are there things I can try to do in case it is the filesystem permissions?
  • Frank Thomas
    Frank Thomas over 11 years
    See edits above.
  • Scriptonaut
    Scriptonaut over 11 years
    What does the preceding 2 in the permissions mean? I'll try to implement this, thanks a lot :) Also, why do I put the smbusr and smbusr_RO groups rather than the users themselves?
  • Frank Thomas
    Frank Thomas over 11 years
    First off, I've been assuming smbusr is a group. Is that not the case? If so you should really consider creating a group, adding whatever users you like to it and then replacing all refs to smbusr above to the group name. Sorry for the confusion. The 2 indicates SetGid. When set on a directory, SetGid causes all newly created sub-directories to use the same group owner as the parent. Otherwise the default owner is user:user and only that user would be able to access the folder, just all the group members. pubs.opengroup.org/onlinepubs/009695399/functions/setgid.html
  • Scriptonaut
    Scriptonaut over 11 years
    I'm totally open to doing a group if it's better. What would be the advantages? Would it be merely that I could have multiple accounts under the same group? Ah, I get it. Is the group smbusers already made for me? Is it already set up? Would there be any disadvantage by doing: chmod -R 2770 /samba
  • Scriptonaut
    Scriptonaut over 11 years
    Also, at the moment write permissions are revoked once I go into a samba subdirectory. I can write in samba, but even if I'm logged in as smbusr, I can't write in the sub dirs.
  • Frank Thomas
    Frank Thomas over 11 years
    Who is the owner/group on the folder? Perhaps using setGID and setting up groups is more of a pain than your needs require. Using samba to control your readonly restriction should work. I usually like to lock down the filesystem to match, but it's not strictly required for only two users. As for 2770, did you create a group or use smbusers? Are both users members? Also who is the owner of \samba? The short of it is, to use 2770, both users would have to be either the owner, or in the owner-group. If not, smbuserRO would have to use the 'other' permissions (4 or 5).
  • Scriptonaut
    Scriptonaut over 11 years
    Alright, I have it mostly figured out. I made a group smbusers, and my global settings look just like the ones in your main comment (except I also added my local account (scroty) to the invalid users). My [SAMBA] profile looks just like yours. The only thing I did different at this point is that for chmod I used 02770.
  • Scriptonaut
    Scriptonaut over 11 years
    Here's my current problem(s). I'm able to mount the drive for smbusr, I can read and write in every folder/subfolder just like I intended. However, I can't seem to mount the drive using smbusr_RO. It just pops up another box and asks me to re-enter my credentials. My second problem is, when I mount the drive in Linux, I can't cd to the mount location without becoming root. Other than that everything works. Could you give me an email or other way to contact you so I can send you the IP address of the server? If you're willing, I'd like you to try to break in and see if I have any weak spots.
  • Frank Thomas
    Frank Thomas over 11 years
    You can reach me temporarily at [email protected] . Please send the output of these commands: 'ls -al /samba', 'members smbusers' (you may have to install 'members'), 'testparm -s', 'groups smbuser', 'groups smbuser_RO'. That should be sufficient to get a good view of the problem.
  • Frank Thomas
    Frank Thomas over 11 years
    I've responded to your email, but if you don't receive it, check your spam filter. Anyway, I'm happy to help at your pace, so let me know once you've run smbpasswd for smbuser_RO, and we'll pick up from there. Cheers.