Red Hat Summit1.8. Setting permissions on a share that uses POSIX ACLs
Optionally, to limit or grant access to a Samba share, you can set certain parameters in the share’s section in the /etc/samba/smb.conf file.
Share-based permissions manage if a user, group, or host is able to access a share. These settings do not affect file system ACLs.
Use share-based settings to restrict access to shares, for example, to deny access from specific hosts.
1.8.1. Prerequisites
- A share with POSIX ACLs has been set up.
1.8.2. Configuring user and group-based share access
User and group-based access control enables you to grant or deny access to a share for certain users and groups. For more inforation, see the smb.conf(5) man page on your system.
Prerequisites
- The Samba share on which you want to set user or group-based access exists.
Procedure
For example, to enable all members of the
Domain Usersgroup to access a share while access is denied for theuseraccount, add the following parameters to the share’s configuration:valid users = +DOMAIN\"Domain Users" invalid users = DOMAIN\userThe
invalid usersparameter has a higher priority than thevalid usersparameter. For example, if theuseraccount is a member of theDomain Usersgroup, access is denied to this account when you use the previous example.Reload the Samba configuration:
# smbcontrol all reload-config
1.8.3. Configuring host-based share access
Host-based access control enables you to grant or deny access to a share based on client’s host names, IP addresses, or IP range. For more information, see the smb.conf(5) man page on your system.
The following procedure explains how to enable the 127.0.0.1 IP address, the 192.0.2.0/24 IP range, and the client1.example.com host to access a share, and additionally deny access for the client2.example.com host:
Prerequisites
- The Samba share on which you want to set host-based access exists.
Procedure
Add the following parameters to the configuration of the share in the
/etc/samba/smb.conffile:hosts allow = 127.0.0.1 192.0.2.0/24 client1.example.com hosts deny = client2.example.comThe
hosts denyparameter has a higher priority thanhosts allow. For example, ifclient1.example.comresolves to an IP address that is listed in thehosts allowparameter, access for this host is denied.Reload the Samba configuration:
# smbcontrol all reload-config
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}