1.7. Setting up a Samba file share that uses POSIX ACLs


As a Linux service, Samba supports shares with POSIX ACLs. They enable you to manage permissions locally on the Samba server using utilities such as chmod. If the share is stored on a file system that supports extended attributes, you can define ACLs with multiple users and groups.

Note

If you need to use fine-granular Windows ACLs instead, see Setting up a share that uses Windows ACLs.

Parts of this section were adapted from the Setting up a Share Using POSIX ACLs documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.

1.7.1. Adding a share that uses POSIX ACLs

You can create a share named example that provides the content of the /srv/samba/example/ directory and uses POSIX ACLs.

Prerequisites

Samba has been set up in one of the following modes:

Procedure

  1. Create the directory if it does not exist. For example:

    # mkdir -p /srv/samba/example/
  2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

    # semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"
    # restorecon -Rv /srv/samba/example/
  3. Set file system ACLs on the directory. For details, see:

  4. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled:

    [example]
    	path = /srv/samba/example/
    	read only = no
    Note

    Regardless of the file system ACLs, if you do not set read only = no, Samba shares the directory in read-only mode, because the read only parameter defaults to yes.

  5. Verify the /etc/samba/smb.conf file:

    # testparm
  6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

    # firewall-cmd --permanent --add-service=samba
    # firewall-cmd --reload
  7. Restart the smb service:

    # systemctl restart smb
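The steps above assembled into one script, as an added example that is not part of the Red Hat or Samba documentation. It also applies the chown and chmod settings from the standard Linux ACL procedure, gates the service restart on a testparm syntax check, and only appends the share stanza if no section with that name exists yet. The share name, directory, and config file location are the ones used in the procedure; the SAMBA_DEPLOY switch, the append_share_stanza helper, and the smbclient visibility check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Samba or RHEL documentation: the share setup
# procedure as one script, with checks before the running server is touched.
# Assumptions: share name "example", directory /srv/samba/example, config in
# /etc/samba/smb.conf, and a SAMBA_DEPLOY=1 switch that guards the real work.
set -e

SHARE_NAME="${SHARE_NAME:-example}"
SHARE_PATH="${SHARE_PATH:-/srv/samba/example}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Render the share stanza. "read only = no" is written out explicitly because
# smb.conf defaults to read only = yes whatever the file system ACLs allow.
render_share_stanza() {  # $1 = share name, $2 = directory (no trailing slash)
    printf '\n[%s]\n\tpath = %s/\n\tread only = no\n' "$1" "$2"
}

# Append the stanza unless a section with that name already exists.
# Returns 0 when it appended, 1 when the share was already defined.
append_share_stanza() {  # $1 = smb.conf path, $2 = share name, $3 = directory
    if [ -f "$1" ] && grep -qxF "[$2]" "$1"; then
        return 1
    fi
    render_share_stanza "$2" "$3" >> "$1"
}

deploy_share() {
    mkdir -p "$SHARE_PATH"

    # SELinux label, only when SELinux is present and not disabled. "-a" fails
    # if the rule already exists, so fall back to modifying it.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        semanage fcontext -a -t samba_share_t "${SHARE_PATH}(/.*)?" 2>/dev/null ||
            semanage fcontext -m -t samba_share_t "${SHARE_PATH}(/.*)?"
        restorecon -Rv "$SHARE_PATH"
    fi

    # Standard Linux ACLs: root owns the directory, the Domain Users group may
    # read and write, everyone else gets nothing, SGID keeps the group on new
    # entries. Requires winbind to resolve "Domain Users".
    chown root:"Domain Users" "$SHARE_PATH"
    chmod 2770 "$SHARE_PATH"

    append_share_stanza "$SMB_CONF" "$SHARE_NAME" "$SHARE_PATH" ||
        echo "share [$SHARE_NAME] already in $SMB_CONF, leaving it unchanged" >&2

    # Syntax-check the whole file before restarting; a typo here would
    # otherwise take every share offline.
    testparm -s "$SMB_CONF" >/dev/null

    firewall-cmd --permanent --add-service=samba
    firewall-cmd --reload
    systemctl restart smb

    # Confirm the share is advertised. An anonymous listing may be refused
    # depending on the server's settings, so treat a miss as a warning only.
    if ! smbclient -L localhost -N 2>/dev/null | grep -q "$SHARE_NAME"; then
        echo "share not visible in an anonymous listing; check with a domain user" >&2
    fi
}

if [ "${SAMBA_DEPLOY:-0}" = "1" ]; then
    deploy_share
fi
```

Run it as root with SAMBA_DEPLOY=1 on the Samba server; without the switch it only defines the functions, so the stanza helper can be exercised against a scratch copy of smb.conf first.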

1.7.2. Setting standard Linux ACLs on a Samba share that uses POSIX ACLs

The standard ACLs on Linux support setting permissions for one owner, one group, and for all other users. You can use the chown, chgrp, and chmod utilities to update them. For more information, see the chown(1), chgrp(1), and chmod(1) man pages on your system. If you require more precise control, use the more complex extended POSIX ACLs; see Setting extended ACLs on a Samba share that uses POSIX ACLs.

The following procedure sets the owner of the /srv/samba/example/ directory to the root user, grants read and write permissions to the Domain Users group, and denies access to all other users.

Prerequisites

  • The Samba share on which you want to set the ACLs exists.

Procedure

  • Set the owner, group, and mode of the directory:

    # chown root:"Domain Users" /srv/samba/example/
    # chmod 2770 /srv/samba/example/
    Note

    Enabling the set-group-ID (SGID) bit on a directory causes all new files and subdirectories to receive the directory's group as their group, instead of the usual behavior, which is to use the primary group of the user who created the new directory entry.

1.7.3. Setting extended ACLs on a Samba share that uses POSIX ACLs

If the file system the shared directory is stored on supports extended ACLs, you can use them to set complex permissions. Extended ACLs can contain permissions for multiple users and groups.

Extended POSIX ACLs enable you to configure complex ACLs with multiple users and groups. However, you can only set the following permissions:

  • No access
  • Read access
  • Write access
  • Full control

If you require the fine-granular Windows permissions, such as Create folder / append data, configure the share to use Windows ACLs. See Setting up a share that uses Windows ACLs.

The following procedure shows how to enable extended ACLs on a share and includes an example of setting extended ACLs.

Prerequisites

  • The Samba share on which you want to set the ACLs exists.

Procedure

  1. Enable the following parameter in the share’s section in the /etc/samba/smb.conf file to enable ACL inheritance of extended ACLs:

    inherit acls = yes

    For details, see the parameter description in the smb.conf(5) man page.

  2. Restart the smb service:

    # systemctl restart smb
  3. Set the ACLs on the directory. For example:

Example 1.2. Setting Extended ACLs

The following procedure sets read, write, and execute permissions for the Domain Admins group, read and execute permissions for the Domain Users group, and denies access to everyone else on the /srv/samba/example/ directory:

  1. Clear the permissions of the owning-group entry, and of its default counterpart, so that the directory's group grants nothing by itself:

    # setfacl -m group::--- /srv/samba/example/
    # setfacl -m default:group::--- /srv/samba/example/

    The primary group of the directory is additionally mapped to the dynamic CREATOR GROUP principal. When you use extended POSIX ACLs on a Samba share, this principal is automatically added and you cannot remove it.

  2. Set the permissions on the directory:

    1. Grant read, write, and execute permissions to the Domain Admins group:

      # setfacl -m group:"DOMAIN\Domain Admins":rwx /srv/samba/example/
    2. Grant read and execute permissions to the Domain Users group:

      # setfacl -m group:"DOMAIN\Domain Users":r-x /srv/samba/example/
    3. Set the other ACL entry to deny access to any user that does not match one of the previous entries. This command applies recursively to the directory and anything already inside it:

      # setfacl -R -m other::--- /srv/samba/example/

    These settings apply only to this directory. In Windows, these ACLs are mapped to the This folder only mode.

  3. Set matching default ACL entries so that new file system objects created in this directory inherit the permissions set in the previous step:

    # setfacl -m default:group:"DOMAIN\Domain Admins":rwx /srv/samba/example/
    # setfacl -m default:group:"DOMAIN\Domain Users":r-x /srv/samba/example/
    # setfacl -m default:other::--- /srv/samba/example/

    With these settings, the This folder only mode for the principals is now set to This folder, subfolders, and files.

Samba maps the permissions set in the procedure to the following Windows ACLs:

  Principal                                     Access           Applies to
  --------------------------------------------  ---------------  ----------------------------------
  Domain\Domain Admins                          Full control     This folder, subfolders, and files
  Domain\Domain Users                           Read & execute   This folder, subfolders, and files
  Everyone [a]                                  None             This folder, subfolders, and files
  owner (Unix User\owner) [b]                   Full control     This folder only
  primary_group (Unix User\primary_group) [c]   None             This folder only
  CREATOR OWNER [d] [e]                         Full control     Subfolders and files only
  CREATOR GROUP [e] [f]                         None             Subfolders and files only

  [a] Samba maps the permissions for this principal from the other ACL entry.
  [b] Samba maps the owner of the directory to this entry.
  [c] Samba maps the primary group of the directory to this entry.
  [d] On new file system objects, the creator automatically inherits the permissions of this principal.
  [e] Configuring or removing these principals from the ACLs is not supported on shares that use POSIX ACLs.
  [f] On new file system objects, the creator's primary group automatically inherits the permissions of this principal.
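The setfacl entries above say what each principal is nominally granted; what a user actually gets is the entry ANDed with the ACL's mask entry, and a later chmod on the directory rewrites that mask rather than the group entries. The following added example (not part of the Red Hat or Samba documentation) reads getfacl output, prints the effective permission of every access entry after the mask, and audits the result against the intent of the procedure. The getfacl listings are constructed samples; the group names assume winbind's default "\" separator, and real getfacl output may escape whitespace in names differently.

```shell
#!/bin/sh
# Added example, not from the Samba or RHEL documentation: compute the
# permissions a POSIX ACL actually grants once the mask is applied, and use it
# to audit the share's ACL. Assumptions: group names as winbind shows them with
# the default "\" separator; real getfacl(1) output may escape whitespace.

# Constructed sample: getfacl output for /srv/samba/example/ as left by the
# extended-ACL procedure (SGID set, Domain Admins rwx, Domain Users r-x,
# matching default entries).
ACL_OK='# file: srv/samba/example/
# owner: root
# group: DOMAIN\Domain Users
# flags: -s-
user::rwx
group::---
group:DOMAIN\Domain Admins:rwx
group:DOMAIN\Domain Users:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:DOMAIN\Domain Admins:rwx
default:group:DOMAIN\Domain Users:r-x
default:mask::rwx
default:other::---'

# Constructed sample: the same directory after "chmod 750". With an extended
# ACL present, chmod's group bits rewrite the mask entry, not the group entry,
# so Domain Admins silently lose write access while their entry still reads rwx.
ACL_AFTER_CHMOD=$(printf '%s\n' "$ACL_OK" | sed 's/^mask::rwx$/mask::r-x/')

# Read getfacl output on stdin and print one line per access (non-default)
# entry as tag:qualifier:nominal:effective. Per acl(5) the mask caps named
# users, named groups and the owning group; owner and other are never capped.
effective_acl() {
    awk -F: '
    function perm_and(a, b,    out, k, c) {
        out = ""
        for (k = 1; k <= 3; k++) {
            c = substr(a, k, 1)
            out = out ((c != "-" && c == substr(b, k, 1)) ? c : "-")
        }
        return out
    }
    /^#/ || /^$/ || $1 == "default" { next }
    {
        n++; tag[n] = $1; qual[n] = $2; perm[n] = $3
        if ($1 == "mask") mask = $3
    }
    END {
        if (mask == "") mask = "rwx"   # minimal ACL: no mask entry, nothing capped
        for (i = 1; i <= n; i++) {
            if ((tag[i] == "user" && qual[i] == "") || tag[i] == "other" || tag[i] == "mask")
                eff = perm[i]
            else
                eff = perm_and(perm[i], mask)
            printf "%s:%s:%s:%s\n", tag[i], qual[i], perm[i], eff
        }
    }'
}

# Effective permissions of one entry. $1 = ACL text, $2 = "tag:qualifier",
# e.g. 'group:DOMAIN\Domain Admins', 'user:' for the owner, 'other:'.
# The name is passed through the environment so awk does not reinterpret "\".
effective_for() {
    printf '%s\n' "$1" | effective_acl |
        WANT="$2:" awk 'index($0, ENVIRON["WANT"]) == 1 { n = split($0, f, ":"); print f[n]; exit }'
}

# Exit 0 when the ACL matches the intent of the procedure (other grants nothing
# and no entry is silently capped by the mask), 1 otherwise; reasons on stderr.
audit_acl() {  # $1 = ACL text
    printf '%s\n' "$1" | effective_acl | awk -F: '
        $1 == "other" && $3 != "---" { print "other grants " $3 > "/dev/stderr"; bad = 1 }
        $3 != $4 { print $1 ":" $2 " has " $3 " but the mask leaves " $4 > "/dev/stderr"; bad = 1 }
        END { exit bad + 0 }'
}

audit_acl "$ACL_OK" && echo "ACL_OK: as intended"
audit_acl "$ACL_AFTER_CHMOD" || echo "ACL_AFTER_CHMOD: review needed"
```

On a live server, feed the real listing instead of the sample: getfacl -p /srv/samba/example/ | effective_acl. If a named group shows a smaller effective value than its entry, restore the mask with setfacl -m mask::rwx rather than re-adding the group entry, and avoid plain chmod on directories that carry extended ACLs.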