<title>Share Definition Access Controls</title>
<para>
-Explain here about the smb.conf [share] Access Control parameters, Mode and Mask parameters, force user/group, valid/invalid users, etc.
+The following parameters in the &smb.conf; file sections that define a share control or affect access controls.
+Before using any of the following options please refer to the man page for &smb.conf;.
</para>
+ <sect2>
+ <title>User and Group Based Controls</title>
+
+ <para>
+ User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
+ file system operations as if a single user is doing this, the use of the <emphasis>force user</emphasis> and
+ <emphasis>force group</emphasis> behaviour will achieve this. In other situations it may be necessary to affect a
+ paranoia level of control to ensure that only particular authorised persons will be able to access a share or
+ it's contents, here the use of the <emphasis>valid users</emphasis> or the <emphasis>invalid users</emphasis> may
+ be most useful.
+ </para>
+
+ <para>
+ As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
+ controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
+ if that person finds to great a mess, or if they do not understand what you have done then there is risk of
+ Samba being removed and an alternative solution being adopted.
+ </para>
+
+ <table frame='all'><title>User and Group Based Controls</title>
+ <tgroup cols='2'>
+ <thead>
+ <row>
+ <entry align="center">Control Parameter</entry>
+ <entry align="center">Description - Action - Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>admin users</entry>
+ <entry><para>
+ List of users who will be granted administrative privileges on the share.
+ They will do all file operations as the super-user (root).
+ Any user in this list will be able to do anything they like on the share,
+ irrespective of file permissions.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force group</entry>
+ <entry><para>
+ Specifies a UNIX group name that will be assigned as the default primary group
+ for all users connecting to this service.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force user</entry>
+ <entry><para>
+ Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. Incorrect use can cause security problems.
+ </para></entry>
+ </row>
+ <row>
+ <entry>guest ok</entry>
+ <entry><para>
+ If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
+ those of the guest account.
+ </para></entry>
+ </row>
+ <row>
+ <entry>invalid users</entry>
+ <entry><para>
+ List of users that should not be allowed to login to this service.
+ </para></entry>
+ </row>
+ <row>
+ <entry>only user</entry>
+ <entry><para>
+ Controls whether connections with usernames not in the user list will be allowed.
+ </para></entry>
+ </row>
+ <row>
+ <entry>read list</entry>
+ <entry><para>
+ List of users that are given read-only access to a service. Users in this list
+ will not be given write access, no matter what the read only option is set to.
+ </para></entry>
+ </row>
+ <row>
+ <entry>username</entry>
+ <entry><para>
+ Refer to the &smb.conf; man page for more information - this is a complex and potentially misused parameter.
+ </para></entry>
+ </row>
+ <row>
+ <entry>valid users</entry>
+ <entry><para>
+ List of users that should be allowed to login to this service.
+ </para></entry>
+ </row>
+ <row>
+ <entry>write list</entry>
+ <entry><para>
+ List of users that are given read-write access to a service.
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
+ <sect2>
+ <title>File and Directory Permissions Based Controls</title>
+
+ <para>
+ The following file and directory permission based controls, if misused, can result in considerable difficulty to
+ diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
+ undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
+ re-instroduce them in a controlled fashion.
+ </para>
+
+ <table frame='all'><title>File and Directory Permission Based Controls</title>
+ <tgroup cols='2'>
+ <thead>
+ <row>
+ <entry align="center">Control Parameter</entry>
+ <entry align="center">Description - Action - Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>create mask</entry>
+ <entry><para>
+ Refer to the &smb.conf; man page.
+ </para></entry>
+ </row>
+ <row>
+ <entry>directory mask</entry>
+ <entry><para>
+ The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
+ See also: directory security mask.
+ </para></entry></row>
+ <row>
+ <entry>dos filemode</entry>
+ <entry><para>
+ Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force create mode</entry>
+ <entry><para>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force directory mode</entry>
+ <entry><para>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force directory security mode</entry>
+ <entry><para>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory
+ </para></entry>
+ </row>
+ <row>
+ <entry>force security mode</entry>
+ <entry><para>
+ Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
+ </para></entry>
+ </row>
+ <row>
+ <entry>hide unreadable</entry>
+ <entry><para>
+ Prevents clients from seeing the existance of files that cannot be read.
+ </para></entry>
+ </row>
+ <row>
+ <entry>hide unwriteable files</entry>
+ <entry><para>
+ Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual.
+ </para></entry>
+ </row>
+ <row>
+ <entry>nt acl support</entry>
+ <entry><para>
+ This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
+ </para></entry>
+ </row>
+ <row>
+ <entry>security mask</entry>
+ <entry><para>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
+ <sect2>
+ <title>Miscellaneous Controls</title>
+
+ <para>
+ The following are documented because of the prevalence of administrators creating inadvertant barriers to file
+ access by not understanding the full implications of &smb.conf; file settings.
+ </para>
+
+ <table frame='all'><title>Other Controls</title>
+ <tgroup cols='2'>
+ <thead>
+ <row>
+ <entry align="center">Control Parameter</entry>
+ <entry align="center">Description - Action - Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>case sensitive, default case, short preserve case</entry>
+ <entry><para>
+ This means that all file name lookup will be done in a case sensitive manner.
+ Files will be created with the precise filename Samba received from the MS Windows client.
+ </para></entry>
+ </row>
+ <row>
+ <entry>csc policy</entry>
+ <entry><para>
+ Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
+ </para></entry>
+ </row>
+ <row>
+ <entry>dont descend</entry>
+ <entry><para>
+ Allows to specify a comma-delimited list of directories that the server should always show as empty.
+ </para></entry>
+ </row>
+ <row>
+ <entry>dos filetime resolution</entry>
+ <entry><para>
+ This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
+ </para></entry>
+ </row>
+ <row>
+ <entry>dos filetimes</entry>
+ <entry><para>
+ DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this.
+ This options allows DOS and Windows behaviour.
+ </para></entry>
+ </row>
+ <row>
+ <entry>fake oplocks</entry>
+ <entry><para>
+ Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
+ oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
+ </para></entry>
+ </row>
+ <row>
+ <entry>hide dot files, hide files, veto files</entry>
+ <entry><para>
+ Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
+ </para></entry>
+ </row>
+ <row>
+ <entry>read only</entry>
+ <entry><para>
+ If this parameter is yes, then users of a service may not create or modify files in the service's directory.
+ </para></entry>
+ </row>
+ <row>
+ <entry>veto files</entry>
+ <entry><para>
+ List of files and directories that are neither visible nor accessible.
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
</sect1>
<sect1>
<title>MS Windows Access Control Lists and Unix Interoperability</title>
<sect2>
- <title>Viewing and changing UNIX permissions using the NT
- security dialogs</title>
+ <title>Managing UNIX permissions Using NT Security Dialogs</title>
<para>Windows NT clients can use their native security settings
dialog box to view and modify the underlying UNIX permissions.</para>
</sect2>
<sect2>
- <title>How to view file security on a Samba share</title>
+ <title>Viewing File Security on a Samba Share</title>
<para>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
</sect2>
<sect2>
- <title>Viewing file or directory permissions</title>
+ <title>Viewing File or Directory Permissions</title>
<para>The third button is the <command>"Permissions"</command>
button. Clicking on this brings up a dialog box that shows both
<title>Common Errors</title>
<para>
-Stuff from mailing lists here
+File, Directory and Share access problems are very common on the mailing list. The following
+are examples taken from the mailing list in recent times.
</para>
+
+ <sect2>
+ <title>Users can not write to a public share</title>
+
+ <para>
+ We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
+ and theres a public share, on which everyone needs to have permission to create / modify files, but only
+ root can change the file, no one else can. We need to constantly go to server to
+ <command>chgrp -R users *</command> and <command>chown -R nobody *</command> to allow others users to change the file.
+ </para>
+
+ <para>
+ There are many ways to solve this problem, here are a few hints:
+ </para>
+
+ <procedure>
+ <title>Example Solution:</title>
+ <step>
+ <para>
+ Go to the top of the directory that is shared
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Set the ownership to what ever public owner and group you want
+ <programlisting>
+ find 'directory_name' -type d -exec chown user.group {}\;
+ find 'directory_name' -type d -exec chmod 6775 'directory_name'
+ find 'directory_name' -type f -exec chmod 0775 {} \;
+ find 'directory_name' -type f -exec chown user.group {}\;
+ </programlisting>
+ </para>
+
+ <para>
+ Note: The above will set the 'sticky bit' on all directories. Read your
+ Unix/Linux man page on what that does. It causes the OS to assign to all
+ files created in the directories the ownership of the directory.
+ </para>
+
+ <para>
+ <programlisting>
+ Directory is: /foodbar
+ chown jack.engr /foodbar
+
+ Note: This is the same as doing:
+ chown jack /foodbar
+ chgrp engr /foodbar
+
+ Now do:
+ chmod 6775 /foodbar
+ ls -al /foodbar/..
+
+ You should see:
+ drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
+
+ Now do:
+ su - jill
+ cd /foodbar
+ touch Afile
+ ls -al
+ </programlisting>
+ </para>
+
+ <para>
+ You should see that the file 'Afile' created by Jill will have ownership
+ and permissions of Jack, as follows:
+ <programlisting>
+ -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
+ </programlisting>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Now in your smb.conf for the share add:
+ <programlisting>
+ force create mode = 0775
+ force direcrtory mode = 6775
+ </programlisting>
+ </para>
+
+ <para>
+ Note: The above are only needed IF your users are NOT members of the group
+ you have used. ie: Within the OS do not have write permission on the directory.
+ </para>
+
+ <para>
+ An alternative is to set in the smb.conf entry for the share:
+ <programlisting>
+ force user = jack
+ force group = engr
+ </programlisting>
+ </para>
+ </step>
+ </procedure>
+ </sect2>
+
+
</sect1>
</chapter>