| This section deals with how to configure Samba per share access control restrictions. By default, Samba sets no restrictions on the share itself. Restrictions on the share itself can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can connect to a share. In the absence of specific restrictions the default setting is to allow the global user Everyone - Full Control (full control, change and read). Table 12.3. File and Directory Permission Based Controls | Control Parameter | Description - Action - Notes | | create mask | Refer to the smb.conf man page. | | directory mask | The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. See also: directory security mask. | | dos filemode | Enabling this parameter allows a user who has write access to the file to modify the permissions on it. | | force create mode | This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. | | force directory mode | This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. | | force directory security mode | Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory. | | force security mode | Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. | | hide unreadable | Prevents clients from seeing the existence of files that cannot be read. | | hide unwriteable files | Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual. | | nt acl support | This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists. | | security mask | Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. | At this time Samba does not provide a tool for configuring access control setting on the share itself. Samba does have the capacity to store and act on access control settings, but the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for Computer Management. Samba stores the per share access control settings in a file called share_info.tdb . The location of this file on your system will depend on how Samba was compiled. The default location for Samba's tdb files is under /usr/local/samba/var . If the tdbdump utility has been compiled and installed on your system, then you can examine the contents of this file by executing: tdbdump share_info.tdb in the directory containing the tdb files. Table 12.4. Other Controls | Control Parameter | Description - Action - Notes | | case sensitive , default case , short preserve case | This means that all file name lookup will be done in a case sensitive manner. Files will be created with the precise file name Samba received from the MS Windows client. | | csc policy | Client Side Caching Policy - parallels MS Windows client side file caching capabilities. | | dont descend | Allows specifying a comma-delimited list of directories that the server should always show as empty. | | dos filetime resolution | This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. | | dos filetimes | DOS and Windows allow users to change file time stamps if they can write to the file. POSIX semantics prevent this. This option allows DOS and Windows behavior. | | fake oplocks | Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock , the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. | | hide dot files , hide files , veto files | Note: MS Windows Explorer allows override of files marked as hidden so they will still be visible. | | read only | If this parameter is yes, then users of a service may not create or modify files in the service's directory. | | veto files | List of files and directories that are neither visible nor accessible. | 12.4.1 Share Permissions Management The best tool for the task is platform dependant. Choose the best tool for your environment. 12.4.1.1 Windows NT4 Workstation/Server The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft see details below. I NSTRUCTIONS -
Launch the NT4 Server Manager, click on the Samba server you want to administer. From the menu select Computer , then click on Shared Directories . -
Click on the share that you wish to manage, then click the Properties tab. then click the Permissions tab. Now you can add or change access control settings as you wish. 12.4.1.2 Windows 200x/XP On MS Windows NT4/200x/XP system access control lists on the share itself are set using native tools, usually from File Manager. For example, in Windows 200x, right click on the shared folder, then select Sharing , then click on Permissions . The default Windows NT4/200x permission allows " Everyone " full control on the share. MS Windows 200x and later versions come with a tool called the Computer Management snap-in for the Microsoft Management Console (MMC). This tool is located by clicking on Control Panel -> Administrative Tools -> Computer Management . I NSTRUCTIONS -
After launching the MMC with the Computer Management snap-in, click the menu item Action , and select Connect to another computer . If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. If you are already logged in with administrative privilege, this step is not offered . -
If the Samba server is not shown in the Select Computer box, type in the name of the target Samba server in the field Name: . Now click the on [+] next to System Tools , then on the [+] next to Shared Folders in the left panel. -
In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions . It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you wish to assign for each entry. W ARNING  Be careful. If you take away all permissions from the Everyone user without removing this user, effectively no user will be able to access the share. This is a result of what is known as ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access. |
|
