Dancing The Samba (part 1) - Access Denied (Page 7 of 8)
Next up, group file areas. You can create a separate directory for every group on the system, and expose these directories as shares accessible only to members of the respective groups. For example, consider the following extract from the "/etc/group" file:
accounts:x:503:john,joe,sarah
admin:x:504:tom,harry
hr:x:505:tom,joe
Corresponding to these groups are sub-directories in the /home/groups directory:
$ ls -l /home/groups
drwxrws--- 2 root accounts 4096 Sep 25 11:11 accounts
drwxrws--- 2 root admin 4096 Sep 25 11:11 admin
drwxrws--- 3 root hr 4096 Sep 25 11:14 hr
Note the setgid bit (the "s" in the group permissions) - this is necessary to ensure that files and sub-directories created inside each group directory automatically inherit the group ownership of that directory.
These directories can be exposed as shares, simply by adding the following section to the "smb.conf" file:
[groups]
comment = Group file area
path = /home/groups/
writeable = yes
force create mode = 0770
force directory mode = 0770
Restart the Samba daemons, and try connecting to the server.
You should see all the sub-directories under the /home/groups directory, but should only have access to those you're a member of, as per the information in the "/etc/group" file. So user "joe" will be able to read and write to the "accounts" and "hr" directories, but will not even be able to view the contents of the "admin" directory.
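The [groups] section above carries no per-group restriction of its own, so the access control described here rests entirely on the mode and group ownership of each sub-directory. The following script is an added example, not part of the original article: it audits each sub-directory against the drwxrws--- layout shown earlier. It assumes GNU coreutils stat on Linux, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit group share directories against the drwxrws--- (2770) layout.
# Assumes GNU coreutils stat (Linux). Function names are hypothetical.

# check_group_dir DIR: print OK/FAIL for one directory; return 1 on any finding.
check_group_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 2    # octal mode, e.g. 2770
    group=$(stat -c '%G' "$dir")               # owning group name
    bits=$((0$mode))                           # leading 0 = parse as octal
    problems=""
    # setgid (02000): new files inherit the directory's group
    [ $((bits & 02000)) -ne 0 ] || problems="$problems no-setgid"
    # group needs rwx (070) to collaborate in the directory
    [ $((bits & 070)) -eq $((070)) ] || problems="$problems group-lacks-rwx"
    # any "other" bit (07) lets non-members in
    [ $((bits & 07)) -eq 0 ] || problems="$problems world-accessible"
    if [ -z "$problems" ]; then
        echo "OK   $dir mode=$mode group=$group"
    else
        echo "FAIL $dir mode=$mode group=$group:$problems"
        return 1
    fi
}

# audit_group_dirs BASE: check every sub-directory of BASE; return 1 if any fails.
audit_group_dirs() {
    base=$1
    rc=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        check_group_dir "${d%/}" || rc=1
    done
    return $rc
}

# Run against a path given on the command line, e.g. /home/groups
if [ -n "${1:-}" ]; then
    audit_group_dirs "$1"
fi
```

The printed group name still needs to be compared by eye with the intended group for each directory, since the script checks mode bits only.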
You can map this directory on a Windows client to drive G:, like this:
c:\> net use g: \\olympus\groups
This type of group-based access makes it easy to set up secure areas on the Samba file server for group-based collaborative file sharing, and restrict access to them in a manner similar to that found in other, commercial file server products.
More By icarus, (c) Melonfire