Q&A: Can you explain permission configuration for Shares?

Question

Can you explain permission configuration for shares?

Answer

Here it is, kudos @Moritz_Bunkus:

By default a share won’t do anything special regarding permissions for files & folders inside that share. This means that a file created by user A will only be writable by user A but not by user B. It might be readable by user B depending on the share’s settings. This is the “safe by default” route.

You generally have two options if you want to grant a group of users the same type of access to a set of files & folders:

Same permissions on all files & directories for all users connecting to a share

If you have a share where all users accessing the share shall have the same type of access to all of the files, you can configure the share to map the user & group credentials of the connecting user to a well-known user and/or group. These settings are called “force user” and “force group” in the share’s settings in the Univention Management Console (edit the share & go to “Advanced Settings” → “Samba options”).

Together with that setting you should also use the “force file mode” and “force directory mode” settings from “Advanced Settings” → “Samba Extended Permissions”.

A typical use case would be a share solely for the HR department. You’ll probably want to restrict the users allowed to connect to the share by setting the “allowed users” option to a group name, e.g. @HR. Then set “force group” to HR, too, and adjust “force file mode” and “force directory mode” so that the group always has all rights.

The drawback is that you cannot make exceptions for any of the files & directories in that share. If you have one or more files which should be restricted further, you either have to move them to a different share with different settings, or you must abandon this approach altogether and choose the following method:

Managing extended permissions from Windows

If you have a share where certain files & directories should be available to one group while other files & directories need different permissions from the first set of files & directories, you’ll have to use ACLs (access control lists). The easiest way to manage those is from a Windows machine joined into the domain.

Before you can start, though, you’ll have to configure the share to allow NT ACLs in the Univention Management Console. Edit the share, go to “Advanced Settings” → “Samba Permissions” and enable the “NT ACL support” option.

Then log in on Windows as a domain user with domain admin privileges (it can be administrator, but any member of the Domain Admins group will do). Connect to your file server, go into the share, right-click on folders & files and use Windows’ built-in ACL management facilities. Google for how to edit file & directory permissions/ACLs with Windows if you’re unsure how to do that.

This approach is the right one for shares where mixed content with mixed security requirements exists.

The obvious drawback compared to the first method is that it isn’t instantly obvious who has access to what.
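As an added illustration (not part of the original answer and not a file UCS ships), here are the smb.conf equivalents of the two approaches described above: a “force group” share for the HR department and a mixed-content share that relies on NT ACLs. Share names, paths and the `HR` group are assumed; on UCS these parameters are generated from the UMC share settings rather than edited by hand.

```ini
; Added example: Samba parameters behind the UMC settings discussed above.
; Share names, paths and the group name "HR" are assumed values.

; Approach 1: same permissions for everyone who may connect to the share.
[hr]
    path = /home/shares/hr            ; assumed path
    writeable = yes
    ; UMC "allowed users": only members of the HR group may connect at all
    valid users = @HR
    ; UMC "force group": every file and directory is created with group HR
    force group = HR
    ; UMC "force file mode" / "force directory mode": Samba ORs these bits
    ; into every mode it sets, so the group always has rw on files and
    ; rwx on directories, regardless of the connecting user's umask
    force create mode = 0660
    force directory mode = 0770
    ; masks remove the bits "others" would otherwise receive
    create mask = 0660
    directory mask = 0770

; Approach 2: mixed content, per-file/-directory ACLs managed from Windows.
[projects]
    path = /home/shares/projects      ; assumed path
    writeable = yes
    ; UMC "NT ACL support": lets the Windows security tab read and write ACLs
    nt acl support = yes
    ; deliberately no force user/group or force modes here:
    ; the ACLs on each file and directory decide who gets what
```

The effective POSIX mode Samba applies is `(requested mode AND mask) OR force mode`, which is why the masks and force modes are set together in the first stanza: the mask removes access for “others” and the force mode guarantees the group bits. `testparm -s` on the server prints the parameters Samba actually loaded, so it is the quickest way to confirm that the UMC options ended up as intended, and that a force user, if one is used, maps to a low-privileged account rather than root.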
