Page 1 of 2
Results 1 to 10 of 18

Thread: How to install and setup ACL fstab in 10.04

  1. #1
    Join Date
    Jun 2010
    Location
    Mauritius
    Beans
    103
    Distro
    Ubuntu Mate

    How to install and setup ACL fstab in 10.04

    I have been trying for several days to figure out how to set up a network with protected folders, until I found this video:

    http://www.youtube.com/watch?v=F9aLvoH4-BQ

    with which I messed up my fstab, I think because it's for an older Ubuntu version.
    On my other computer, on which I'm testing, I currently can't load Ubuntu anymore due to the change I made to fstab, a mounting problem which I have addressed in another post.

    Apart from that, all steps seemed the same in Ubuntu 10.04.

    Can someone please explain to me how I should set the fstab correctly in 10.04 to get ACL running?

    cheers, dietmar

  2. #2
    Join Date
    Jun 2010
    Location
    Mauritius
    Beans
    103
    Distro
    Ubuntu Mate

    Re: How to install and setup ACL fstab in 10.04

    Anyone?

  3. #3
    Join Date
    Dec 2009
    Beans
    6,771

    Re: How to install and setup ACL fstab in 10.04

    You've got posts in three different threads discussing this problem so I've decided to basically hijack this thread to respond. I viewed the YouTube howto you referenced and I think you're making this far too complicated. There is absolutely no reason to use ACL to control who has access to a remote samba share. Samba has built-in functionality to address this.

    Please post the output of the following commands so we can see where you are:

    Code:
    net usershare info
    sudo net usershare info
    testparm -s
    EDIT: And please tell us how you want to restrict access to those shares. Do you want to require a username and password to access all restricted shares? Or do you want user1 to have access to only one share and user2 to only have access to another?

    NOTE: Samba can inherently restrict who can access a given share. Depending on your requirements and what method of samba sharing ( Nautilus vs Classic ) it's either one click or adding things like this to control who has access:

    One Example:
    Code:
    valid users = jdoe
    Last edited by Morbius1; June 10th, 2010 at 12:18 PM.

  4. #4
    Join Date
    Jun 2010
    Location
    Mauritius
    Beans
    103
    Distro
    Ubuntu Mate

    Re: How to install and setup ACL fstab in 10.04

    I am still stuck on this one: http://ubuntuforums.org/showthread.p...08#post9439708

    Once I can load my Ubuntu from hard drive then the results will be more relevant, I guess?

  5. #5
    Join Date
    Jun 2010
    Location
    Mauritius
    Beans
    103
    Distro
    Ubuntu Mate

    Re: How to install and setup ACL fstab in 10.04

    Problem solved, I can boot my Ubuntu again.

    Quote:
    There is absolutely no reason to use ACL to control who has access to a remote samba share. Samba has built-in functionality to address this.
    I didn't get any satisfactory results with ACL... But I learnt a good lesson about the FSTAB.

    Quote:
    And please tell us how you want to restrict access to those shares. Do you want to require a username and password to access all restricted shares? Or do you want user1 to have access to only one share and user2 to only have access to another?
    There are 2 things I need to manage to do.
    1. Restrict a main shared folder. That is, simply password protect it. Whoever wants to access it in the network needs to input a password. In this way I protect my network.
    2. If this is possible, inside the shared folder, add more folders, and some will be password protected for 1 specific user. In this way, not everybody can access this folder.

    Question, will it also work if someone is accessing it from Windows? So far I have no problem in sharing a folder with Windows. But I just don't know how to password protect it. When in Samba I changed sharing into user, a password popup was seen in Windows, but whenever I gave in a password, nothing happened.

    So here are the results:

    net usershare info
    Code:
    info_fn: file /var/lib/samba/usershares/test1 is not a well formed usershare file.
    info_fn: Error was Path is not a directory.
    info_fn: file /var/lib/samba/usershares/test is not a well formed usershare file.
    info_fn: Error was Path is not a directory.
    info_fn: file /var/lib/samba/usershares/tutu is not a well formed usershare file.
    info_fn: Error was Path is not a directory.
    info_fn: file /var/lib/samba/usershares/networktest is not a well formed usershare file.
    info_fn: Error was Path is not a directory.
    sudo net usershare info
    testparm -s
    Code:
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
    Processing section "[printers]"
    Processing section "[print$]"
    Processing section "[IM-SERVER]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    [global]
        workgroup = IM-NETWORK1
        server string = %h server (Samba, Ubuntu)
        security = SHARE
        map to guest = Bad User
        obey pam restrictions = Yes
        guest account = im-003
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        guest ok = Yes
    
    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No
        browsable = No
    
    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
    
    [IM-SERVER]
        path = /home/im-003/IM-SERVER
        read only = No

    Hope this is useful. Catch up with you later.

  6. #6
    Join Date
    Dec 2009
    Beans
    6,771

    Re: How to install and setup ACL fstab in 10.04

    First, you need to clean up something:
    Code:
    gksu gedit /etc/samba/smb.conf
    Look for the following line:
    Code:
    security = SHARE
    and place a # sign in front of it so it looks like this:
    Code:
    #security = SHARE
    Then restart samba:
    Code:
    sudo service smbd restart
    Second, just to be clear on your requirements, you want to:

    Create a restricted share
    Restrict access to a given subdirectory of that share to one specific user

    You would have to ask for one of the few examples where ACLs are the classic way to accomplish this.

    Since ACLs didn't work out for you so well I suggest the following as an example.

    I am going to create a directory that I want to share and a subdirectory that I will restrict access to only one user:
    Code:
    sudo mkdir /home/Shared
    sudo mkdir /home/Shared/User1
    I'm going to set the permissions on those directories to enable samba to allow remote access:
    Code:
    sudo chmod 0777 /home/Shared
    sudo chmod 0700 /home/Shared/User1
    I'm going to set ownership of the subdirectory to user1:
    Code:
    sudo chown user1 /home/Shared/User1
    Now I'm going to create a share for /home/Shared:
    Code:
    [Shared]
        path = /home/Shared
        inherit permissions = yes
        writeable = yes
        valid users = user1, user2, user3, user4
    This will allow user1/2/3/4 to access /home/Shared only after submitting a valid username and password.
    Only user1 will be allowed access to /home/Shared/User1.

    You will of course need to set up user1/2/3/4 on the server and also set up samba passwords for those users.

    If you need it, the following procedure will create a user1/2/3/4 account on the server that has no local server login capabilities, so it will only be used for samba purposes:
    Code:
    sudo useradd -s /bin/true user1
    sudo smbpasswd -a user1
    The first command will create a local server user and the second will add AND enable a samba password for that user.
    Last edited by Morbius1; June 10th, 2010 at 06:25 PM.

  7. #7
    Join Date
    Jun 2010
    Location
    Mauritius
    Beans
    103
    Distro
    Ubuntu Mate

    Re: How to install and setup ACL fstab in 10.04

    Code:
    #security = SHARE
    That did the trick for my shared folder to require a password to access it.
    (That's a big step!)

    I verified and my ACL is working.

    I tried a lot of things for several hours. But it just doesn't want to accept me to password connect to another subfolder of the main shared folder. I always get the access denied message.

    I have created 2 users with local server login whom I have also created as samba users with password.

    So it's not possible then to have a subfolder in the main shared folder password protected? (I mean with a different password)

    Else, if it's not possible to make a protected subfolder with a different password of a different user, how could I make another shared folder accessible with a different password work at root level? I tried it, but it didn't work.

    When I access the computer on a whole, as a server, where I have to input my password in the network to access it, it shows me the folders it has which are shared. And any of those, if password protected for a different user, don't work. Access denied message.

  8. #8
    Join Date
    Dec 2009
    Beans
    6,771

    Re: How to install and setup ACL fstab in 10.04

    Sorry didn't follow that at all.

    You keep using the word password to describe how you're getting access. You need a username and password to access those shares.

    If you want user1 to only access /home/Shared/User1 and nothing else in /home/Shared then it would be best to create another shared directory: /home/Shared2 and limit access to only user1. Just remember to set the linux permissions to enable samba to allow remote access.

  9. #9
    Join Date
    Jun 2010
    Location
    Mauritius
    Beans
    103
    Distro
    Ubuntu Mate

    Re: How to install and setup ACL fstab in 10.04

    Quote:
    You keep using the word password to describe how you're getting access. You need a username and password to access those shares.
    Exactly.

    I have one shared folder here:
    home/user1/shared1

    And I tried the following 3 additional combinations:
    1. Like this
    home/user1/shared2

    2. Like this
    home/user1/shared1/shared2 (Where I assign shared2 to another owner)

    3. Like this, where I directly put the shared folder in another Linux user's folder
    home/user2/shared1

    I then access the workgroup, where I have to input a login and password.
    It's like the global access.
    Then I can see all folders which are shared. Whether it's inside a folder or in home or in another user's account. That is for instance above in user2. I believe because I use only one samba config file where I have inputted all details for all folders.

    If I password protect shared2, or assign it to another user, when I click on it, the computer says, access denied, or that I cannot make 2 connections.

    Even if I use this structure:
    home/user1/shared1
    home/user1/shared1/shared2 (Where I assign shared2 to another owner)
    home/user2/shared1

    You get my point?

  10. #10
    Join Date
    Dec 2009
    Beans
    6,771

    Re: How to install and setup ACL fstab in 10.04

    That didn't help I'm afraid. There are just some things about your description that I'm not personally familiar with:
    Quote:
    I then access the workgroup, where I have to input a login and password.
    I'm not familiar with any configuration that requires authentication to access at a workgroup level. Perhaps if you had subnets, were part of a domain, or were using Active Directory then that would be true, but that's beyond me I'm afraid.
    Quote:
    Where I assign shared2 to another owner
    Don't know what that means. You did a chown on shared2 and now you have shared2 owned by user2 located within shared1 which is owned by user1?
    Quote:
    If I password protect shared2
    "password protect"? You mean you encrypted shared2? Or do you mean you turned off guest access?

    When a remote user tries to access a share that requires authentication he will be asked for a username and password. From that point on that will be the only way the server will see him. If you're trying to require two different usernames and passwords in one session then that won't work.

    If you're trying to access home/user1/shared1/shared2 such that all users will have to authenticate to gain access to shared1 and one among them will have exclusive access to shared2 then I would suggest my earlier post ( #6 ).

    If you're trying to access home/user1/shared1/shared2 such that a remote user has access to shared2 but no access to shared1 then I would suggest you make shared2 a separate share at the same level as shared1. So you would have two shares:

    /home/user1/shared1
    /home/user1/shared2

    For shared1 you would have a share defined like this:
    Code:
    [shared1]
        path = /home/user1/shared1
        writeable = yes
        valid users = user1, user2, user4
    For shared2 you would have a share defined like this:
    Code:
    [shared2]
        path = /home/user1/shared2
        writeable = yes
        valid users = user3
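
The settings changed in posts #6 and #10 (commenting out `security = SHARE`, giving each share its own `valid users` list) can be checked mechanically. The following is an added example, not written by anyone in the thread: a shell function that reads smb.conf text or `testparm -s` output and reports settings that let a client in without its own username and password. The function name `audit_smb_conf` and both sample configurations are constructed for illustration.

```shell
# Added example: audit smb.conf text (or testparm -s output) for settings
# that admit clients without their own username and password.
# Reads the files named as arguments, or stdin. Prints one finding per line.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v) { return v == "yes" || v == "true" || v == "1" }
    function end_section() {
        # A non-printer share without "valid users" admits every Samba account.
        if (sec != "" && tolower(sec) != "global" && !printer && !limited)
            print "[" sec "] no valid users list"
    }
    /^[ \t]*([#;]|$)/ { next }                 # comment or blank line
    /^[ \t]*\[/ {                              # section header
        end_section()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        printer = 0; limited = 0; next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "security" && val == "share")    # share-level mode
            print "[" sec "] security = share"
        if ((key == "guest ok" || key == "public") && yes(val))
            print "[" sec "] guest ok = yes"
        if (key == "map to guest" && val == "bad user")  # unknown user -> guest
            print "[" sec "] map to guest = bad user"
        if (key == "valid users" && val != "") limited = 1
        if ((key == "printable" || key == "print ok") && yes(val)) printer = 1
    }
    END { end_section() }
    ' "$@"
}
# Constructed sample modelled on the settings shown in the thread.
sample_before() {
    printf '%s\n' '[global]' '    security = SHARE' '    map to guest = Bad User' \
        '    guest ok = Yes' '[IM-SERVER]' '    path = /home/im-003/IM-SERVER' \
        '    read only = No'
}
# Constructed sample after the changes suggested in the replies.
sample_after() {
    printf '%s\n' '[global]' '    #security = SHARE' '[shared1]' \
        '    path = /home/user1/shared1' '    valid users = user1, user2, user4' \
        '[shared2]' '    path = /home/user1/shared2' '    valid users = user3'
}
sample_before | audit_smb_conf
sample_after | audit_smb_conf
```

On a live server the same function can be fed with `testparm -s 2>/dev/null | audit_smb_conf`; it only reads the configuration and does not check the Linux permissions on the shared directories.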
