So for the longest time I’ve been trying to control which group sees which share, confusingly thinking that “Access based enumeration” works on the filesystem permissions.
Only recently by mistake did i notice that share ACLs are a different entity altogether and those are what the aforementioned option works on. Or at least it should? Because it doesn’t.
So let’s take it from the top, this is what my parameters are
I have a dataset with unix permissions 770 owner root:media (a custom group i made, UID 5000). I create a smb share out of that, no preset, select " Browsable to Network Clients" and “Access Based Share Enumeration”
The media group is selected to be part of samba authentication. Now I edit the share ACLs (not filesystem ACLs!) and set them as such:
everyone@ - READ - DENIED
group - media - FULL - ALLOWED
Now, with these, i expect that this share will only appear to users who are part of the media group. But this is not the case, the share appears browseable in macos to any user, it’s just that users not in the media group cannot access it in any way
Are my assumptions just wrong, am I missing a step here or is this just not possible to achieve?
I would leave the “share-rights” just alone to read all.
Do proper permissions on the files if possible with ACLs.
If you don’t them(the users) to lock them each other out then don’t grant them rights which can tinkert with the owenership.
I ususally (well, with an AD/Ldap behind) only one group/share. additional admin users just in case (which won’t be using those shares intheir day-to-day work.
I could make some screenshots but not right now. Best i could give you are the getfacl outputs.
Generally you should never set denied ACEs on Everyone because they will take precedence. Not related to what you’re seeing, but for some reason we periodically have users do this.
Clients may cache netshareenum responses and so you may not be seeing an up-to-date browse list.
A redacted netshareenum response has zero impact on client ability to access a share.
Share ACL is evaluated precisely once per SMB tree connection. If you’re making broad changes, make sure to restart the SMB server to force clients to make new connections.
If you want to validate netshareenum responses cleanly then you can use rpcclient.
Sample rpcclient call (substitute relevant username to see their browse list):
But in my case this would be what I want - correct? In the case of a share that would be browseable to only a specific group?
Edit: OH! Precedence like it would override any allow?
I was using smbclient on my end, but this is even better
Yeah, I understand that. This would be done by filesystem ACLs
Is there a command where I can query samba for the share ACL? This info is not stored in samba conf directly but in some tdb.
You do have a couple of different settings in your samba config. I presume based on your output that you have “Apple SMB2/3 protocol extension” enabled? Don’t know if that causes any changes in behaviour.
EDIT: also try restarting samba, just in case there was an error in reloading the config.
Oh. Your user is a member of the builtin_administrators group. That group has root-level permissions on SMB shares always. You should only do testing with non-administrator accounts, and definitely not assign out those permissions unnecessarily.
Btw I just found a bug in the UI - disabling a share from the sharelist does nothing, it goes back to enabled after a UI refresh. And disabling from the share properties sticks, but also doesn’t work from the samba side, testparm still has the share