|
94.
|
|
|
Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs are available on Ubuntu servers providing more fine grained control. For example, to enable ACLs on <filename>/srv</filename> an EXT3 filesystem, edit <filename>/etc/fstab</filename> adding the <emphasis>acl</emphasis> option:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:586(para)
|
|
95.
|
|
|
![](/@@/translation-newline)
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
|
|
|
represents a line break.
Start a new line in the equivalent position in the translation.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:593(programlisting)
|
|
98.
|
|
|
The above example assumes <filename>/srv</filename> on a separate partition. If <filename>/srv</filename>, or wherever you have configured your share path, is part of the <filename>/</filename> partition a reboot may be required.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:606(para)
|
|
99.
|
|
|
To match the Samba configuration above the <emphasis>sysadmin</emphasis> group will be given read, write, and execute permissions to <filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group will be given read and execute permissions, and the files will be owned by the username <emphasis>melissa</emphasis>. Enter the following in a terminal:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:613(para)
|
|
103.
|
|
|
The <application>setfacl</application> command above gives <emphasis>execute</emphasis> permissions to all files in the <filename>/srv/samba/share</filename> directory, which you may or may not want.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:627(para)
|
|
104.
|
|
|
Now from a Windows client you should notice the new file permissions are implemented. See the <application>acl</application> and <application>setfacl</application> man pages for more information on POSIX ACLs.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:633(para)
|
|
106.
|
|
|
Ubuntu comes with the <application>AppArmor</application> security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to your configuration. For more details on using AppArmor see <xref linkend="apparmor"/>.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:643(para)
|
|
107.
|
|
|
There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part of the <application>apparmor-profiles</application> packages. To install the package, from a terminal prompt enter:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:649(para)
|
|
110.
|
|
|
By default the profiles for <application>smbd</application> and <application>nmbd</application> are in <emphasis>complain</emphasis> mode allowing Samba to work without modifying the profile, and only logging errors. To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:665(para)
|
|
111.
|
|
|
Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information for <emphasis>[share]</emphasis> from the file server example:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:672(para)
|