Important! This article has been tested up to Zentyal 2.2. Later versions may or may not work.

Zentyal has included file sharing functionality since the very beginning. One of its key features is shares, which let you create a shared directory where different people can work cooperatively.

How users cooperate can be defined with the access control support in Zentyal. For instance, you can define how users access the share: read-only, read and write, or with administrator permissions. The latter allows the user to modify other users’ files; to do so, the logged-in user is handled as root within the Samba realm. However, this access control list (ACL) is applied on a per-share basis. That granularity is not enough for users who need to manage access control on directories within a share. For instance, your company has a share where one of the directories must be read-only for everyone except the members of the accounting department, whose permission must be read and write, while the accounting department members must not be able to write any other file or directory in the share. Currently, you have two options to do this:

  • Using the Windows ACL interface
  • Using the CLI tools for ACL in Linux

The former option has some drawbacks, mainly because Windows ACLs do not map one-to-one to POSIX ACLs. The Samba developers describe the mapping Samba performs for an ACL supplied by Windows. For instance, you cannot add the delete permission for a user in Linux, only in Windows. In addition, deny entries are not explicit in Linux; instead, you set up the allow permissions explicitly. If the selected option does not match a Linux ACL, the Windows selection dialogue comes back with the old values and the permission you set previously stays empty.

The latter option requires command-line (CLI) knowledge to manage the ACL in a more granular way, which may demand advanced skills such as reading manual pages. Here you can find a complete and detailed description of how ACLs work in Linux. Take into account that for both options, the file system must be mounted with ACL support. The Zentyal installer does this by default. However, if your file system does not, you just need to add the acl option in /etc/fstab and reboot, or remount the partition with the acl flag. You can check ACL support using the getfacl command.

Regarding permissions, you have to keep in mind the following permission layers, which the Samba daemon checks in this order:

  • Samba permission set
  • File system permission set

The former is set in the Zentyal server interface within the Access Control table. There, you define the users and groups that have read, write or administration access to a share. The latter defines how the file system allows you to access or modify a file in the share.

When you look at the group owner of the shared files, you will see the __USERS__ group. Who belongs to that group? All the users in the domain, that is, all users you created using the Zentyal server interface. Take that into account when you set up your permissions.

Let’s take an example: you have a share called “Admin” with several users that have read and write permissions. In addition, you have a directory called “Protected Directory” where nobody except the administrator should be allowed to write. How can you achieve this?

First, configure those users and groups to have read and write access to the share in the Zentyal server interface, under File Sharing –> Shares –> Access Control.

ACL by share in Zentyal

Then, log in to the share as administrator and edit the “Protected Directory” properties. In “Properties –> Security tab”, select the groups and users that should not have write permission and deselect that permission, as the image shows:

Editing ACL in Windows

In Linux you can change it from the command line by running the setfacl command, and use the getfacl command to show the current ACL of a directory:

$ getfacl '/home/samba/shares/Admin/Protected Directory'

# file: home/samba/shares/Admin/Protected Directory/
# owner: root
# group: __USERS__
user::rwx
user:cperez:r-x
group::r-x
group:developers:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:cperez:r-x
default:group::r-x
default:group:developers:r-x
default:mask::rwx
default:other::---

So it is already done!
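To check the result without reading the getfacl dump by eye, the following Python script is an added example (not part of the original post or of Zentyal): it parses the output above, embedded here as a constructed sample, and computes effective permissions following the POSIX ACL check order (owner, then named user, then owning and named groups, then other, with the mask capping every entry except owner and other), so you can confirm that only the administrator holds write on the protected directory. The user names and group memberships passed in are assumptions.

```python
# Constructed sample: the getfacl output for "Protected Directory" shown in the post.
SAMPLE_ACL = """\
# file: home/samba/shares/Admin/Protected Directory/
# owner: root
# group: __USERS__
user::rwx
user:cperez:r-x
group::r-x
group:developers:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:cperez:r-x
default:group::r-x
default:group:developers:r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> granted letters."""
    meta, entries = {}, {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# "):                       # "# file:", "# owner:", "# group:"
            key, _, val = line[2:].partition(": ")
            meta[key] = val
        elif not line.startswith("default:"):           # default:* entries only govern new files
            tag, qual, perms = line.split("#")[0].strip().split(":")  # drop "#effective" tails
            entries[(tag, qual)] = set(perms) - {"-"}
    return meta["owner"], meta["group"], entries

def effective_perms(acl, user, groups):
    """POSIX ACL check order: owner, named user, owning/named groups (union), other.
    The mask caps named-user and group entries; owner and other are never masked."""
    owner, group, acl_map = parse_getfacl(acl)
    mask = acl_map.get(("mask", ""), set("rwx"))
    if user == owner:
        return acl_map[("user", "")]
    if ("user", user) in acl_map:
        return acl_map[("user", user)] & mask
    hits = [acl_map[("group", "" if g == group else g)] for g in groups if g == group or ("group", g) in acl_map]
    return set().union(*hits) & mask if hits else acl_map[("other", "")]

def writers(acl):
    """Every entry with an effective 'w': the audit to run on an admin-only directory."""
    owner, group, acl_map = parse_getfacl(acl)
    mask = acl_map.get(("mask", ""), set("rwx"))      # owner and other bypass the mask
    return ["%s:%s" % (tag, qual or (owner if tag == "user" else group))
            for (tag, qual), perms in acl_map.items() if tag != "mask" and "w" in
            (perms if tag in ("user", "other") and not qual else perms & mask)]
```

Running writers() on the sample returns only user:root; widening group:developers to rwx makes the group show up, unless the mask is tightened to r-x, which is why the mask line in a getfacl dump deserves as much attention as the named entries.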

Finally, I want to say thank you to one of our partners in Portugal, Miguel Silva from Goris, for helping us track and debug issues with this and solve them successfully.

A post by Enrique Hernandez