Shared folders¶
A shared folder is a place where files can be accessed by a group of people using Samba (SMB/CIFS).
Shared folder are part of the File server application in the new Server Manager. The application dashboard now integrates the Samba status module, which displays shared folder usage in real time.
To create, edit and delete a shared folder go to the Shared folders page.
Requirements¶
Shared folders use ACL (Access Control List) to provide flexible permission on files and directories.
To enable ACL, the filesystem must be mounted with the acl
option.
The acl
option is already enabled on XFS
, the default CentOS filesystem,
and usually even on Ext3
and Ext4
filesystems.
Enabling ACL¶
On Ext2/3/4 filesystems, use tune2fs
command to check if acl
option is already enabled:
tune2fs -l /dev/sdXY | grep "Default mount options:"
Where sdXY
is the name of your partition, the output should look like this:
Default mount options: user_xattr acl
If the acl
option is not enabled, add the option inside the /etc/fstab
:
/dev/mapper/VolGroup-lv_root / ext4 defaults,acl 0
Or use tune2fs
to enable as default mount option:
tune2fs -o acl /dev/sdXY
Authorizations¶
If Active directory is selected as account provider, a shared folder is owned by a group of users (Owning group). Each member of the group is allowed to read the folder contents. Optionally the group can be entitled to modify the folder contents and the read permission can be extended to everyone accessing the system. This simple permission model is based on the traditional UNIX file system permissions.
Access privileges can be refined further with the ACL tab, allowing individual users and other groups to gain read and write permissions.
ACLs can also be set on individual files and directories from a Windows client, if the user has enough permissions – see section Change resource permissions from Windows clients for details.
Warning
Some ACLs settings supported by Windows clients cannot be translated to POSIX ACLs supported by NethServer, thus they will be lost when they are applied
At any time, the Reset permissions button propagates the shared folder UNIX permissions and POSIX ACLs to its contents.
If Guest access is enabled, any provided authentication credentials are considered valid.
If an LDAP account provider is selected or there is no account provider at all, any access to shared folders is considered as Guest access so that everyone is allowed to read and write its content.
Network access¶
SMB/CIFS is a widely adopted protocol that allows to share files across a computer network. The shared folder name becomes the SMB “share name”.
For instance, the SMB network addresses of the docs
share could be
\\192.168.1.1\docs
\\MYSERVER\docs
Warning
Authenticated access to shared folders is available with an Active Directory accounts provider. LDAP provider allows guest access only.
When accessing a SMB share, some user interfaces provide a single user name field. In that case, specify the user short name prefixed with the NetBIOS domain name. For instance, if the NetBIOS domain name is “DOMAIN” and the user name is “john.smith”, the domain-prefixed user name to access a SMB share is:
DOMAIN\john.smith
On the contrary, some applications provide separate input fields for the NetBIOS domain name and the user name; in that case fill in the input fields individually.
Network recycle bin¶
If the option Network recycle bin is enabled, removed files are actually moved into a special “wastebasket” directory. The Keep copies of files with the same name keeps distinct file names inside the wastebasket directory, preventing overwrites.
Hide a shared folder¶
If Browseable is enabled, the shared folder is listed publicly. This does not affect the permission to use this resource.
Home share¶
Each NethServer user has a personal shared folder that is mapped to his Unix home directory. The SMB share name correspond to the user short name. For example:
user short name
john.smith
server name
MYSERVER
server address
192.168.1.2
The SMB network address is:
\\MYSERVER\john.smith
\\192.168.1.2\john.smith
Provide John’s credentials as explained in Network access.
Tip
The Unix home directory is created the first time the user accesses it by either SMB or SFTP/SSH protocol.
Change resource permissions from Windows clients¶
When an user connects to a shared folder with a Windows client, he can change permissions on individual files and directories. Permissions are expressed by Access Control Lists (ACLs).
Warning
Some ACLs settings supported by Windows clients cannot be translated to POSIX ACLs implemented by NethServer, thus they will be lost when they are applied
Only the owner of a resource (being it either file or directory) has full control over it (read, write, change permissions). The permission to delete a resource is granted to users with write permissions on the parent directory. The only exception to this rule is described in the Administrative access section.
When a new resource is created, the owner can be defined by one of the following rules:
the owner is the user that creates the resource
the owner is inherited from the parent directory
To enforce one of those rules, go to Windows file server page and select the corresponding radio button under When a new file or directory is created in a shared folder section.
Warning
The Owning group setting of a shared folder does not affect the owner of a resource. See also the Authorizations section above
Administrative access¶
The Windows file server page allows to grant special privileges to
members of the Domain Admins
group:
extend the owner permission by enabling the Grant full control on shared folders to Domain Admins group checkbox
access other users’ home directories by enabling the Grant full control on home directories to Domain Admins group (home$ share) checkbox. To access home directories connect to the hidden share
home$
. For instance, the SMB network address is:\\MYSERVER\home$ \\192.168.1.2\home$
Auditing¶
Note
The audit module has been integrated inside the File server application of the new Server Manager.
Samba audit is a module that keeps track of all users activities on shared folders. Auditing is disabled by default and must be explicitly enabled for each folder.
Actions are logged to a file during the the day and are moved to a browseable database overnight.
By default, to avoid the database overloading, read actions like access to files and directories are saved only inside /var/log/smbaudit.log
.
To change this behavior and store read actions inside the database, access the Settings page and enable the Enable auditing of read actions.
The auditing report is available under the Audit page.
The same report is also available from the old Server Manager inside the Applications page.