Hey everyone! I'm looking for some guidance on best practices for managing Samba shares, especially when it comes to setting permissions for multiple Active Directory (AD) groups. Here are a few specific questions I have:
1. Is it better to manage access controls at the smb.conf configuration level or through Access Control Lists (ACLs)?
2. If I decide to manage access via smb.conf, is it okay to set folder and file permissions to 777, or does that compromise security?
3. With ACLs, when I need to add a new AD group, should I simply modify the ACL and then reapply those permissions to all files and folders? This seems inefficient, especially since we have around 50 million files on one of our servers.
4. Lastly, how do folks usually manage Samba without a graphical user interface? Is adjusting these settings manually common practice?
For reference, I'm running on RHEL 9 with a Ceph storage backend. Thanks in advance for your help!
2 Answers
I recommend creating specific groups for each share, like read-only, read-write, and admin groups. For instance, if your share is named 'SAMPLE', you could have groups named 'SHARE-SAMPLE-RO', 'SHARE-SAMPLE-RW', and 'SHARE-SAMPLE-ADMIN'. The admin group can manage user access without cluttering things up. Also, avoid nesting groups; it makes permission tracking a nightmare. Keep it simple: more groups might mean more work initially, but it pays off in clearer access levels!
Thanks for this advice! Just one more question: what kind of permissions should I set (like chmod) for those shared folders? Is 755 good enough, and should 'root' remain the owner?
When it comes to setting permissions, I really advise against using 777 as it opens up too many vulnerabilities. Instead, aim for something like 755 or even 770 depending on your needs. You generally don’t need to mess with ACLs for basic usage, just ensure the groups are set properly, and your file ownership is correct. It makes everything more straightforward!
Appreciate the insight! So sticking with 755 for the shared folders should keep things secure, right?
Exactly! Keeping permissions tight while allowing the right group access is key. You should totally avoid giving root ownership over shares unless absolutely necessary.
I came from somewhere where they didn't do this, and once I saw it in action elsewhere, I realized how beneficial it was to have things organized this way—even if it means creating lots of groups!