
Recipe 23.9. Controlling Share Access with Access Control Lists

23.9.1 Problem

You would like to limit who can access a particular Samba share, either by username or group name.

23.9.2 Solution

Use the valid users directive in smb.conf, as follows:

[share1]
   path = /sharedstuff
   comment = testfiles
   read only = No
   valid users = andrew foober dana

Unix groups are indicated by a plus sign (+):

   valid users = +sambausers

The groups must exist on the server, in /etc/group. They are ordinary Linux groups; you don't need to create special Samba groups.

You may also exclude users or groups, using invalid users:

   invalid users = root  +wheel  +bannedusers

Remember to restart Samba after changing smb.conf.

23.9.3 Discussion

If you have no network information services (NIS) groups, use the plus sign to tell Samba to look only for Unix groups.

Using @ (for example, @bannedusers) tells Samba to first search the NIS database, then Unix.

To use only NIS groups, use the ampersand: &bannedusers.
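An added example, not part of the original recipe: a short Python audit that parses a constructed smb.conf, classifies each valid users and invalid users entry by the group prefixes described above, and flags shares that have no valid users line or that list the same name in both directives. The function names and the sample configuration are assumptions made for illustration, and defaults inherited from [global] are not modeled.

```python
import re

# Lookup order for each group prefix, as given in the Discussion above.
LOOKUP = {"+": "Unix groups only", "@": "NIS, then Unix", "&": "NIS only"}

# Constructed sample configuration for this example.
SAMPLE = """\
[share1]
   path = /sharedstuff
   valid users = andrew foober +sambausers
   invalid users = root +wheel foober

[scratch]
   path = /tmp/scratch
"""

def parse_shares(text):
    """Return {section: {option: value}}; names are lower-cased."""
    shares, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def entries(value):
    """Split a user list into (kind, name, lookup) tuples."""
    return [("group", t[1:], LOOKUP[t[0]]) if t[0] in LOOKUP else ("user", t, None)
            for t in re.split(r"[,\s]+", value) if t]

def audit(text):
    """Flag shares with no valid users list or with a name in both lists."""
    findings = []
    for share, opts in parse_shares(text).items():
        if share == "global":
            continue  # [global] is not a share; its defaults are not modeled
        valid = entries(opts.get("valid users", ""))
        denied = {e[:2] for e in entries(opts.get("invalid users", ""))}
        if not valid:
            findings.append((share, "no valid users restriction"))
        findings += [(share, f"{k} {n} is in both lists")
                     for k, n, _ in valid if (k, n) in denied]
    return findings
```

Calling audit() on the text of a real smb.conf returns a list of (share, finding) pairs to review before restarting Samba.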

23.9.4 See Also

  • smb.conf(5)
