FileServer LXC permissions on dataset

[LordRatner]

Hello everyone!

I'm setting up a turnkey fileserver mounted to a zpool dataset that will hold all the NAS data, such as movies. frigate recordings, personal files, etc in different shares.

What's the smartest way to handle permissions on the dataset? As I understand it, Samba just passes the samba user to the dataset to check permissions. So that means I'd have to create the same set of users on the zpool host as in the fileserver, *or* make the dataset read/write for everyone (777). Is there a way in between these two options? Just for general security I'd rather not have the dataset permissions set to 777, but I'd also rather not have to create duplicate users on the zpool host when I add family members to samba.

Ideally I'd like samba usernames and passwords used when communicating between hosts and samba, but then when samba stores or accesses the data it just uses a single permissioned user on the zpool dataset host.

Cheers

 

[Dunuin]

There is a file mapping SMB users to Linux users: https://www.linuxtopia.org/online_b...ation_guides/using_samba_book/ch06_02_10.html
You could for example create a new linux user "alice" with UID 1000 and "bob" with UID 1001. Then create SMB credentials "Alice" and map it to "alice", "Bob" and map it to "bob". Accessing a SMB share with credentials of "Bob" then would only allow to access folders UID 1001 got access to but not folders owned by UID 1000.
So you indeed could work with Linux users and groups for access management. And if you want more complex stuff SMB and ZFS also would allow to work with ACLs.

In case you are using a unprivileged LXC you will also have to work with bind-mounts and user remapping like described here: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
Otherwise a folder on the host then for example would need to be owned by UID 101001 in order to be accessible by UID 1001 inside the LXC.

 

[LordRatner]

There is a file mapping SMB users to Linux users: https://www.linuxtopia.org/online_b...ation_guides/using_samba_book/ch06_02_10.html
You could for example create a new linux user "alice" with UID 1000 and "bob" with UID 1001. Then create SMB credentials "Alice" and map it to "aliSce", "Bob" and map it to "bob". Accessing a SMB share with credentials of "Bob" then would only allow to access folders UID 1001 got access to but not folders owned by UID 1000.
So you indeed could work with Linux users and groups for access management. And if you want more complex stuff SMB and ZFS also would allow to work with ACLs.

In case you are using a unprivileged LXC you will also have to work with bind-mounts and user remapping like described here: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
Otherwise a folder on the host then for example would need to be owned by UID 101001 in order to be accessible by UID 1001 inside the LXC.

Could I map multiple SMB users to the same linux user? So if I created Samba user "Bob" with access to samba share "bob's share" (rpool/testshare/bob) and user "Alice" with access to "alice's share" (rpool/testshare/alice), and linux user "smbshare" with permissions on rpool/testshare, and mapped both Alice and Bob to linux user smbshare, then Samba would still restrict access to samba shares based on samba user permissions, but once those permissions were validated in samba, would read/write to the dataset using the smbshare user...

Am I making sense?

 

[Dunuin]

For that you got linux groups. Create a group "smbshare", make linux users "alice" and "box" members of that group and set the dataset to be owned by group "smbshare". Then both linux users "alice" and "bob" should be able to access it as well as SMB users "Alice" mapped to "alice" and "Bob" mapped to "bob".