I have configured only one user to read/write that share, and we would like to configure it such that all other users who try to enumerate shares from a client will not find this specific restricted share in the enum list. So we tried "access based share enum = yes" both in the global section and the share-specific section in smb.conf. But all clients were able to list it using "net view".

Here is part of the relevant smb.conf:

    [Global]
        access based share enum = yes

    [RestrictShare1]
        access based share enum = yes
        read list = user1000000,
        write list = user1000000,
        guest ok = no
        valid users = user1000000,
        path = /mnt/exportfs/c761f338c84c44324bfd676a1f43c6409996afdc
        read only = no
This is actually working as designed - just the documentation sucks on it :-).

access based share enum

causes smbd to look at the share *security descriptor*, which is stored inside the share_info.tdb, not the listed permissions on the share in the smb.conf.

You need to use the Windows share admin tool to set a security descriptor on the share, not the permissions in the smb.conf.

The reason for this is that it's actually quite hard to determine if a user would have access to a share at enumeration time, due to things like "force user" etc. on a share definition. So currently this only checks the SD stored for the share, not the text based perms.

Jeremy.
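An added example, not from this bug report or from the Samba project: a lint over smb.conf text that flags shares where access based share enum is enabled while access is restricted through smb.conf user lists, the situation reported here. The function names and the sample configuration are constructed for illustration; the script cannot read the security descriptor in share_info.tdb, so a finding only means the descriptor still has to be checked.

```python
import re

# smb.conf user restrictions that are not read when shares are enumerated
TEXT_PERMS = {"validusers", "invalidusers", "readlist", "writelist"}
TRUE_VALUES = {"yes", "true", "on", "1"}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {lowercased section name: {normalized parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def abse_shares_relying_on_text_perms(text):
    """Shares with ABSE on (directly or via [global]) that carry smb.conf
    user lists; their share security descriptor needs a separate check."""
    sections = parse_smb_conf(text)
    default = sections.get("global", {}).get("accessbasedshareenum", "no")
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        abse = params.get("accessbasedshareenum", default)
        used = sorted(TEXT_PERMS & params.keys())
        if abse.lower() in TRUE_VALUES and used:
            findings.append((name, used))
    return findings

# Constructed sample, modelled on the configuration in the report above
SAMPLE = """[Global]
access based share enum = yes
[RestrictShare1]
read list = user1000000,
valid users = user1000000,
[Public]
path = /srv/public
"""
if __name__ == "__main__":
    print(abse_shares_relying_on_text_perms(SAMPLE))
```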
Jeremy,

Thanks for taking the time and explaining the behavior, appreciated.

Regards.
Krishna Harathi

On Fri, Nov 21, 2014 at 2:59 PM, <samba-bugs@samba.org> wrote:

> https://bugzilla.samba.org/show_bug.cgi?id=10937
>
> Jeremy Allison <jra@samba.org> changed:
>
>            What |Removed |Added
> ----------------------------------------------------------------------------
>          Status |NEW     |RESOLVED
>      Resolution |---     |WORKSFORME