I’m a bit puzzled by this: someone who no longer works at our company told our client before leaving that what I’m about to describe is feasible, but I’m at a loss for how.
Our client is getting an SMB share as read-only from one of their partners. I have absolutely no control over this. This share is mounted on one of our file servers at /mnt/share.
My task is to set up a share from /mnt/share to the client's Active Directory users, which I have done successfully, but I also need to set permissions on certain sensitive subfolders that should be accessible by only certain Active Directory groups. (For example, only users in the Accounting group should be able to read the "Accounting" subfolder.)
According to all documentation I’ve read, this is impossible because the files "on disk" are read-only (since they are really just a mounted smb share). Attempts to set permissions anyway have been met with no feedback.
The file server is RHEL 7.x (it is in the correct AD realm) and I also have Admin access to Active Directory.
To summarize:
Partner SMB share (read only) ---> File server | SMB share ---[This is where I need to set permissions]---> user machines.
2 Answers
I've had confirmation from a seasoned veteran that what I'm trying to do cannot be done. Since the "disk" that I'm sharing is mounted read-only, neither Linux nor Windows will let me apply permissions to specific folders inside the share, unless this was done from the original share, which I cannot control.
The only access control I've managed to apply was by pointing compmgmt.msc to the Linux share server, and managing the "share access" security options to only allow a certain group to access the entire share.
• Since the SMB share itself has read-only permissions on the RHEL 7.X file server, they define the on-disk permissions set for that share on the file server as well as the other network resources that access it. Thus, as the file server has authority over the SMB share and only read-only access has been defined on it for all other users that access it, even if you try to map it on other systems that run Windows, it will only be a read-only folder without any other permissions on it.
Hence, to set file and folder level ACL permissions on it, you will have to enable read, write, and execute permissions for all the users on that share and then map it on a Windows system by logging in to it with AD administrator credentials and set custom permissions accordingly in its directory as per the requirement. In this way, you would be able to assign the correct permissions to a user/group or a resource on a file/folder or a directory in that share.
Thus, to change the permissions of the ‘/mnt/share’ on the RHEL 7.X file server, please execute the below command in the terminal by logging in as the root user.
Browse to the SMB share in the Linux terminal and run ‘ls -dl’; it will show all the permissions set for the share. Then run ‘chmod a=rwx’; this will set ‘Read, write and execute’ permissions on the share for all the users. Then, run ‘ls -l’ again in the terminal to check the newly modified permissions on the share. It should display as ‘drwxrwxrwx’, which means the permissions have been set correctly.
Please refer to the below link for more reference:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/assembly_managing-file-permissions_configuring-basic-system-settings
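A read-only check that can be run on the file server before trying to change modes or ACLs under /mnt/share, as an added example that is not part of either answer: it reads a /proc/mounts-format table and reports which mount backs a path, its filesystem type, and whether it is mounted ro or rw. The function names `mount_info` and `check_share` and the sample mount table (host name and options included) are made up for illustration.

```sh
#!/bin/sh
# Added example. SAMPLE_MOUNTS is constructed; host and options are made up.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime 0 0
//partner.example/export /mnt/share cifs ro,relatime,vers=3.0 0 0
/dev/sdb1 /srv/data xfs rw,noatime 0 0'

# mount_info PATH [MOUNTS_FILE|-]
# Prints "<mountpoint> <fstype> <ro|rw>" for the mount that backs PATH.
mount_info() {
    awk -v target="$1" '
        {
            mnt = $2
            gsub(/\\040/, " ", mnt)          # spaces are escaped as \040
            prefix = (mnt == "/") ? "/" : mnt "/"
            # Longest matching mount point wins; a later line of equal
            # length is an over-mount and replaces the earlier one.
            if (index(target "/", prefix) == 1 && length(mnt) >= length(best)) {
                best = mnt; fstype = $3; opts = $4
            }
        }
        END {
            if (best == "") exit 1
            state = (("," opts ",") ~ /,ro,/) ? "ro" : "rw"
            print best, fstype, state
        }
    ' "${2:-/proc/mounts}"
}

# check_share PATH [MOUNTS_FILE|-]
# Returns 0 when PATH sits on a writable local filesystem, 1 when the mount
# is read-only or remote (permissions live on the server), 2 if unknown.
check_share() {
    info=$(mount_info "$@") || { echo "$1: no mount entry found"; return 2; }
    state=${info##* }; rest=${info% *}; fstype=${rest##* }
    if [ "$state" = ro ]; then
        echo "$1: read-only $fstype mount, mode/ACL changes cannot be stored here"
        return 1
    fi
    case "$fstype" in
        cifs|smb3|nfs|nfs4)
            echo "$1: remote $fstype mount, permissions live on the server"
            return 1 ;;
    esac
    echo "$1: writable local $fstype, chmod/setfacl apply here"
}

# Demo against the constructed table ("-" makes awk read standard input).
printf '%s\n' "$SAMPLE_MOUNTS" | check_share /mnt/share/Accounting - || true
```

On the real server, call `check_share /mnt/share/Accounting` with no second argument so that it reads the live /proc/mounts.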