Create SMB share access control lists
-
PDF of this doc site
- Cluster administration
-
Volume administration
- Logical storage management with the CLI
-
NAS storage management
- Configure NFS with the CLI
- Manage NFS with the CLI
-
Manage SMB with the CLI
- Manage file access using SMB
- Security and data encryption
- Data protection and disaster recovery
Collection of separate PDF docs
Creating your file...
Configuring share permissions by creating access control lists (ACLs) for SMB shares enables you to control the level of access to a share for users and groups.
You can configure share-level ACLs by using local or domain Windows user or group names or UNIX user or group names.
Before creating a new ACL, you should delete the default share ACL Everyone / Full Control
, which poses a security risk.
In workgroup mode, the local domain name is the SMB server name.
-
Delete the default share ACL:`vserver cifs share access-control delete -vserver <vserver_name> -share <share_name> -user-or-group Everyone`
-
Configure the new ACL:
If you want to configure ACLs by using a… Enter the command… Windows user
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type windows -user-or-group <Windows_domain_name\user_name> -permission <access_right>
Windows group
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type windows -user-or-group <Windows_domain_name\group_name> -permission <access_right>
UNIX user
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type <unix-user> -user-or-group <UNIX_user_name> -permission <access_right>
UNIX group
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type <unix-group> -user-or-group <UNIX_group_name> -permission <access_right>
-
Verify that the ACL applied to the share is correct by using the
vserver cifs share access-control show
command.
The following command gives Change
permissions to the “Sales Team” Windows group for the “sales” share on the "`vs1.example.com` "SVM:
cluster1::> vserver cifs share access-control create -vserver vs1.example.com -share sales -user-or-group "DOMAIN\Sales Team" -permission Change cluster1::> vserver cifs share access-control show -vserver vs1.example.com Share User/Group User/Group Access Vserver Name Name Type Permission ---------------- ----------- -------------------- --------- ----------- vs1.example.com c$ BUILTIN\Administrators windows Full_Control vs1.example.com sales DOMAIN\Sales Team windows Change
The following command gives Read
permission to the "engineering" UNIX group for the "eng" share on the "vs2.example.com" SVM:
cluster1::> vserver cifs share access-control create -vserver vs2.example.com -share eng -user-group-type unix-group -user-or-group engineering -permission Read cluster1::> vserver cifs share access-control show -vserver vs2.example.com Share User/Group User/Group Access Vserver Name Name Type Permission ---------------- ----------- ------------------- ----------- ----------- vs2.example.com c$ BUILTIN\Administrators windows Full_Control vs2.example.com eng engineering unix-group Read
The following commands give Change
permission to the local Windows group named "Tiger Team" and Full_Control
permission to the local Windows user named "Sue Chang" for the "datavol5" share on the "vs1" SVM:
cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5 -user-group-type windows -user-or-group "Tiger Team" -permission Change cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5 -user-group-type windows -user-or-group "Sue Chang" -permission Full_Control cluster1::> vserver cifs share access-control show -vserver vs1 Share User/Group User/Group Access Vserver Name Name Type Permission -------------- ----------- --------------------------- ----------- ----------- vs1 c$ BUILTIN\Administrators windows Full_Control vs1 datavol5 Tiger Team windows Change vs1 datavol5 Sue Chang windows Full_Control