Solaris CIFS Administration Guide

How to Restrict Client Host Access to a CIFS Share (sharemgr)

This procedure describes how to use the sharemgr command to restrict access to a share group based on a client's host address. This feature is known as host-based access control.

A client host is permitted to have only one of the following types of access to a share:

For more information about access lists, see the sharemgr(1M) man page.

  1. Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the kind of access you want to grant for each client host.

  3. Restrict access by particular hosts to a share group.


    # sharemgr set -P smb -p ro=hostname[:hostname] group-name
    # sharemgr set -P smb -p rw=hostname[:hostname] group-name
    # sharemgr set -P smb -p none=hostname[:hostname] group-name
    

    hostname can be a host name, a netgroup, or an IP address. group-name is the share group.

    You can specify the host access policy by combining the access settings in a single command. For example, the following command specifies how particular hosts can access the nw-sales share group. mercury and venus have read-write access, mars has read-only access, and neptune has no access.


    # sharemgr set -P smb -p rw=mercury:venus -p ro=mars -p none=neptune nw-sales
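The rule that a client host has only one type of access can be checked before the policy is applied. The following is an added example, not part of the original guide: `build_smb_acl` is a hypothetical helper that rejects a policy naming the same entry in more than one list and otherwise prints the combined `sharemgr` command for review, without running it.

```shell
#!/bin/sh
# Added example (not from the guide). build_smb_acl is a hypothetical helper:
# it prints a sharemgr command for review and never runs it.
#
# usage: build_smb_acl GROUP RW_LIST RO_LIST NONE_LIST
# Each list is colon-separated, as in the sharemgr syntax above; pass "" to
# leave an access type out.
build_smb_acl() {
    group=$1 rw=$2 ro=$3 none=$4
    if [ -z "$group" ]; then
        echo "error: share group name required" >&2
        return 2
    fi
    if [ -z "$rw$ro$none" ]; then
        echo "error: no access list given" >&2
        return 2
    fi
    # Flatten the three lists to one entry per line and report repeats.
    # The comparison is literal: a host named once by name and once by IP
    # address, or also covered by a netgroup, is not detected here.
    dups=$(printf '%s\n' "$rw" "$ro" "$none" | tr ':' '\n' |
           sed '/^$/d' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "error: listed more than once:" $dups >&2
        return 1
    fi
    # ${var:+...} adds a -p option only for the lists that are non-empty.
    echo "sharemgr set -P smb${rw:+ -p rw=$rw}${ro:+ -p ro=$ro}${none:+ -p none=$none} $group"
}

# Constructed sample policies for the nw-sales group from the example above.
build_smb_acl nw-sales mercury:venus mars neptune
build_smb_acl nw-sales mercury:venus mars venus || echo "policy rejected"
```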