This procedure describes how to use the ZFS file system sharesmb property to restrict access to a share based on a client's host address. This feature is known as host-based access control.
A client host is permitted to have only one of the following types of access to a share:
For more information about access lists, see the sharemgr(1M) man page.
Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Determine the kind of access you want to grant for each client host.
Restrict access by particular hosts to a dataset.
# zfs set sharesmb=ro=hostname[:hostname] dataset
# zfs set sharesmb=rw=hostname[:hostname] dataset
# zfs set sharesmb=none=hostname[:hostname] dataset
hostname can be a host name, a netgroup, or an IP address. dataset is the name of the dataset.
You can specify the host access policy by combining the access settings in a single command. For example, the following command specifies how particular hosts can access files/acme.sales.logs. mercury and venus have read-write access, mars has read-only access, and neptune has no access.
# zfs set sharesmb=rw=mercury:venus,ro=mars,none=neptune files/acme.sales.logs
Ensure that your existing dataset property values are not lost when changing the sharesmb property for that dataset. If you previously set sharesmb property values, specify them all again along with the new value on the zfs set command line. If the existing property values are not specified again, the values are lost or reset to default values, if appropriate.
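One way to avoid losing settings when changing a single access list, shown as an added example that is not part of the original documentation: the hypothetical helper merge_sharesmb builds the full new sharesmb value from the current value plus the change, and reports a host that would land in more than one of the rw, ro, and none lists. It assumes the property value is a comma-separated list of options in the form used in the example above.

```shell
#!/bin/sh
# Added example. merge_sharesmb CURRENT NEW
# Prints CURRENT with every option in NEW added or replaced, so settings
# that are not being changed are carried into the new sharesmb value.
# Assumes the comma-separated option form shown in the example above.
# Returns 1 if a name appears in more than one of the rw/ro/none lists
# (literal match only; netgroup membership is not expanded).
merge_sharesmb() {
    # "on", "off" and "-" hold no per-option settings to preserve.
    case "$1" in on|off|-) cur="" ;; *) cur="$1" ;; esac
    printf '%s\n%s\n' "$cur" "$2" | awk -F, '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue
            eq = index($i, "=")
            key = (eq ? substr($i, 1, eq - 1) : $i)
            if (!(key in val)) order[++n] = key     # keep first-seen order
            val[key] = (eq ? substr($i, eq) : "")   # value from NEW wins
        }
    }
    END {
        bad = 0
        for (k = 1; k <= n; k++) {
            key = order[k]
            out = out (k > 1 ? "," : "") key val[key]
            if (key != "rw" && key != "ro" && key != "none") continue
            m = split(substr(val[key], 2), hosts, ":")
            for (j = 1; j <= m; j++) {
                h = hosts[j]
                if ((h in seen) && seen[h] != key) {
                    print "conflict: " h " in " seen[h] " and " key > "/dev/stderr"
                    bad = 1
                }
                seen[h] = key
            }
        }
        print out
        exit bad
    }'
}

# Usage on the file server (commented out so the block runs anywhere):
#   cur=$(zfs get -H -o value sharesmb files/acme.sales.logs)
#   zfs set sharesmb="$(merge_sharesmb "$cur" none=neptune)" files/acme.sales.logs
```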