How to Restrict Client Host Access to an SMB Share (zfs)

This procedure describes how to use the ZFS file system's share property to restrict access to a share based on a client's host address. This feature is known as host-based access control.

A client host is permitted to have only one of the following types of access to a share:

  • Read-only access

  • Read-write access

  • No access

For more information about the access control mechanisms that are used for shares, see Host-Based Access Control to SMB Shares.

This procedure shows how to use the zfs command to restrict client host access, but you can also use the share command for other file system types. See the share(8) man page.

For information about access lists, see the share_smb(8) man page.

  1. Become an administrator.
  2. Determine the type of access you want to grant for each client host.
  3. Restrict access by particular hosts to a share.
    $ zfs share -o share.smb=on -o share.smb.ro=hostname[:hostname] pool/dataset%share-name
    $ zfs share -o share.smb=on -o share.smb.rw=hostname[:hostname] pool/dataset%share-name
    $ zfs share -o share.smb=on -o share.smb.none="" pool/dataset%share-name

    hostname
        A host name, a netgroup, or an IP address

    pool/dataset%share-name
        Name of the dataset and share being shared

    You can specify the host access policy by combining the access settings in a single command.

Example 3-9 Setting Host Access Policy by Using a Single Command

The following command specifies how particular hosts can access the acme.sales.logs share. The mercury and venus hosts have read-write access, mars has read-only access, and neptune has no access.

$ zfs share -o share.smb=on -o share.smb.rw=mercury:venus,ro=mars,none="*" \
tank/sales/logs%acme.sales.logs
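
Because a client host can have only one type of access, a policy can be checked for overlapping entries before it is applied. The following is an added example, not part of the original procedure: the function name smb_host_policy is hypothetical, and it assumes that "*" is a wildcard entry as used in Example 3-9.

```shell
#!/bin/sh
# Added example: validate a host access policy before passing it to zfs share.
# Usage: smb_host_policy RW_LIST RO_LIST NONE_LIST   (colon-separated lists)
# Prints the access settings in the combined form used in Example 3-9 and
# returns 0, or prints an error to stderr and returns 1.
# Assumption: "*" is a wildcard entry (as in Example 3-9), so it is exempt
# from the overlap check. IPv6 literals are not handled.
# Intended use (not executed here):
#   zfs share -o share.smb=on -o "$(smb_host_policy mercury:venus mars '*')" \
#       tank/sales/logs%acme.sales.logs

smb_host_policy() (
    [ $# -eq 3 ] || { echo "usage: smb_host_policy RW RO NONE" >&2; return 1; }
    set -f                      # keep "*" from being expanded as a glob
    seen=" " out=""
    for type in rw ro none; do
        list=$1; shift
        [ -n "$list" ] || continue
        cur=""
        IFS=:                   # lists are colon-separated
        for host in $list; do
            case $host in
                "")  echo "empty host in $type list" >&2; return 1 ;;
                *[,=[:space:]]*)
                     # These characters would alter the option string itself.
                     echo "invalid host '$host' in $type list" >&2; return 1 ;;
                "*") continue ;;
            esac
            case $seen in
                *" $host "*)
                     echo "host '$host' has more than one access type" >&2
                     return 1 ;;
            esac
            cur="$cur$host "
        done
        seen="$seen$cur"        # hosts from this list now count as assigned
        out="${out:+$out,}$type=$list"
    done
    [ -n "$out" ] || { echo "no access lists given" >&2; return 1; }
    printf 'share.smb.%s\n' "$out"
)
```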