TomatoUSB

So I have a bunch of Windows machines, a router running Tomato Firmware v1.28.7500 MIPSR2Toastman-RT K26 USB Ext, and a spare 2TB drive.

I want some folders on the drive to be public (full access to anyone on the network), and some to be restricted to certain users.

Setting up a public share was amazingly easy:
Disable Auto-share all USB partitions, and add the public folder as an Additional Share.
Works great (thank you Toastman, et al)!

But I cannot for the life of me figure out how to share other folders so they are visible to, and accessible by, only certain users.

The best I've come up with is an ungainly way to give permissions to specific machines (not users).

1) Is there a way to do this per user instead of per machine?
or
2) Is there a better way to do what I'm trying to do?

Here's what I've ended up with:
The 'privileged' machines have to have static ipaddresses assigned (aargh!)
Then I can set up Samba shares with the following custom configuration:

# Allow browse + access for specific ip addresses via include files
# named -- [ipaddress].conf containing 
# browseable = yes ; hosts allow = ALL 

[NAS_Root]
path = /tmp/mnt/foo_drive
writable = yes
browseable = no
hosts deny = ALL EXCEPT 127.0.0.1
include = /tmp/mnt/foo_drive/samba/ipallowshare/root/%I.conf
force user = root

[PrivateShare]
path = /tmp/mnt/foo_drive/private_folder
writable = yes
browseable = no
hosts deny = ALL EXCEPT 127.0.0.1
include = /tmp/mnt/foo_drive/samba/ipallowshare/private_folder/%I.conf
force user = root

Then for each private share create a directory (e.g. samba/ipallowshare/private_folder) containing a text file for each ip address that has permission to access the shared folder.
Thus a bunch of identical text files named something like 192.168.1.155.conf, each containing this:

hosts allow = 192.168.1.
browseable = yes

It works, but it's per machine, not per user, and between making static ips and corresponding .conf files, it's pretty awkward to maintain.

Thoughts?

(Aside … the samba variable %u does not work with include statements, that much I figured out)

FTP is the best bet here. You can manage it easily from the GUI, without having to go in and vi those smb config files via ssh.

That said it really won't work for media. Like for say, streaming video. But for giving each person a chunk of disk space it will work.

Samba shares can go by user but I believe that could create for a difficult edit. I am by no means an expert. Would hidden samba shares be enough? What is the end goal?

The goal is to give 6-10 different (windows) users access to varying subsets of directories/folders … Everybody has access to a "public" directory tree.
Then there are a few more trees/subtrees that are available to specific users on a need-to-know basis.
And of course the boss gets to see everything :-)

Giving each user their own chunk of space wasn't in the current plan, but it might come up later.

The other piece of it was to hopefully offer just the right share up to a given set of windows credentials, so it is all pretty transparent to the user … they just have access to an appropriate mapped network drive that behaves like a local drive.

I may have to revisit FTP. The last time I tried something like this (admittedly a couple years ago) I couldn't really provide easy seamless access to an FTP server as though it was a local drive. And I don't think there was any way to grab the windows logon credentials, so the user had to logon every time.
I guess mentally I think of FTP for WAN access, [Samba] shares for LAN access. Maybe that's a rut I shouldn't be in …

So … is there an easy way to grab the user's windows credentials? That's where I thought I was going with the Samba shares, but ended up just being able to get their ip address. Which isn't really a good solution, either from a security or a maintenance perspective.

It sounds like Samba may have been a dead-end detour for me … it just looked like it was just what I wanted :-)

Can I set up FTP servers that act just like Windows LAN shares? What would the difference be from the user's perspective?

Thanks!

Edit: Actually, thinking about it, I don't think FTP is really suitable for say, opening a spreadsheet and editing it. I think I'm stuck with Samba shares. But I could easily be wrong — that's why I'm asking :-)