Can we use the "force group" option to specify an Active Directory group similar to how we can with "valid users" and "write list" on Linux (I saw that this is not supported at all on BSD when I searched the archives)? I ask because the man page for "force group" specifically says it is a Unix group name and prepending the "+" character seems to have a different purpose (the entire flow of the other parameters is quite different). In my limited testing, if I set the "force group" permission to a local Linux group or try to use the DOMAIN\DomainGroup, the result is the DOMAIN\Domain Users group being used in both cases. I believe I can accomplish something similar by setting the group +s (SGID) on the folder that the Samba share points to, which causes the files being created to have the AD group that I would like to always use.
McIntyre, Vincent (S&A, Marsfield)
2022-Sep-25 02:34 UTC
[Samba] Using Force Group with AD Group
On Sat, Sep 24, 2022 at 10:42:31PM +0000, Eddie Rowe via samba wrote:

>Can we use the "force group" option to specify an Active Directory
>group similar to how we can with "valid users" and "write list" on
>Linux (I saw that this is not supported at all on BSD when
>I searched the archives)? I ask because the man page for "force
>group" specifically says it is a Unix group name and prepending the
>"+" character seems to have a different purpose (the entire flow of
>the other parameters is quite different). In my limited testing if
>I set the "force group" permission to a local Linux group or trying
>to use the DOMAIN\DomainGroup results in the DOMAIN\Domain Users
>group being used in both cases. I believe I can accomplish
>something similar by setting the group +s (SGID) on the folder that
>the Samba share points to causes the files being created to have AD
>group that I would like to always use.

Question (since the manpage isn't specific about this case): did

force group = DOMAIN\Domain Group

work any different to

force group = +DOMAIN\Domain Group

for users that do (and do not) have that group as their primary?

It might help your debugging process if you add a preexec line, eg

[someshare]
preexec = /bin/sh -c 'echo \"%T someshare: user %u \(group %g, primary %G, dom %D\) coming from %m \(%M\) connected to %S \(%P\) as %U, path %p, protocol %R\" >> /tmp/connectlog.%u 2

Kind regards
Vince
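As an added example, not from either poster: a small POSIX shell check for the SGID workaround Eddie describes, confirming that the share root is group-owned by the intended group, carries the setgid bit so new files inherit that group, and is not world-writable. It assumes GNU coreutils `stat` (the `-c` option); the function name, share path and group name are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that a Samba share root is
# prepared for the SGID workaround: group-owned by the intended (AD or
# local) group, setgid set so new files inherit that group, and not
# world-writable. Assumes GNU coreutils `stat` (the -c format option).
#
# The matching share stanza would look like this (hypothetical names;
# with the "+" prefix the group is only forced for users already in it):
#   [projects]
#   path = /srv/samba/projects
#   force group = +DOMAIN\Project Group
#
# Returns 0 when all three conditions hold, 1 when any fails, 2 if the
# directory does not exist. Findings go to stdout, one per line.
check_sgid_share() {
    dir=$1
    want_group=$2
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 2770 or 755
    group=$(stat -c '%G' "$dir")    # group owner as a name
    # The setgid bit is the 2 in the leading digit of a four-digit mode
    # (2 setgid, 3 setgid+sticky, 6 setuid+setgid, 7 all three).
    case "$mode" in
        [2367]???) ;;
        *) echo "setgid not set on $dir (mode $mode): new files keep the creator's primary group"; rc=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "group owner is $group, expected $want_group"
        rc=1
    fi
    # An 'other' write bit lets any local account bypass the group policy.
    case "$mode" in
        *[2367]) echo "$dir is world-writable (mode $mode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$dir ok: setgid, group $group, mode $mode"
    return "$rc"
}

# Usage: sh check_sgid_share.sh /srv/samba/projects 'DOMAIN\Project Group'
if [ "$#" -ge 2 ]; then
    check_sgid_share "$1" "$2"
fi
```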