Thanks Rowland & Miguel,
Sorry, I didn't know setting in share overrides setting in global.
So I've in the global section "vfs objects = recycle acl_xattr",
but it
doesn't work either.
getent group <GROUP_NAME> command returns the group name correctly
(DOMAIN\group_name:x:10006:).
Nicolas
Le 23/02/2024 ? 10:23, Rowland Penny via samba a ?crit?:> On Fri, 23 Feb 2024 08:13:08 +0100
> Nicolas Boiss? via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have a Fedora server, part of a domain, on which various shares are
>> configured.
>>
>> For one share, I want to set up permissions according to the groups
>> to which the users belong. But it doesn't work. For example, I want
>> the share to be accessible by group A in read-write mode, and group B
>> in read-only mode. I use setfacl for this. But neither group A nor
>> group B have access to the share: "Access Denied".
>> The only way to access it is to authorize the "Domain Users"
group or
>> users instead of groups.
>>
>> On servers, groups are recognized (wbinfo -g), as is user group
>> membership (wbinfo -r).
> Yes, but does 'getent group <GROUP_NAME>' show anything ?
> 'wbinfo' just shows what is in AD, it is meaningless to Unix.
>
>> Below is my smb.conf file (Samba 4.19.4).
>>
>> Can you tell me what's wrong? Thanks a lot!
>>
>> ========>>
>> [global]
>>
>> workgroup = MYDOM
>> realm = MYDOM.FR
>> security = ADS
>>
>> bind interfaces only = yes
>> interfaces = lo eno1
>>
>> log level = 3 passdb:5 auth:5
>> log file = /var/log/samba/%U.log
>> max log size = 50000
>>
>> map to guest = bad uid
> Why 'bad uid' ?
> Guest access in AD is a bad idea at the best of times and if you are
> going to use it, then 'bad user' would be a better option, see
'man
> smb.conf'.
>
>> template shell = /bin/bash
>> template homedir = /home/%U
>>
>> username map script = /bin/echo
> Why '/bin/echo' ?
>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> idmap config MYDOM:backend = ad
>> idmap config MYDOM:schema_mode = rfc2307
>> idmap config MYDOM:range = 10000-999999
>> idmap config MYDOM:unix_nss_info = yes
>>
>> acl allow execute always = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>>
>> unix extensions = no
>>
>>
>> [ressources]
>> path = /data/ressources/
>> browseable = no
>> read only = no
>> force create mode = 770
>> force directory mode = 770
>> csc policy = disable
>> follow symlinks = yes
>> wide links = yes
>> hide dot files = yes
>> hide files = /desktop.ini/$RECYCLE.BIN/
>> vfs objects = recycle
> Did you know that setting 'vfs objects = recycle' in this
> share, overrides the 'vfs objects = acl_xattr' you have set in
> 'global', or to put it another way, you are only getting standard
Linux
> ugo permissions on this share, no extended ACL's.
>
> Rowland
>
>