Hello,
I'm trying to set the final permissions of my shares because we come from
an old samba managed by IP, and I've noticed that when I create a new file
it has the default user group (Domain Users) instead of the default configured
group.
I've used chown and chmod g+s to do it, and when I create a new file in
that folder from the terminal it keeps the group, but when I create a new file
from SMB it looks like samba ignores this flag and sets the group to the default
user group.
Is there any way to avoid this behaviour without setting the force group
option? Because Domain Users is the group of all users on the domain and is
too open.
My smb.conf is:
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
server role = member server
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
interfaces = lo br0 br0:0
bind interfaces only = yes
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config ACONFI:backend = rid
# idmap config ACONFI:schema_mode = rfc2307
idmap config ACONFI:range = 10000-999999
# winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
# winbind enum users  = yes
# winbind enum groups = yes
winbind offline logon = yes
# winbind cache time = 86400
winbind refresh tickets = Yes
# winbind expand groups = 4
winbind normalize names = Yes
# domain master = no
# local master = no
# vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 2
# Configure the recycle bin and the audit
vfs objects = recycle full_audit acl_xattr
# Recycle bin
recycle:repository = /server/share/Papelera/
recycle:keeptree = yes
recycle:versions = yes
# Do not recycle empty files
recycle:minsize = 1
# Exclude temporary files
recycle:exclude = *.tmp, *.TMP, *.temp, *.TEMP, *.o, *.obj, ~$*, *.lock, *.lck, *.sqlite-wal, *.bak, thumb.db
# Do not recycle scanner files
#recycle:exclude_dir = /server/share/Escaner/
# Audit
full_audit:prefix = %u|%I|%m|%R|%S
full_audit:success = chmod chmod_acl chown connect disconnect link mkdir pread pwrite read removexattr rename rmdir setxattr unlink write
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
[Laboral]
path = /server/share/Laboral
read only = no
browsable = yes
valid users = @laboral,administrator
I know that it is better to remove the "valid users" option and manage it by
ACLs, but I have to fix the ACLs first :P
Thanks!!
-- 
_________________________________________
      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________