McIntyre, Vincent (S&A, Marsfield)
2022-Sep-25 02:34 UTC
[Samba] Using Force Group with AD Group
On Sat, Sep 24, 2022 at 10:42:31PM +0000, Eddie Rowe via samba wrote:
> Can we use the "force group" option to specify an Active Directory
> group similar to how we can with "valid users" and "write list" on
> Linux (I saw that this is not supported at all on BSD when
> I searched the archives)? I ask because the man page for "force
> group" specifically says it is a Unix group name and prepending the
> "+" character seems to have a different purpose (the entire flow of
> the other parameters is quite different). In my limited testing if
> I set the "force group" permission to a local Linux group or trying
> to use the DOMAIN\DomainGroup results in the DOMAIN\Domain Users
> group being used in both cases. I believe I can accomplish
> something similar by setting the group +s (SGID) on the folder that
> the Samba share points to causes the files being created to have AD
> group that I would like to always use.

Question (since the manpage isn't specific about this case): did

   force group = DOMAIN\Domain Group

work any different to

   force group = +DOMAIN\Domain Group

for users that do (and do not) have that group as their primary?

It might help your debugging process if you add a preexec line, eg

   [someshare]
   preexec = /bin/sh -c 'echo \"%T someshare: user %u \(group %g, primary %G, dom %D\) coming from %m \(%M\) connected to %S \(%P\) as %U, path %p, protocol %R\" >> /tmp/connectlog.%u 2

Kind regards
Vince
Matthias Kühne | Ellerhold AG
2022-Sep-26 06:32 UTC
[Samba] Using Force Group with AD Group
Hello,

   force group = DOMAIN\Domain Group

Each operation on this share will now behave as if the connecting user has this group. So no more group-based ACL. If you want to share certain folders via group permissions, this gives everybody the group (even those that do not have it in the AD) and gives them access or denies it to them. Even more so, this group will be the primary group of the user during the connection. So everybody can access this share now because it behaves as if the user has this group.

   force group = +DOMAIN\Domain Group

If the connecting user has this group (either directly or inherited) it will set this to be their _primary_ group -- it does not add any group to any user at all. It just changes the primary group. All ACL checks still work! New files and directories are created with this group, so other people accessing the share can open them (if you're using group-based permissions).

Have a nice day,
Matthias.

On 25.09.22 at 04:34, McIntyre, Vincent (S&A, Marsfield) via samba wrote:
> On Sat, Sep 24, 2022 at 10:42:31PM +0000, Eddie Rowe via samba wrote:
>> Can we use the "force group" option to specify an Active Directory
>> group similar to how we can with "valid users" and "write list" on
>> Linux (I saw that this is not supported at all on BSD when
>> I searched the archives)? I ask because the man page for "force
>> group" specifically says it is a Unix group name and prepending the
>> "+" character seems to have a different purpose (the entire flow of
>> the other parameters is quite different). In my limited testing if
>> I set the "force group" permission to a local Linux group or trying
>> to use the DOMAIN\DomainGroup results in the DOMAIN\Domain Users
>> group being used in both cases. I believe I can accomplish
>> something similar by setting the group +s (SGID) on the folder that
>> the Samba share points to causes the files being created to have AD
>> group that I would like to always use.
> Question (since the manpage isn't specific about this case): did
>
>    force group = DOMAIN\Domain Group
>
> work any different to
>
>    force group = +DOMAIN\Domain Group
>
> for users that do (and do not) have that group as their primary?
>
> It might help your debugging process if you add a preexec line, eg
>
>    [someshare]
>    preexec = /bin/sh -c 'echo \"%T someshare: user %u \(group %g, primary %G, dom %D\) coming from %m \(%M\) connected to %S \(%P\) as %U, path %p, protocol %R\" >> /tmp/connectlog.%u 2
>
> Kind regards
> Vince

-- 
Matthias Kühne
Ellerhold AG
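A share definition contrasting the two spellings Matthias describes, as an added example that is not part of the thread; the share names, the path, the group names and the connect-log location are placeholders, and the preexec line is a simplified variant of Vince's suggestion.

```ini
; Added example smb.conf fragments (not from the thread). Share names,
; /srv/samba/project and DOMAIN\Domain Group are placeholders.

; Weak: without the "+" prefix every connecting user acts as a member of
; the group on this share (and it becomes their primary group), so
; group-based filesystem ACLs no longer decide who gets access.
; Only "valid users" still limits who can connect at all.
[project-weak]
   path = /srv/samba/project
   valid users = @"DOMAIN\Domain Group"
   force group = DOMAIN\Domain Group

; Preferred: the "+" form changes only the primary group of users who are
; already members of DOMAIN\Domain Group. ACL checks still apply, and new
; files get that group so other members can open them.
[project]
   path = /srv/samba/project
   valid users = @"DOMAIN\Domain Group"
   force group = +DOMAIN\Domain Group
   ; Record who connected and which primary group was in effect, so the
   ; effect of "force group" can be checked per session (per Vince's idea).
   ; %T = time, %S = share, %u = unix user, %g = primary group of %u,
   ; %G = primary group of the session user %U.
   preexec = /bin/sh -c 'echo %T %S: user %u group %g primary %G session %U >> /tmp/connectlog.%u'
```

Run `testparm -s` after editing to confirm the file parses and the two shares show the intended "force group" values.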