samba - Jun 2024 - How to give AD users group permissions on a Samba share

I have a Linux file server that is an AD Domain Member. It shares the 
following (smb.conf):

[public]
path = /public
store dos attributes = no
hide dot files = yes
readonly = no
force group = ohprs
create mask = 0660
directory mask = 2770

The "force group" lets all Windows users map this folder and create 
files and directories that all users can access and update. They are 
created with their own user ID and the specified group (ohprs). That has 
worked well for some time, but now the Boss wants his own folder. No 
problem, I created a group for him and created a folder belonging to 
that group, 'mark':

:
drwxrwsr-x? 24 ohprso??? ohprs?? 4096 2024-05-13 11:40 jane/
drwxrws---+? 2 HPRS\mark mark??? 4096 2024-05-28 00:14 mark/
drwxrws--x?? 4 ohprso??? ohprs?? 4096 2024-04-28 21:58 mfoleyOutlook/
:

He can now add files to this folder from his Windows mapped drive:

$ ls -l mark
total 8
-rwxrwx---+ 1 HPRS\mark ohprs 445 2024-05-28 00:14 testme.txt*

(Not sure why it sets the x bit since the create mask 0660 does not, but 
not important for now.)

Two problems:

1. As you can see from the example, files created in this directory are 
group 'ohprs', not 'mark' -- probably because of the group mask,
but I
had hoped the S bit on the parent directory would serve to inherit the 
group name. Apparently not. Not a huge issue since other users don't 
have rwx permission to see or update these files. But, is there a way to 
have files in this directory inherit the 'mark' group?

2. Bigger issue - the Boss wants his admin. assistant to also be able to 
see and update files in his folder. Normally, one would do a 'usermod -a 
-G' to add the assistant to group 'mark'. But, these are Domain
users
and are not in /etc/passwd. So, how can I do this?

Thanks --Mark

On Tue, 4 Jun 2024 13:22:49 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> I have a Linux file server that is an AD Domain Member. It shares the 
> following (smb.conf):
> 
> [public]
> path = /public
> store dos attributes = no
> hide dot files = yes
> readonly = no
> force group = ohprs
> create mask = 0660
> directory mask = 2770
> 
> The "force group" lets all Windows users map this folder and
create
> files and directories that all users can access and update. They are 
> created with their own user ID and the specified group (ohprs). That
> has worked well for some time, but now the Boss wants his own folder.
> No problem, I created a group for him and created a folder belonging
> to that group, 'mark':
> 
> :
> drwxrwsr-x? 24 ohprso??? ohprs?? 4096 2024-05-13 11:40 jane/
> drwxrws---+? 2 HPRS\mark mark??? 4096 2024-05-28 00:14 mark/
> drwxrws--x?? 4 ohprso??? ohprs?? 4096 2024-04-28 21:58 mfoleyOutlook/
> :
> 
> He can now add files to this folder from his Windows mapped drive:
> 
> $ ls -l mark
> total 8
> -rwxrwx---+ 1 HPRS\mark ohprs 445 2024-05-28 00:14 testme.txt*
> 
> (Not sure why it sets the x bit since the create mask 0660 does not,
> but not important for now.)
> 
> Two problems:
> 
> 1. As you can see from the example, files created in this directory
> are group 'ohprs', not 'mark' -- probably because of the
group mask,
> but I had hoped the S bit on the parent directory would serve to
> inherit the group name. Apparently not. Not a huge issue since other
> users don't have rwx permission to see or update these files. But, is
> there a way to have files in this directory inherit the 'mark'
group?
> 
> 2. Bigger issue - the Boss wants his admin. assistant to also be able
> to see and update files in his folder. Normally, one would do a
> 'usermod -a -G' to add the assistant to group 'mark'. But,
these are
> Domain users and are not in /etc/passwd. So, how can I do this?
> 
> Thanks --Mark
I am fairly sure I have said this before, but please stop doing things
in the old NT4-style way and use vfs_acl_xattr, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

To add domain users to a domain group (you are using domain groups
aren't you ?), you use 'samba-tool', see 'samba-tool
group addmembers --help' for more information.

Rowland