Mark Foley
2024-Jun-04 17:22 UTC
[Samba] How to give AD users group permissions on a Samba share
I have a Linux file server that is an AD Domain Member. It shares the following (smb.conf):

    [public]
        path = /public
        store dos attributes = no
        hide dot files = yes
        readonly = no
        force group = ohprs
        create mask = 0660
        directory mask = 2770

The "force group" lets all Windows users map this folder and create files and directories that all users can access and update. They are created with their own user ID and the specified group (ohprs). That has worked well for some time, but now the Boss wants his own folder. No problem, I created a group for him and created a folder belonging to that group, 'mark':

    :
    drwxrwsr-x  24 ohprso    ohprs   4096 2024-05-13 11:40 jane/
    drwxrws---+  2 HPRS\mark mark    4096 2024-05-28 00:14 mark/
    drwxrws--x   4 ohprso    ohprs   4096 2024-04-28 21:58 mfoleyOutlook/
    :

He can now add files to this folder from his Windows mapped drive:

    $ ls -l mark
    total 8
    -rwxrwx---+ 1 HPRS\mark ohprs 445 2024-05-28 00:14 testme.txt*

(Not sure why it sets the x bit since the create mask 0660 does not, but not important for now.)

Two problems:

1. As you can see from the example, files created in this directory are group 'ohprs', not 'mark' -- probably because of the group mask, but I had hoped the S bit on the parent directory would serve to inherit the group name. Apparently not. Not a huge issue since other users don't have rwx permission to see or update these files. But, is there a way to have files in this directory inherit the 'mark' group?

2. Bigger issue - the Boss wants his admin. assistant to also be able to see and update files in his folder. Normally, one would do a 'usermod -a -G' to add the assistant to group 'mark'. But, these are Domain users and are not in /etc/passwd. So, how can I do this?

Thanks --Mark
Rowland Penny
2024-Jun-04 18:08 UTC
[Samba] How to give AD users group permissions on a Samba share
On Tue, 4 Jun 2024 13:22:49 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> I have a Linux file server that is an AD Domain Member. It shares the
> following (smb.conf):
>
> [public]
>     path = /public
>     store dos attributes = no
>     hide dot files = yes
>     readonly = no
>     force group = ohprs
>     create mask = 0660
>     directory mask = 2770
>
> The "force group" lets all Windows users map this folder and create
> files and directories that all users can access and update. They are
> created with their own user ID and the specified group (ohprs). That
> has worked well for some time, but now the Boss wants his own folder.
> No problem, I created a group for him and created a folder belonging
> to that group, 'mark':
>
> :
> drwxrwsr-x  24 ohprso    ohprs   4096 2024-05-13 11:40 jane/
> drwxrws---+  2 HPRS\mark mark    4096 2024-05-28 00:14 mark/
> drwxrws--x   4 ohprso    ohprs   4096 2024-04-28 21:58 mfoleyOutlook/
> :
>
> He can now add files to this folder from his Windows mapped drive:
>
> $ ls -l mark
> total 8
> -rwxrwx---+ 1 HPRS\mark ohprs 445 2024-05-28 00:14 testme.txt*
>
> (Not sure why it sets the x bit since the create mask 0660 does not,
> but not important for now.)
>
> Two problems:
>
> 1. As you can see from the example, files created in this directory
> are group 'ohprs', not 'mark' -- probably because of the group mask,
> but I had hoped the S bit on the parent directory would serve to
> inherit the group name. Apparently not. Not a huge issue since other
> users don't have rwx permission to see or update these files. But, is
> there a way to have files in this directory inherit the 'mark' group?
>
> 2. Bigger issue - the Boss wants his admin. assistant to also be able
> to see and update files in his folder. Normally, one would do a
> 'usermod -a -G' to add the assistant to group 'mark'. But, these are
> Domain users and are not in /etc/passwd. So, how can I do this?
>
> Thanks --Mark

I am fairly sure I have said this before, but please stop doing things in the old NT4-style way and use vfs_acl_xattr, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

To add domain users to a domain group (you are using domain groups aren't you?), you use 'samba-tool', see 'samba-tool group addmembers --help' for more information.

Rowland
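The share from the original post, reworked along the lines of the reply above (Windows ACLs via vfs_acl_xattr, per the linked wiki page). This is an added example, not part of either message; the share name and path come from the original post, and `<domain-group>` and `<assistant-username>` are placeholders.

```ini
# --- Before (as posted): access decided by POSIX mode bits and a forced group ---
# [public]
#     path = /public
#     store dos attributes = no
#     hide dot files = yes
#     readonly = no
#     force group = ohprs
#     create mask = 0660
#     directory mask = 2770

# --- After: Windows ACLs stored in extended attributes ---
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
# Only needed on Samba older than 4.9.0, where "yes" is not yet the default.
# The original share set this to "no", which has to go.
    store dos attributes = yes

[public]
    path = /public
    read only = no
# No force group, create mask or directory mask here: who may read or
# write each folder is decided by the ACL on that folder, set from the
# Windows Security tab by an account allowed to manage the share.

# Membership is then managed in AD instead of /etc/group, on a DC:
#   samba-tool group addmembers <domain-group> <assistant-username>
# and the boss's folder ACL grants Modify to <domain-group> only.
```

The file system holding /public must support extended attributes and POSIX ACLs for acl_xattr to store the ACLs. After the change, verify from a non-member account that the boss's folder is not listable, since the forced group no longer masks a permissive ACL.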