Mark Foley
2024-Jun-06 17:37 UTC
[Samba] How to give AD users group permissions on a Samba share
On Tue Jun 4 14:08:30 2024 Rowland Penny <rpenny at samba.org> wrote:
> On Tue, 4 Jun 2024 13:22:49 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I have a Linux file server that is an AD Domain Member. It shares the
> > following (smb.conf):
> >
> > [public]
> > path = /public
> > store dos attributes = no
> > hide dot files = yes
> > readonly = no
> > force group = ohprs
> > create mask = 0660
> > directory mask = 2770
> >
> > The "force group" lets all Windows users map this folder and create
> > files and directories that all users can access and update. They are
> > created with their own user ID and the specified group (ohprs). That
> > has worked well for some time, but now the Boss wants his own folder.
> > No problem, I created a group for him and created a folder belonging
> > to that group, 'mark':
> >
> > :
> > drwxrwsr-x  24 ohprso    ohprs   4096 2024-05-13 11:40 jane/
> > drwxrws---+  2 HPRS\mark mark    4096 2024-05-28 00:14 mark/
> > drwxrws--x   4 ohprso    ohprs   4096 2024-04-28 21:58 mfoleyOutlook/
> > :
> >
> > He can now add files to this folder from his Windows mapped drive:
> >
> > $ ls -l mark
> > total 8
> > -rwxrwx---+ 1 HPRS\mark ohprs 445 2024-05-28 00:14 testme.txt*
> >
> > (Not sure why it sets the x bit since the create mask 0660 does not,
> > but not important for now.)
> >
> > Two problems:
> >
> > 1. As you can see from the example, files created in this directory
> > are group 'ohprs', not 'mark' -- probably because of the group mask,
> > but I had hoped the S bit on the parent directory would serve to
> > inherit the group name. Apparently not. Not a huge issue since other
> > users don't have rwx permission to see or update these files. But, is
> > there a way to have files in this directory inherit the 'mark' group?
> >
> > 2. Bigger issue - the Boss wants his admin. assistant to also be able
> > to see and update files in his folder. Normally, one would do a
> > 'usermod -a -G' to add the assistant to group 'mark'. But, these are
> > Domain users and are not in /etc/passwd. So, how can I do this?
> >
> > Thanks --Mark
>
> I am fairly sure I have said this before, but please stop doing things
> in the old NT4-style way and use vfs_acl_xattr, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> To add domain users to a domain group (you are using domain groups
> aren't you ?), you use 'samba-tool', see 'samba-tool
> group addmembers --help' for more information.
>
> Rowland

I have no doubt you have said this many times before, but not to me -- at least not that I can recall. This is new territory for me. This share started off way-back-when as a Microsoft Sharepoint repository which was then migrated to a plain Samba share (I presume this is what you are calling "old NT4-style"). That ran for many years until the host was converted to an AD Domain Member about 10 years ago. All I did at the time was make a few minor tweaks to the smb.conf (removing guest ok|only, ...) and it continued to work. Now I have needs that apparently extend beyond what the "old-style" can support.

So, I've followed the procedures in your referenced link and am at the section titled: "Setting Share Permissions and ACLs". I am setting this up on a test system. Before proceeding further I have some questions that don't seem immediately addressed in the wiki.

This section in the wiki is giving an example for setting the share to 'Everyone', 'Full Control' and 'Domain Users'.

As I've described, all files in this folder are currently set to Unix group 'ohprs'. I want a like restriction with this vfs_acl_xattr. I suppose I can use group 'Domain Users' since all domain users will be able to access this, and I don't have to create a new group. So question #1: should I change all files/directories in this share to group 'Domain Users' before proceeding further?

mini question(s) -- can I still use the following for this share in smb.conf:

store dos attributes = no # this one might be an issue, but I can explain
hide dot files = yes

BTW, for the wiki command:

# chown root:"Domain Admins" /srv/samba/Demo/

I could not make that work unless I added the domain:

# chown root:"hprs\Domain Admins" /srv/samba/Demo/

Thanks --Mark
Rowland Penny
2024-Jun-06 18:28 UTC
[Samba] How to give AD users group permissions on a Samba share
On Thu, 06 Jun 2024 13:37:34 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
>
> I have no doubt you have said this many times before, but not to me --
> at least not that I can recall. This is new territory for me. This
> share started off way-back-when as a Microsoft Sharepoint repository
> which was then migrated to a plain Samba share (I presume this is
> what you are calling "old NT4-style"). That ran for many years until
> the host was converted to an AD Domain Member about 10 years ago. All
> I did at the time was make a few minor tweaks to the smb.conf
> (removing guest ok|only, ...) and it continued to work. Now I have
> needs that apparently extend beyond what the "old-style" can support.

Basically, the old NT4-style domains relied on setting permissions in the share part of the smb.conf file, but, by using vfs_acl_xattr, you can set finer control from Windows and these acls are stored in Extended Attributes (EAs).

>
> So, I've followed the procedures in your referenced link and am at
> the section titled: "Setting Share Permissions and ACLs". I am
> setting this up on a test system. Before proceeding further I have
> some questions that don't seem immediately addressed in the wiki.
>
> This section in the wiki is giving an example for setting the share to
> 'Everyone', 'Full Control' and 'Domain Users'.
>
> As I've described, all files in this folder are currently set to Unix
> group 'ohprs'.

That is one of the hold-overs you don't need; if set up correctly, Samba can make the domain group 'ohprs' into the Unix group 'ohprs'. I created a group called 'ohprs' in my AD and:

rowland at devstation:~$ getent group ohprs
ohprs:x:13603:

So it appears to the local system as a Unix group, but if I look in /etc/group it isn't there:

rowland at devstation:~$ grep 'ohprs' /etc/group
rowland at devstation:~$

> I want a like restriction with this vfs_acl_xattr.
> I suppose I can use group 'Domain Users' since all domain users will
> be able to access this, and I don't have to create a new group. So
> question #1: should I change all files/directories in this share to
> group 'Domain Users' before proceeding further?

You do not need to use 'Domain Users', use the Domain group 'ohprs'.

>
> mini question(s) -- can I still use the following for this share in
> smb.conf:
>
> store dos attributes = no # this one might be an issue, but I can
> explain

Why do you have that line? The default for that parameter is 'yes' and you shouldn't need to change it.

> hide dot files = yes

Yes, you can set that.

>
> BTW, for the wiki command:
>
> # chown root:"Domain Admins" /srv/samba/Demo/
>
> I could not make that work unless I added the domain:
>
> # chown root:"hprs\Domain Admins" /srv/samba/Demo/

Ah, if you add 'winbind use default domain = yes' to global, you will not have to add 'hprs\' (the NetBIOS domain name, aka workgroup).

Rowland
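Following Rowland's pointer to vfs_acl_xattr, here is an added example that is not code from this thread or from the Samba project: a POSIX shell audit that lists the NT4-style parameters a share stanza still carries (force user/group, create/directory mask, force modes, and an explicit 'store dos attributes = no'), run against a constructed smb.conf holding Mark's [public] share next to the reduced form the wiki page describes. Which parameters count as legacy is my choice based on the thread and the wiki page, and the sample smb.conf is constructed.

```shell
#!/bin/sh
# Constructed example (not code from the thread or the Samba project): flag the
# NT4-style share parameters the thread says to drop for vfs_acl_xattr (force
# user/group, create/directory mask, force modes) and 'store dos attributes = no'.
# audit_share FILE SHARE: print each legacy line in [SHARE]; return 1 if any.
audit_share() {
    _hits=$(awk -v share="$2" '
        /^[[:space:]]*[[]/ {                        # section header [name]
            s = $0; sub(/^[[:space:]]*[[]/, "", s); sub(/[]].*$/, "", s)
            insec = (s == share); next
        }
        insec && /^[[:space:]]*(force (user|group|create mode|directory mode)|create mask|directory mask|store dos attributes)[[:space:]]*=/ {
            line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            key = line; sub(/[[:space:]]*=.*$/, "", key)
            val = line; sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]*[#;].*$/, "", val)     # drop a trailing comment
            if (key == "store dos attributes" && tolower(val) != "no") next
            print line
        }' "$1")
    [ -n "$_hits" ] && printf '%s\n' "$_hits"
    [ -z "$_hits" ]
}

# Constructed smb.conf: [public] is the share from the thread; [public-acl] is
# what is left once ACLs are managed from Windows (acl_xattr and
# 'map acl inherit' go in [global], as the wiki page shows).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[global]
   vfs objects = acl_xattr
   map acl inherit = yes
[public]
   path = /public
   store dos attributes = no
   hide dot files = yes
   readonly = no
   force group = ohprs
   create mask = 0660
   directory mask = 2770
[public-acl]
   path = /public
   read only = no
   hide dot files = yes
EOF
for s in public public-acl; do
    if audit_share "$SAMPLE_CONF" "$s"; then echo "[$s]: ready for vfs_acl_xattr"
    else echo "[$s]: remove the lines above before enabling vfs_acl_xattr"; fi
done
```

Run it against a real smb.conf with `audit_share /etc/samba/smb.conf public`; a clean stanza returns 0, one with leftovers prints them and returns 1.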