[Samba] Sharing Samba share with Domain User Access
Rowland Penny
rpenny at samba.org
Sun Apr 28 07:55:09 UTC 2024
On Sat, 27 Apr 2024 21:12:51 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> I have a new Linux Domain member on a Samba DC (4.18.9). I want this
> member to be a file server, and I want all members of the "Domain
> Users" group to have g+rw access to all the files and directories in
> that share.
>
> I also want local non-domain users to have access to these files and
> folders.
>
> I'm a bit perplexed as to how to configure this. In smb.conf I'm
> guessing:
>
> --------------------
> [public]
> comment = OHPRS main file and document repository
> path = /mnt/RAID/public
>
> force group = "Domain Users"
> # and possibly:
> force create mode = 0660
> ---------------------
>
> Yes?
NO
Use vfs_acl_xattr and set permissions from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> For non-domain users, I could always make all files/directory o-rw,
> but if I wanted to limit that to e.g. user joe, is there something I
> could configure? In smb.conf? In /etc/group?
>
> On the DC, the users' group is 100:
>
> # getent passwd "HPRS\\mark"
> HPRS\mark:*:3000023:100:Mark Foley:/home/HPRS/mark:/bin/false
It would be, it is mapped that way in idmap.ldb from Domain Users and is
only used on a Samba AD DC.
>
> So for "joe" could I just add the following to /etc/group:
>
> users:x:100:joe
NO, if 'joe' is an AD user, he will be a member of Domain Users.
>
> A wrinkle with that is getent on the domain member has a different
> group:
>
> # getent passwd HPRS\\mark
> HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
>
> Why would that be?
As said above, the IDs on a DC normally have no relation to anything
else, unless you use the 'ad' backend on Unix domain members and set
'idmap_ldb:use rfc2307 = yes' on the DC.
> Why wouldn't the domain member have the same
> user/group as the Domain Controller?
This is one of the reasons not to use a DC as a fileserver.
> In any case, I supposed if I
> were to use /etc/group I'd use whatever group getent on that host
> shows.
I wouldn't suggest using anything local on a Unix domain member.
Rowland
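As an added example (not from the thread or the Samba project), here is the share the poster guessed at next to the layout the wiki page Rowland points to uses: acl_xattr on the Unix domain member, with access granted to Domain Users from the Windows Security tab instead of a forced Unix group. The realm, idmap ranges and share path are assumed placeholder values; the workgroup and share name are the ones from the thread.

```ini
# smb.conf on the Unix domain member (assumed values: realm, idmap ranges)
[global]
    workgroup = HPRS
    realm = HPRS.EXAMPLE.COM
    security = ADS
    # The member in the thread shows uid 11105 / gid 10513, i.e. base 10000 + RID
    # (Domain Users is RID 513), which is what the 'rid' backend produces.
    # The 'ad' backend instead reads uidNumber/gidNumber from AD, so the IDs are
    # the same on every member (and on the DC once idmap_ldb:use rfc2307 = yes
    # is set there, as Rowland notes). Domain Users needs a gidNumber in AD.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HPRS : backend = ad
    idmap config HPRS : schema_mode = rfc2307
    idmap config HPRS : range = 10000-999999
    # Store the Windows ACL in the security.NTACL xattr and enforce it on the
    # member; inheritance then behaves as a Windows admin expects.
    vfs objects = acl_xattr
    map acl inherit = yes
    # Optional: evaluate only the NT ACL and do not mirror it into POSIX ACLs.
    acl_xattr:ignore system acls = yes

# The poster's guess, kept commented out: every Domain User gets rw on every
# file through the forced Unix group and mode, regardless of any ACL set
# from Windows, and local non-AD accounts would have to be wired in by hand.
;[public]
;    comment = OHPRS main file and document repository
;    path = /mnt/RAID/public
;    force group = "Domain Users"
;    force create mode = 0660

# The wiki approach: no forced group or mode. The share is writable, and which
# groups can read or write is decided by the ACL set from Windows (Security
# tab) or with samba-tool ntacl set on the member. No local users are used.
[public]
    comment = OHPRS main file and document repository
    path = /mnt/RAID/public
    read only = no
```

Run `testparm` after editing to confirm the file parses; the access that Domain Users end up with is whatever the ACL on /mnt/RAID/public grants them, not a blanket g+rw.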