[Samba] Samba share and groups permissions

Nicolas Boissé nicolas.boisse at univ-lemans.fr
Fri Feb 23 07:13:08 UTC 2024


Hello,

I have a Fedora server, part of a domain, on which various shares are 
configured.

For one share, I want to set up permissions according to the groups to 
which the users belong. But it doesn't work. For example, I want the 
share to be accessible by group A in read-write mode, and group B in 
read-only mode. I use setfacl for this. But neither group A nor group B 
has access to the share: "Access Denied".
The only way to access it is to authorize the "Domain Users" group or 
users instead of groups.

On servers, groups are recognized (wbinfo -g), as is user group 
membership (wbinfo -r).

Below is my smb.conf file (Samba 4.19.4).

Can you tell me what's wrong? Thanks a lot!

=========

[global]

workgroup = MYDOM
realm = MYDOM.FR
security = ADS

bind interfaces only = yes
interfaces = lo eno1

log level = 3 passdb:5 auth:5
log file = /var/log/samba/%U.log
max log size = 50000

map to guest = bad uid

template shell = /bin/bash
template homedir = /home/%U

username map script = /bin/echo

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 10000-999999
idmap config MYDOM:unix_nss_info = yes

acl allow execute always = yes

vfs objects = acl_xattr
map acl inherit = yes

unix extensions = no


[ressources]
path = /data/ressources/
browseable = no
read only = no
force create mode = 770
force directory mode = 770
csc policy = disable
follow symlinks = yes
wide links = yes
hide dot files = yes
hide files = /desktop.ini/$RECYCLE.BIN/
vfs objects = recycle
recycle:repository = /data/ressources/.recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP
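
An added example, not part of the original post or Samba's own tooling: a small check of which `vfs objects` a share actually loads, relying on the Samba behaviour that a share-level `vfs objects` line replaces the `[global]` list rather than extending it. The sample text is a constructed subset of the posted configuration, and the function names are illustrative.

```python
import configparser

# Constructed sample: a subset of the lines from the smb.conf in the post.
SAMPLE = """\
[global]
security = ADS
vfs objects = acl_xattr
map acl inherit = yes

[ressources]
path = /data/ressources/
read only = no
vfs objects = recycle
recycle:keeptree = yes
"""

def _norm(name):
    # Samba ignores case and whitespace in parameter names.
    return "".join(name.split()).lower()

def load(text):
    """Parse smb.conf text into {section: {param: value}} (no backslash continuations)."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = _norm
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def effective(text, share, param):
    """Value a share actually uses: its own setting, else the [global] one."""
    conf = load(text)
    key = _norm(param)
    return conf.get(share.lower(), {}).get(key, conf.get("global", {}).get(key))

def dropped_vfs_modules(text):
    """Global VFS modules missing from shares that set their own 'vfs objects'."""
    conf = load(text)
    global_mods = conf.get("global", {}).get("vfsobjects", "").split()
    report = {}
    for share, params in conf.items():
        if share == "global" or "vfsobjects" not in params:
            continue
        missing = [m for m in global_mods if m not in params["vfsobjects"].split()]
        if missing:
            report[share] = missing
    return report

if __name__ == "__main__":
    print(effective(SAMPLE, "ressources", "vfs objects"))
    print(dropped_vfs_modules(SAMPLE))
```

On the server itself, `testparm -s` prints the configuration as Samba parses it and can be used to confirm the per-share values.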



