[Samba] Samba share and groups permissions

Rowland Penny rpenny at samba.org
Fri Feb 23 09:23:14 UTC 2024


On Fri, 23 Feb 2024 08:13:08 +0100
Nicolas Boissé via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have a Fedora server, part of a domain, on which various shares are 
> configured.
> 
> For one share, I want to set up permissions according to the groups
> to which the users belong. But it doesn't work. For example, I want
> the share to be accessible by group A in read-write mode, and group B
> in read-only mode. I use setfacl for this. But neither group A nor
> group B have access to the share: "Access Denied".
> The only way to access it is to authorize the "Domain Users" group or 
> users instead of groups.
> 
> On servers, groups are recognized (wbinfo -g), as is user group 
> membership (wbinfo -r).

Yes, but does 'getent group <GROUP_NAME>' show anything?
'wbinfo' just shows what is in AD; it is meaningless to Unix.

> 
> Below is my smb.conf file (Samba 4.19.4).
> 
> Can you tell me what's wrong? Thanks a lot!
> 
> =========
> 
> [global]
> 
> workgroup = MYDOM
> realm = MYDOM.FR
> security = ADS
> 
> bind interfaces only = yes
> interfaces = lo eno1
> 
> log level = 3 passdb:5 auth:5
> log file = /var/log/samba/%U.log
> max log size = 50000
> 
> map to guest = bad uid

Why 'bad uid'?
Guest access in AD is a bad idea at the best of times, and if you are
going to use it, then 'bad user' would be a better option; see 'man
smb.conf'.

> 
> template shell = /bin/bash
> template homedir = /home/%U
> 
> username map script = /bin/echo

Why '/bin/echo'?

> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> 
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 10000-999999
> idmap config MYDOM:unix_nss_info = yes
> 
> acl allow execute always = yes
> 
> vfs objects = acl_xattr
> map acl inherit = yes
> 
> unix extensions = no
> 
> 
> [ressources]
> path = /data/ressources/
> browseable = no
> read only = no
> force create mode = 770
> force directory mode = 770
> csc policy = disable
> follow symlinks = yes
> wide links = yes
> hide dot files = yes
> hide files = /desktop.ini/$RECYCLE.BIN/
> vfs objects = recycle

Did you know that setting 'vfs objects = recycle' in this
share overrides the 'vfs objects = acl_xattr' you have set in
'global'? To put it another way, you are only getting standard Linux
ugo permissions on this share, no extended ACLs.

Rowland
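The override Rowland describes is easy to miss by eye, so here is an added checker (not part of the thread, and not Samba's own tooling) that parses an smb.conf, works out the effective 'vfs objects' list per share, and flags shares whose own 'vfs objects' line silently drops the acl_xattr module set in [global]. The sample config is a constructed excerpt mirroring the one posted above.

```python
import re

# Constructed excerpt of the posted smb.conf: [global] loads acl_xattr,
# the share sets its own 'vfs objects' and therefore replaces it.
SAMPLE_SMB_CONF = """
[global]
workgroup = MYDOM
vfs objects = acl_xattr
map acl inherit = yes

[ressources]
path = /data/ressources/
read only = no
vfs objects = recycle
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}; parameter names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                    # new [section]
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def effective_vfs_objects(conf, share):
    """Samba does not merge lists: a share-level 'vfs objects' replaces the global one entirely."""
    value = conf.get(share, {}).get("vfs objects")
    if value is None:
        value = conf.get("global", {}).get("vfs objects", "")
    return value.split()

def shares_dropping_acl_xattr(conf):
    """Shares that set 'vfs objects' themselves and thereby lose acl_xattr from [global]."""
    if "acl_xattr" not in conf.get("global", {}).get("vfs objects", "").split():
        return []
    return [s for s, p in conf.items()
            if s != "global" and "vfs objects" in p
            and "acl_xattr" not in effective_vfs_objects(conf, s)]

def merged_vfs_objects(conf, share):
    """The list the share would need to keep both: global modules first, then its own."""
    glob = conf.get("global", {}).get("vfs objects", "").split()
    own = conf.get(share, {}).get("vfs objects", "").split()
    return glob + [m for m in own if m not in glob]
```

For the sample above, the effective list for [ressources] is just ['recycle'], and the fix it suggests is 'vfs objects = acl_xattr recycle' in the share section.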
