[Samba] Newbie question - force file permission to user's secondary groups.

Liutauras Adomaitis liutauras.adomaitis at gmail.com
Wed May 20 07:30:00 GMT 2009

On Mon, May 18, 2009 at 2:24 PM, Conta Falsa 337
<contafalsa337 at gmail.com> wrote:
> I read http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html the
> part regarding "group" or "force group" directive, and it's not clear to me
> if I can have more than one instance of this directive, since I need the
> group to be forced depending on which share the user is creating the file.
>  An example:
>   user: james
>   first share: projectX (he is a member of the group projectX)
>   second share: projectY (he is a member of the group projectY)
>  James is a member of both groups, since I don't use PDC (Vista clients),
> the first time the user tries to access the shared folder, he will be asked
> for the password, say he first opens /projectX, then he will be forced do
> group projectX, but what if he opens projectY and tries to write there?

To my knowledge - then user connects to server he is asked to submit
user and password (if security = user), then server authenticates user
and gives him a token with rights for further connections. So it
doesn't matter which share you are accessing, you are accessing server
with the token you got from first authentication.

>   - Is it possible to have "force group" on the shares section, so each
> share has one?
yes it is and that is were I use it.

>   - Will the user be asked for the password again,if he opens the second
> share (without rebooting Windows)? The "change" of the primary group will
> happen transparently, or the user would have to disconnect, and then open
> the /projectY (therefore having to type his username/password again)?

As I said - token is your rights to the server. It is valid until you
logoff (maybe command "net use * /d" on workstation may help to forget
token without logoff, but I'm not sure). User is asked for a password
once to get a token (if security = user in smb.conf).
force group directive is working on samba server file system, it does
not effect user membership. I think setting force group on share can
even be set to group the user does not belong to (again - not sure,
but you can test). This directive will force all files and folders
created on the share to be owned by group specified in force group

You set force group directive to make sure all files in that share are
created with appropriate group.

>  thanks for your time.
> 2009/5/15 Liutauras Adomaitis <liutauras.adomaitis at gmail.com>
>> On Fri, May 15, 2009 at 4:27 PM, Conta Falsa 337
>> <contafalsa337 at gmail.com> wrote:
>> > samba version is  3.0.28a-1ubuntu4.7
>> > --
>> >
>> > I created users on both samba and the linux system, and created 3 groups
>> > on
>> > the system. Each of these groups own a specific directory, the directory
>> > on
>> > the filesystem belongs to root.groupfoo. On my smb.conf I gave each of
>> > these
>> > groups write access to its directory (@groupfoo to the share /groupfoo).
>> > So
>> > now every linux user belonging to groupfoo can write there. The problem
>> > is,
>> > groupfoo is not the user's primary group, so the file is created with
>> > permission user1.user1, and not user1.groupfoo, therefore, other users
>> > belonging to groupfoo cannot edit or delete that file. I read smb.conf
>> > manual, but found no option to enforce that if the top directory belongs
>> > to
>> > root.groupfoo all files created under there will belong to
>> > "userxyz.groupfoo", so I set on the filesystem each of those 3
>> > directories
>> > to be setgid, so now every file created under, say, /groupbar (belongs
>> > to
>> > root.groupbar), has this permission: userabc.groupbar. I would like that
>> > the
>> > file/directory created belongs to the user executing the operation, and
>> > to
>> > the toplevel group owning that share, since a user can belong to 2 or
>> > all of
>> > those 3 groups mentioned, knowing that every user does not have any of
>> > those
>> > 3 groups as primary group.
>> >
>> >  Is this the right approach  or did I misunderstood the manual and I
>> > should
>> > do this only on smb.conf and not have to enforce it on the filesystem?
>> >
>> Sounds to me this is a force group directive which should take care of
>> this.
>> Liutauras
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list