[Samba] problem with force group parameter

Gary Dale garydale at rogers.com
Thu Nov 5 22:09:06 MST 2009


Force group forces the Unix group to be whatever you force it to. It has 
nothing to do with what group the connecting user belongs to.


vishesh kumar wrote:
> I am also facing the same issue.
> Does it mean that we can't specify a secondary group as 'force group' in group?
>
> On 11/5/09, Andrey Zykov <andrey at dce.ifmo.ru> wrote:
>   
>> Hello!
>>
>> I tried to configure a Debian Linux file server as a Windows 2003 domain
>> member using samba with security = ADS mode and got stuck with the
>> following problem:
>>
>> File server (fs) successfully joined my domain with correct user and
>> group mapping (I'm using idmap rid). Users from the domain have their unix
>> accounts with <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have
>> local unix user: 'DOMAIN\andrey':
>>
>> fs:~# id DOMAIN\\andrey
>> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена)
>> группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы
>> домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
>>
>> As you can see, the user has uid=11118, primary group
>> gid=10513('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in
>> English) and a few supplementary groups.
>> Now I want to make a share restricted to use by users from one of the
>> supplementary groups, i.e. 11395(DOMAIN\сотрудники).
>> I created a directory:
>>
>> fs:~# ls -l /home/sambashare/ | grep officepub
>> drwxrwx---   2 DOMAIN\admin    DOMAIN\сотрудники             4096 Окт 26
>> 20:28 officepub
>>
>> and checked that I can access it locally via ssh:
>>
>> fs:~# su DOMAIN\\andrey
>> DOMAIN\andrey at fs:/root$ cd /home/sambashare/officepub/
>> DOMAIN\andrey at fs:/home/sambashare/officepub$ touch file
>> DOMAIN\andrey at fs:/home/sambashare/officepub$ rm file
>>
>> Next I added a share definition in smb.conf with my group in the
>> 'force group' parameter:
>> ...
>> [officepub]
>>         comment = Office Public Share
>>         path = /home/sambashare/officepub
>>         force group = +DOMAIN\сотрудники
>>         read only = No
>>         browseable = No
>>
>> restarted samba, tried to access it via smbclient and got the following error:
>>
>> fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
>> Enter DOMAIN\andrey's password:
>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>> NT_STATUS_NETWORK_ACCESS_DENIED listing \*
>>
>>                 0 blocks of size 0. 61680 blocks available
>> smb: \>
>>
>> But at the same time I have a similar working share with restriction by
>> _primary_ group:
>>
>> fs:~# id DOMAIN\\andrey
>> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена)
>> группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы
>> домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
>> fs:~# ls -l /home/sambashare/ | grep pub
>> drwxrwx---   2 DOMAIN\admin    DOMAIN\пользователи домена    4096 Ноя  4
>> 00:00 pub
>> fs:~# su DOMAIN\\andrey
>> DOMAIN\andrey at fs:/root$ cd /home/sambashare/pub/
>> DOMAIN\andrey at fs:/home/sambashare/pub$ touch file
>> DOMAIN\andrey at fs:/home/sambashare/pub$ exit
>> exit
>> fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
>> Enter DOMAIN\andrey's password:
>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>   .                                   D        0  Thu Nov  5 17:02:01 2009
>>   ..                                  D        0  Wed Jun  3 18:22:47 2009
>>   file                                         0  Thu Nov  5 17:02:01 2009
>>
>>                 64000 blocks of size 8192. 28337 blocks available
>> smb: \>
>>
>> So I've decided that the problem is in the not working (or
>> misunderstood?) 'force group' parameter.
>>
>> What did I do wrong and how to fix this?
>>
>> Some technical information:
>>
>> Distro used: Debian Lenny, kernel  2.6.26-2-amd64
>> Samba version: 3.2.5-4lenny6
>> Domain Controller: Windows Server 2003 R2 Enterprise Edition
>> smb.conf: http://pastebin.ca/1658364
>> Log file: http://pastebin.ca/1658368
>>
>> P.S. Sorry for my English :-)
>>
>> --
>> Andrey Zykov
>>
>> e-mail: andrey at dce.ifmo.ru
>> jabber: zblk at jabber.org.
>>
>>
>
>   
