[Samba] problem with force group parameter

Andrey Zykov andrey at dce.ifmo.ru
Fri Nov 6 00:15:49 MST 2009


But what about this:

"In Samba 2.0.5 and above this parameter has extended functionality in 
the following way. If the group name listed here has a '+' character 
prepended to it then the current user accessing the share only has the 
primary group default assigned to this group if they are already 
assigned as a member of that group. This allows an administrator to 
decide that only users who are already in a particular group will create 
files with group ownership set to that group. This gives a finer 
granularity of ownership assignment. For example, the setting |force 
group = +sys| means that only users who are already in group sys will 
have their default primary group assigned to sys when accessing this 
Samba share. All other users will retain their ordinary primary group."

http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FORCEGROUP


Gary Dale wrote:
> Force group forces the Unix group to be whatever you force it to. It 
> has nothing to do with what group the connecting user belongs to.
>
>
> vishesh kumar wrote:
>> I am also facing the same issue.
>> Does it mean that we can't specify a secondary group as 'force group' in 
>> group?
>>
>> On 11/5/09, Andrey Zykov <andrey at dce.ifmo.ru> wrote:
>>  
>>> Hello!
>>>
>>> I tried to configure a Debian Linux file server as a Windows 2003 domain
>>> member using samba with security = ADS mode and got stuck on this
>>> problem:
>>>
>>> File server (fs) successfully joined my domain with correct user and
>>> group mapping (I'm using idmap rid). Users from the domain have their unix
>>> accounts with a <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have
>>> the local unix user 'DOMAIN\andrey':
>>>
>>> fs:~# id DOMAIN\\andrey
>>> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
>>>
>>>
>>> As you can see, the user has uid=11118, primary group
>>> gid=10513 ('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in
>>> English) and a few supplementary groups.
>>> Now I want to make a share restricted to use by users from one of the
>>> supplementary groups, i.e. 11395(DOMAIN\сотрудники).
>>> I created a directory:
>>>
>>> fs:~# ls -l /home/sambashare/ | grep officepub
>>> drwxrwx---   2 DOMAIN\admin    DOMAIN\сотрудники             4096 Окт 26 20:28 officepub
>>>
>>> and checked that I can access it locally via ssh:
>>>
>>> fs:~# su DOMAIN\\andrey
>>> DOMAIN\andrey@fs:/root$ cd /home/sambashare/officepub/
>>> DOMAIN\andrey@fs:/home/sambashare/officepub$ touch file
>>> DOMAIN\andrey@fs:/home/sambashare/officepub$ rm file
>>>
>>> Next I added a share definition in smb.conf with my group in the
>>> 'force group' parameter:
>>> ...
>>> [officepub]
>>>         comment = Office Public Share
>>>         path = /home/sambashare/officepub
>>>         force group = +DOMAIN\сотрудники
>>>         read only = No
>>>         browseable = No
>>>
>>> restarted samba, tried to access it via smbclient and got the following
>>> error:
>>>
>>> fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
>>> Enter DOMAIN\andrey's password:
>>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>>> smb: \> ls
>>> NT_STATUS_NETWORK_ACCESS_DENIED listing \*
>>>
>>>                 0 blocks of size 0. 61680 blocks available
>>> smb: \>
>>>
>>> But at the same time I have a similar working share with restriction by
>>> _primary_ group:
>>>
>>> fs:~# id DOMAIN\\andrey
>>> uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
>>>
>>> fs:~# ls -l /home/sambashare/ | grep pub
>>> drwxrwx---   2 DOMAIN\admin    DOMAIN\пользователи домена    4096 Ноя  4 00:00 pub
>>> fs:~# su DOMAIN\\andrey
>>> DOMAIN\andrey@fs:/root$ cd /home/sambashare/pub/
>>> DOMAIN\andrey@fs:/home/sambashare/pub$ touch file
>>> DOMAIN\andrey@fs:/home/sambashare/pub$ exit
>>> exit
>>> fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
>>> Enter DOMAIN\andrey's password:
>>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>>> smb: \> ls
>>>   .                                   D        0  Thu Nov  5 17:02:01 2009
>>>   ..                                  D        0  Wed Jun  3 18:22:47 2009
>>>   file                                         0  Thu Nov  5 17:02:01 2009
>>>
>>>                 64000 blocks of size 8192. 28337 blocks available
>>> smb: \>
>>>
>>> So I've decided that the problem is in the not working (or
>>> misunderstood?) 'force group' parameter.
>>>
>>> What did I do wrong and how to fix this?
>>>
>>> Some technical information:
>>>
>>> Distro used: Debian Lenny, kernel  2.6.26-2-amd64
>>> Samba version: 3.2.5-4lenny6
>>> Domain Controller: Windows Server 2003 R2 Enterprise Edition
>>> smb.conf: http://pastebin.ca/1658364
>>> Log file: http://pastebin.ca/1658368
>>>
>>> P.S. Sorry for my English :-)
>>>
>>> -- 
>>> Andrey Zykov
>>>
>>> e-mail: andrey at dce.ifmo.ru
>>> jabber: zblk at jabber.org.
>>>


-- 
Andrey Zykov

e-mail: andrey at dce.ifmo.ru
jabber: zblk at jabber.org.
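
A small model of the two `force group` forms that the quoted man page text distinguishes, applied to the `id` output and the `officepub` directory from the original post. This is an added example, not code from the thread or from Samba: the owner uid 11000 and the second user (uid 12000) are constructed, and the permission check is plain POSIX owner/group/other logic, not Samba's implementation.

```python
import re

# id(1) output from the post, with the mail client's line wraps joined.
ID_OUTPUT = (
    "uid=11118(DOMAIN\\andrey) gid=10513(DOMAIN\\пользователи домена) "
    "группы=10513(DOMAIN\\пользователи домена),"
    "10512(DOMAIN\\администраторы домена),11395(DOMAIN\\сотрудники),"
    "10001(BUILTIN\\users),10000(BUILTIN\\administrators)"
)

def parse_id(text):
    """Return (uid, primary_gid, {gid: name}). Matches 'N(name)' pairs by
    position, so localized labels and spaces in group names do not matter."""
    pairs = re.findall(r"(\d+)\(([^)]*)\)", text)
    groups = {int(n): name for n, name in pairs[2:]}
    return int(pairs[0][0]), int(pairs[1][0]), groups

def effective_gid(primary_gid, member_gids, force_group, group_db):
    """Primary gid for the connection, per the man page text: a plain name is
    always applied, '+name' only if the user is already a member."""
    if not force_group:
        return primary_gid
    target = group_db[force_group.lstrip("+")]
    if force_group.startswith("+") and target not in member_gids:
        return primary_gid
    return target

def can_list_dir(uid, gid, member_gids, st_uid, st_gid, mode):
    """POSIX class selection (owner, else group, else other); listing needs r and x."""
    if uid == st_uid:
        bits = mode >> 6
    elif st_gid == gid or st_gid in member_gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 0o5) == 0o5

def share_access(uid, primary_gid, member_gids, force_group, group_db, st):
    """Return (effective gid, may list the share root) for one connection."""
    gid = effective_gid(primary_gid, member_gids, force_group, group_db)
    return gid, can_list_dir(uid, gid, member_gids, *st)

if __name__ == "__main__":
    uid, gid, groups = parse_id(ID_OUTPUT)
    db = {name: g for g, name in groups.items()}
    officepub = (11000, 11395, 0o770)   # drwxrwx---; owner uid 11000 is constructed
    staff = "DOMAIN\\сотрудники"
    print(share_access(uid, gid, set(groups), "+" + staff, db, officepub))
    # Constructed non-member who belongs only to the domain users group:
    print(share_access(12000, 10513, {10513}, "+" + staff, db, officepub))
    print(share_access(12000, 10513, {10513}, staff, db, officepub))
```

The last case is the one to watch when reviewing a share: without the `+`, every user who can connect is given the forced group's access to the directory, so any restriction has to come from elsewhere (for example `valid users`).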
