[Samba] Grant only one AD group to samba share ?

Newman, John W John.newman at viaoncology.com
Mon May 21 14:42:52 MDT 2012


OK, I definitely am missing something.  The group IDs do seem to work somewhat, but perhaps I just have the wrong syntax.  I keep going back to these two lines that he put there a long time ago:


winbind separator = \\
winbind use default domain = yes


I see others using & or % or @ ...


wbinfo -Y $(wbinfo -n "`wbinfo -g | grep Group`" | cut -d " " -f 1)
10005

so the SID mapping is somehow happening.  It's weird though as each time I call that with a different group name, the 10000 number just goes up by one.  Like it is making up the unix IDs as it goes and perhaps something isn't set right.   Shouldn't all of the AD groups be tied to a unix ID automatically, and not just making them up one at a time?

Anyway, I'm not sure if that relates to my real problem here or not.  I understand the nix security model pretty well ... windows not so much  .. and bringing windows permissions into a nix machine, not at all!!  :D   This was all set up by another dev who is no longer in our department, I am trying to make sense of it and enhance it.  

Steve's suggestion below is probably correct to set the permissions on the share how I need, but what am I missing to get that chgrp command to work right?

Thanks

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Newman, John W
Sent: Monday, May 21, 2012 15:43
To: 'steve'; samba at lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


"My Group" is a windows AD group, not a local linux group.  The machine is "joined" to the windows domain through "net ads join", but I don't think the security is that tightly integrated.  I don't have windows groups mapped to linux groups I've created or anything like that.    chgrp is expecting a linux group.  Right?

Probably I am missing something, or you guys need more information.  Any thoughts?


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba at lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 05/21/2012 05:20 PM, Newman, John W wrote:
> All,
>
> On my ubuntu linux machine here, I already have samba set up and 
> configured with winbind to perform authentication against the local windows domain controller. Thankfully that part is all working fine - that was supposed to be the hard part. The issue I have now is: I need to grant members of a certain AD group access to a share (this was supposed to be easy, but is not working). Sanity check of winbind (sample output):
> $ wbinfo -g
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\my group
> MYDOMAIN\my group2
> Looks good. I need to grant all users in "my group" access to the share, all others shouldn't even see it.
>
> [share]
>    comment = Testing
>    path = /media/share
>    guest ok = no
>    read only = yes
>    valid users = @"MYDOMAIN\My Group"
>    browseable = no
>    locking = no
> If I put guest ok = yes, everything works fine. If I turn it to no, I get an authentication prompt. Answering it with invalid credentials comes back with "invalid user name or bad password", vs valid credentials says "access denied". So I know that the authentication with the domain controller is working fine, but limiting access to that group only is not.
>
> The group name has a space in it which probably isn't helping. I have tried many different combinations, but nothing seems to work. What is the proper syntax for this? We have winbind separator=\ earlier in the config file -- is that part of the problem maybe?
>    valid users = @"MYDOMAIN\My Group"
>    valid users = "@MYDOMAIN\My Group"
>    valid users = "MYDOMAIN\My Group"
> etc
> nothing seems to work. My methodology for testing this is fine: as soon as I put guest ok = yes, the share still works.   What's the right syntax for valid users= "My Domain\My Group"?    Any thoughts?
> Thanks,
> John
Hi
You don't really need smb.conf to get group only entry.

Just have smb.conf with:

[share]
   comment = Testing
   path = /media/share
   read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have in smb.conf. Once inside, any files created therein become group rw for My Group members.

HTH
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
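An added audit script, not from this thread or the Samba project, that reads a constructed smb.conf and checks each share for the two ways this thread shows a share ending up broader than intended: `guest ok = yes` left on after testing, and a share directory whose mode is looser than the chmod 0770 / chmod g+s layout Steve suggests. It assumes only the Python standard library; the share names and the scratch directory it stats are constructed.

```python
import os
import stat
import tempfile

# Constructed smb.conf (not the poster's real file): `open_share` is the
# "works with guest ok = yes" state, `locked_share` the intended definition.
SAMPLE_SMB_CONF = r"""
[open_share]
   path = /media/share
   guest ok = yes
[locked_share]
   path = /media/share
   guest ok = no
   valid users = @"MYDOMAIN\My Group"
   browseable = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and `key = value` lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_share(share, st=None):
    """Findings for one share; `st` is an optional os.stat_result of its path."""
    findings = []
    if share.get("guest ok", "no").lower() in ("yes", "true", "1"):
        findings.append("guest ok = yes: anonymous clients can reach the share")
    if not share.get("valid users"):
        findings.append("no valid users: only filesystem permissions limit access")
    if st is not None:
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o007:
            findings.append("path mode %o grants access to 'other'" % mode)
        if not st.st_mode & stat.S_ISGID:
            findings.append("setgid bit missing: new files will not inherit the group")
    return findings

def audit_with_tempdir(share, dir_mode):
    """Audit `share` against a scratch directory chmod'ed to `dir_mode`."""
    with tempfile.TemporaryDirectory() as path:
        os.chmod(path, dir_mode)
        return audit_share(share, os.stat(path))
```

Against a real host, replace the scratch directory with `os.stat(share["path"])` and read the live smb.conf; the share-level checks are the same.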
