[Samba] force group does not work

Leander S. info at netocean.de
Sun Feb 9 04:24:48 MST 2014


On 09.02.14 12:11, Leander S. wrote:
> On 09.02.14 11:56, Leander S. wrote:
>> Hi
>>
>> Thanks for your input, but this isn't really a workaround ;/
>> At the end of the day, I want to give each share its own
>>
>> valid users = @Groupname
>> force user  = Username(=Groupname)
>> force group = Groupname
>>
>> This makes permission management way easier, since users could just 
>> be added or removed from the  Groupname in order to get permission on 
>> the share.
>>
>> Also I don't need a cronjob, which sooner or later kills my HDDs, 
>> doing a periodic chmod -R and chown -R over all files. (This is 
>> anyway not a professional solution in my opinion)
>>
>>
>> My question is more likely: What am I missing in my config to make my 
>> setup work? Am I using the wrong syntax at some place, or what? This 
>> is quite frustrating ;)
>>
>>
>>
>>
>> On 08.02.14 19:43, steve wrote:
>>> On Sat, 2014-02-08 at 10:35 +0100, Leander S. wrote:
>>>> Hi
>>>>
>>>> I set up a samba 4.1.4 server on the latest FreeBSD RELEASE 10.
>>>> Unfortunately it doesn't seem to consider the option force group.
>>>> After hours of research I couldn't figure out what I'm still missing.
>>>> unix extensions is set to no. Setting the debug level up to 10 also
>>>> didn't help ;(
>>>> Is this a bug or is there simply a mistake in my setup?
>>>>
>>>> When
>>>> *valid users = @Groupname*
>>>> is set, then I don't have access to the share at all anymore.
>>>>
>>>> As funny as it sounds, but
>>>> *force user = MyUsername*
>>>> is working as expected.
>>>>
>>>>
>>>> id -Gn MyUsername
>>>> MyUsername Groupname
>>>>
>>>> getent group Groupname
>>>> Groupname:*:2004:MyUsername,Groupname
>>>>
>>>>
>>>> # ============= Global ============= #
>>>>
>>>>       [global]
>>>>
>>>>        # Basic server settings
>>>>        workgroup          = DOMAIN
>>>>        realm              = DOMAIN.LOCAL
>>>>        netbios name       = FILESERVER
>>>>        server role        = standalone server
>>>>
>>>>        # Password backend
>>>>        passdb backend     = samba_dsdb
>>>>
>>>>        # DNS
>>>>        dns forwarder      = 10.0.0.1
>>>>
>>>>        # Logging
>>>>        log level = 2
>>>>        max log size = 5000
>>>>
>>>>        # Charset
>>>>        unix charset       = UTF-8
>>>>        dos charset        = cp1252
>>>>
>>>>        # Enable NTLMv2
>>>>        ntlm auth          = No
>>>>        lanman auth        = No
>>>>        client ntlmv2 auth = Yes
>>>>
>>>>        # Printing
>>>>        load printers = No
>>>>        printing      = BSD
>>>>        printcap name = /dev/null
>>>>
>>>>        # Default masks
>>>>        unix extensions      = No
>>> lose these for now:
>>>>        create mask          = 0770
>>>>        force create mode    = 0770
>>>>        directory mask       = 0770
>>>>        force directory mode = 0770
>>>>
>>>>        # Miscellaneous
>>>>        veto oplock files  = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt
>>>>
>>>>
>>>> # ============= Shares ============= #
>>>>
>>>>       [MyShare]
>>>>        comment     = NAS
>>>>        path        = /mnt/MyShare
>>>>        guest ok    = No
>>>>        read only   = No
>>>>        valid users = @Groupname
>>>>        forece user = MyUsername
>>>>        force group = Groupname
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Any help would be greatly appreciated ;)
>>>>
>>>> Best Regards
>>>> L.
>>>>
>>>>
>>> change this:
>>> force user = MyUsername
>>> and go for something like:
>>> chgrp Groupname /mnt/MyShare
>>> chmod g+s /mnt/MyShare
>>> maybe?
>>> Steve
>>>
>>>
>>
>
> valid users = admin
> force user  = admin
> force group = @admin
>
> Results in:
>
> *smbclient -U admin \\\\HOSTNAME-01\\DOMAIN <password>*
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.4]
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
>
> Yet it exists and is a member of:
>
> *id -Gn admin*
> admin wheel
>
> *getent group admin*
> admin:*:1001
>
>
> *BUT:*
>
>
> *wbinfo -u*
> HOSTNAME-01\HOSTNAME-01$
> HOSTNAME-01\administrator
> HOSTNAME-01\krbtgt
> HOSTNAME-01\guest
> HOSTNAME-01\admin
>
> *wbinfo -g*
> HOSTNAME-01\read-only domain controllers
> HOSTNAME-01\group policy creator owners
> HOSTNAME-01\domain controllers
> HOSTNAME-01\domain computers
> HOSTNAME-01\domain admins
> HOSTNAME-01\domain guests
> HOSTNAME-01\domain users
>
>
>
> # ========================================================= #
>
> While the following setup results in a valid login
>
>   valid users = admin
>   force user  = admin
>   force group = admin
>
>
> BUT
>
> ls -lach /mnt/MyShare
> [...]
> drwxrwxrwx  2 admin *wheel*     2B Feb  9 12:08 TestFolder
> [...]
>
> it seems like it is falling back to wheel, which is just wrong here ;(
>
>



Sorry, reading 
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FORCEGROUP again 
helped a little:


      force printername (S)


    When printing from Windows NT (or later), each printer in smb.conf
    has two associated names which can be used by the client. The first
    is the sharename (or shortname) defined in smb.conf. This is the
    only printername available for use by Windows 9x clients. The second
    name associated with a printer can be seen when browsing to the
    "Printers" (or "Printers and Faxes") folder on the Samba server.
    This is referred to simply as the printername (not to be confused
    with the printer name option).

    When assigning a new driver to a printer on a remote Windows
    compatible print server such as Samba, the Windows client will
    rename the printer to match the driver name just uploaded. This can
    result in confusion for users when multiple printers are bound to
    the same driver. To prevent Samba from allowing the printer's
    printername to differ from the sharename defined in smb.conf, set
    force printername = yes.

    Be aware that enabling this parameter may affect migrating printers
    from a Windows server to Samba since Windows has no way to force the
    sharename and printername to match.

    It is recommended that this parameter's value not be changed once
    the printer is in use by clients as this could cause a user not be
    able to delete printer connections from their local Printers folder.

    Default: force printername = no



So I changed it to:

   valid users = admin
   force user  = admin
   force group = +admin


and now I see the following error:


Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.4]
tree connect failed: NT_STATUS_MEMBER_NOT_IN_GROUP


But admin is in group admin ... so f****** what?
Where does Samba look up those groups, that it is incapable of finding them?!
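
An added example, not part of the original post: a small Python check that runs the share settings and the `getent group` / `id -Gn` output quoted in this thread through three tests (misspelt parameter names, an `@` prefix on force group, and how the user belongs to the forced group). The function names and the KNOWN list are hypothetical; rejecting `@` assumes the smb.conf man page, which documents only `+` as a force group prefix.

```python
# Parameters that appear in the shares on this page; not a full smb.conf list.
KNOWN = {"comment", "path", "guestok", "readonly",
         "validusers", "forceuser", "forcegroup"}

def parse_share(text):
    """Map normalised parameter name -> (name as written, value)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        raw, value = (part.strip() for part in line.split("=", 1))
        # smb.conf ignores case and whitespace inside parameter names
        params["".join(raw.lower().split())] = (raw, value)
    return params

def membership(user, group, getent_group, id_gn):
    """Classify membership from `getent group <g>` and `id -Gn <user>` output."""
    name, _pw, _gid, members = (getent_group.strip().split(":") + [""] * 3)[:4]
    if name != group:
        return "no such group"
    if user in members.split(","):
        return "listed member"          # named in the group's member field
    if id_gn.split()[:1] == [group]:
        return "primary group only"     # first name printed by id -Gn
    return "not a member"

def lint(share_text, user, getent_group, id_gn):
    """Return findings for one share section and one connecting user."""
    params = parse_share(share_text)
    out = [f"unknown parameter: {raw}" for key, (raw, _) in params.items()
           if key not in KNOWN]
    group = params.get("forcegroup", ("", ""))[1]
    if group.startswith("@"):
        out.append("force group: '@' is valid users syntax, "
                   "'+' is the only documented prefix")
    elif group:
        name = group.lstrip("+")
        out.append(f"{user} in {name}: "
                   + membership(user, name, getent_group, id_gn))
    return out

# Constructed from the settings and command output quoted in the thread.
SHARE = """[MyShare]
valid users = @Groupname
forece user = MyUsername
force group = Groupname"""

if __name__ == "__main__":
    for finding in lint(SHARE, "MyUsername",
                        "Groupname:*:2004:MyUsername,Groupname",
                        "MyUsername Groupname"):
        print(finding)
```

The result describes only what the NSS output says about the account; it does not reproduce Samba's own group lookup.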





