[Samba] using AD groups in "username map"

Marco Gaiarin gaio at sv.lnf.it
Wed Feb 21 12:20:55 UTC 2018 

Mandi! Rowland Penny via samba
  In chel di` si favelave...

> I thought something similar as well, but I was logged into a win7
> machine as 'rowland', who is a member of 'Unix Admins' and couldn't
> add a user permissions to the share. Using getfacl to change
> 'group:unix\040admins:---' to 'group:unix\040admins:rwx' allowed me to
> add user permissions.

I've setup for that a brute-force bash script that, simply, ''santize''
(POSIX) ACLs, particulary, set group permission to 7, disable everyone
access (eg other=0), disable special unix permissione (sticky, ...).

In script comment, i've make a note that seems that POSIX ACL mask get
default value from group permission, but, can be set differently.
So, you can loosen permission to POSIX group, or set explicitly the
mask

'setfacl' manpage seems to explain better:

       To help the user ensure these rules, setfacl creates entries from existing entries under the following conditions:

       *   If an ACL contains named user or named group entries, and no mask entry exists, a mask entry containing the same permissions as the group entry is created.
           Unless the -n option is given, the permissions of the mask entry are further adjusted to include the union of all permissions affected by the  mask  entry.
           (See the -n option description).

       *   If  a  Default ACL entry is created, and the Default ACL contains no owner, owning group, or others entry, a copy of the ACL owner, owning group, or others
           entry is added to the Default ACL.

       *   If a Default ACL contains named user entries or named group entries, and no mask entry exists, a mask entry containing the same permissions as the  default
           Default ACL's group entry is added. Unless the -n option is given, the permissions of the mask entry are further adjusted to inclu de the union of all per‐
           missions affected by the mask entry. (See the -n option description).

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list