[Samba] Force set group id on samba domain member
Michal
Michal67M at seznam.cz
Tue Jul 24 12:38:31 UTC 2018
Samba DM config below.
Directories with setgid:
$ll /home4/group
total 32
drwxrws--- 7 NIS\nisadmin NIS\audio 4096 Jul 24 14:14 audio
drwxrwx--- 2 NIS\nisadmin NIS\dok-sprava 4096 Jul 21 09:23 dok-sprava
drwxrwx--- 2 NIS\nisadmin NIS\poj 4096 Jul 23 08:38 poj
drwxrwx--- 2 NIS\nisadmin NIS\projekty 4096 Jul 23 09:14 projekty
When a user creates a file/dir directly on Linux, the files have the correct
group:
$ mkdir /home4/group/audio/test1dir
$ touch /home4/group/audio/test1file
$ ll /home4/group/audio
total 4
drwxr-sr-x 2 NIS\test1 NIS\audio 4096 Jul 24 08:15 test1dir
-rw-r--r-- 1 NIS\test1 NIS\audio 0 Jul 24 08:16 test1file
But when the same user creates files when logged into windows:
windows:
T:\audio>mkdir test1dir2
T:\audio>echo test > test1file2
linux:
$ll /home4/group/audio
total 40
drwxr-sr-x 2 NIS\test1 NIS\audio 4096 Jul 24 08:15 test1dir
drwxrwsr-x+ 2 NIS\test1 NIS\domain users 4096 Jul 24 12:35 test1dir2
-rw-r--r-- 1 NIS\test1 NIS\audio 0 Jul 24 08:16 test1file
-rwxrwxr-x+ 1 NIS\test1 NIS\domain users 7 Jul 24 12:35 test1file2
There is the "NIS\\domain users" group instead of the expected and needed
"NIS\\audio" group.
Where can the problem be?
Thanks, Michal
smb.conf on samba4 DM:
[global]
security = ADS
workgroup = NIS
realm = uhn.nemuh.cz
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
..
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config ad
# idmap config for the NIS domain
idmap config NIS:backend = ad
idmap config NIS:schema_mode = rfc2307
idmap config NIS:range = 100-9999
idmap config NIS:unix_nss_info = yes
username map = /usr/local/samba/etc/user.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
hide unreadable = Yes
root preexec = /usr/local/bin/RPE4 '%u' 'GLOBALS' '%m' '%a'
ea support = yes
# Rowland
#Users/groups who have write access to the file can modify
# the permissions (incl. ACL)
#Ownership of file/dir may also be changed
#Default: no (disable)
dos filemode = yes
# must set (map [hidden|archive|system|read only]) = no
# Enabled: store DOS attributes onto user.DOSATTRIB file
# file system must be mounted with user_xattr
# extended attributes must be compiled into the Linux kernel
store dos attributes = yes
#these depend on (create mask), however, refer to (store dos attributes)
map hidden = no
map archive = no
map system = no
map read only = no
# map “inherit” and “protected” flags in Windows ACLs into extended
#attribute file called user.SAMBA_PAI
map acl inherit = yes
# Turn on unix extensions
unix extensions = yes
## end Rowland
[home4]
path = /home4/
read only = no
root preexec = /usr/local/bin/RPE4 '%u' 'HOME4' '%m' '%a'
[users]
path=/home/
read only = no
root preexec = /usr/local/bin/RPE4 '%u' 'USERS' '%m' '%a'
[profiles]
path = /profiles/
read only = no
root preexec = /usr/local/bin/RPE4 '%u' 'PROFILES' '%m' '%a'
browseable = No
force create mode = 0660
force directory mode = 0770
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
[groups]
path=/home4/group
read only=no
root preexec = /usr/local/bin/RPE4 '%u' 'GROUPS' '%m' '%a'
browseable = No
force create mode = 0660
force directory mode = 0770
store dos attributes = yes
vfs objects = acl_xattr
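
An added check for the symptom reported above (not part of the original post, and not Samba code): it walks a setgid group directory such as /home4/group/audio and lists every entry whose group differs from the top directory's, plus subdirectories that lost the setgid bit. The function name and the injectable lstat parameter are assumptions made for this example, as is treating the top directory's group as the intended one.

```python
import os
import stat
import sys


def find_group_drift(top, lstat=os.lstat):
    """Return sorted (path, kind, gid) tuples for entries below `top` that
    break setgid group inheritance.

    kind is "group" when the entry's gid differs from the gid of `top`,
    and "no-setgid" when a subdirectory has the right gid but lacks the
    setgid bit (files created in it would stop inheriting the group).
    `lstat` is injectable (example-only parameter) so the check can be
    exercised without chgrp rights.
    """
    top_st = lstat(top)
    if not top_st.st_mode & stat.S_ISGID:
        raise ValueError(f"{top} has no setgid bit; no group to inherit")
    want = top_st.st_gid  # assumption: the top directory carries the intended group

    findings = []
    # os.walk does not descend into symlinked directories by default,
    # so the walk stays inside the share.
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = lstat(path)
            if st.st_gid != want:
                findings.append((path, "group", st.st_gid))
            elif stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
                findings.append((path, "no-setgid", st.st_gid))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 group_drift.py /home4/group/audio
    for path, kind, gid in find_group_drift(sys.argv[1]):
        print(f"{kind:9} gid={gid} {path}")
```

Run against the listing in the post, test1dir2 and test1file2 would be reported with kind "group", and anything later created inside test1dir2 would be reported as well.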