[Samba] Force set group id on samba domain member

Harry Jede walk2sun at arcor.de
Tue Jul 24 14:42:31 UTC 2018


On Tuesday, 24 July 2018, 14:38:31 CEST, Michal via samba wrote:
>   Samba DM config below.
>   Directories with setgid:
> 
> $ll /home4/group
> total 32
> drwxrws--- 7 NIS\nisadmin NIS\audio      4096 Jul 24 14:14 audio
> drwxrwx--- 2 NIS\nisadmin NIS\dok-sprava 4096 Jul 21 09:23 dok-sprava
> drwxrwx--- 2 NIS\nisadmin NIS\poj        4096 Jul 23 08:38 poj
> drwxrwx--- 2 NIS\nisadmin NIS\projekty   4096 Jul 23 09:14 projekty
> 
>   When a user creates a file/dir directly on Linux, the files have the correct
> group:
> 
> $ mkdir /home4/group/audio/test1dir
> $ touch /home4/group/audio/test1file
> $ ll /home4/group/audio
> total 4
> drwxr-sr-x 2 NIS\test1 NIS\audio 4096 Jul 24 08:15 test1dir
> -rw-r--r-- 1 NIS\test1 NIS\audio    0 Jul 24 08:16 test1file
> 
>   But when the same user creates files when logged into windows:
> 
> windows:
> T:\audio>mkdir test1dir2
> T:\audio>echo test > test1file2
> 
> linux:
> 
> $ll /home4/group/audio
> total 40
> drwxr-sr-x  2 NIS\test1    NIS\audio        4096 Jul 24 08:15 test1dir
> drwxrwsr-x+ 2 NIS\test1    NIS\domain users 4096 Jul 24 12:35 test1dir2
> -rw-r--r--  1 NIS\test1    NIS\audio           0 Jul 24 08:16 test1file
> -rwxrwxr-x+ 1 NIS\test1    NIS\domain users    7 Jul 24 12:35 test1file2
> 
>   there is "NIS\\domain users" group instead of expected and needed
> "NIS\\audio" group.
> 
>   Where can the problem be?
Maybe there is no problem? Check the extended ACLs:

getfacl /home4/group/audio/{test1dir2,test1file2}


>   Thanks, Michal
> 
> smb.conf on samba4 DM:
> [global]
>   security = ADS
>   workgroup = NIS
>   realm = uhn.nemuh.cz
>   winbind offline logon = yes
>   winbind enum users = yes
>   winbind enum groups = yes
> ..
>   log file = /var/log/samba/%m.log
>   log level = 1
> 
>   idmap config * : backend = tdb
>   idmap config * : range = 10000-19999
>   idmap config ad
> 
>   # idmap config for the NIS domain
>   idmap config NIS:backend = ad
>   idmap config NIS:schema_mode = rfc2307
>   idmap config NIS:range = 100-9999
>   idmap config NIS:unix_nss_info = yes
>   username map = /usr/local/samba/etc/user.map
> 
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
> 
>   hide unreadable = Yes
> 
>   root preexec = /usr/local/bin/RPE4 '%u' 'GLOBALS' '%m' '%a'
> 
>   ea support = yes
> 
> 
> # Rowland
>   #Users/groups who have write access to the file can modify
>   # the permissions (incl. ACL)
>   #Ownership of file/dir may also be changed
>   #Default: no (disable)
>   dos filemode = yes
>   # must set (map [hidden|archive|system|read only]) = no
>   # Enabled: store DOS attributes onto user.DOSATTRIB file
>   # file system must be mounted with user_xattr
>   # extended attributes must be compiled into the Linux kernel
>   store dos attributes = yes
>   #these depend on (create mask), however, refer to (store dos attributes)
>   map hidden = no
>   map archive = no
>   map system = no
>   map read only = no
>   # map “inherit” and “protected” flags in Windows ACLs into extended
>   #attribute file called user.SAMBA_PAI
>   map acl inherit = yes
>   # Turn on unix extensions
>   unix extensions = yes
> ## end Rowland
> 
> [home4]
>   path = /home4/
>   read only = no
>   root preexec = /usr/local/bin/RPE4 '%u' 'HOME4' '%m' '%a'
> 
> [users]
>   path=/home/
>   read only = no
>   root preexec = /usr/local/bin/RPE4 '%u' 'USERS' '%m' '%a'
> 
> [profiles]
>   path = /profiles/
>   read only = no
>   root preexec = /usr/local/bin/RPE4 '%u' 'PROFILES' '%m' '%a'
>   browseable = No
>   force create mode = 0660
>   force directory mode = 0770
>   csc policy = disable
>   store dos attributes = yes
>   vfs objects = acl_xattr
> 
> [groups]
>   path=/home4/group
>   read only=no
>   root preexec = /usr/local/bin/RPE4 '%u' 'GROUPS' '%m' '%a'
>   browseable = No
>   force create mode = 0660
>   force directory mode = 0770
>   store dos attributes = yes
>   vfs objects = acl_xattr


-- 

Regards
	Harry Jede
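
How to read the getfacl output suggested in the reply, as an added example that is not part of the original post: a group that is not the owning group can still hold rights through a named-group ACL entry, capped by the mask. The getfacl text below is constructed for illustration (it is not output from the poster's system), and the function names are hypothetical.

```python
import re

# Constructed `getfacl` output (not taken from the thread): owning group is
# "NIS\domain users", plus a named-group entry for NIS\audio. getfacl prints
# backslash and space in names as octal escapes (\134, \040).
SAMPLE = r"""# file: home4/group/audio/test1file2
# owner: NIS\134test1
# group: NIS\134domain\040users
user::rwx
group::r-x
group:NIS\134audio:rwx
mask::rwx
other::r-x
"""

def unescape(name):
    """Decode getfacl's \\ooo octal escapes in user and group names."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one file's getfacl output into owner, owning group and access entries."""
    acl = {"owner": None, "group": None, "entries": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." comment, then split tag:qualifier:perms.
            tag, qualifier, perms = line.split("#")[0].strip().split(":")[:3]
            acl["entries"][(tag, unescape(qualifier))] = set(perms) - {"-"}
    return acl

def group_access(acl, group):
    """Effective rights of `group` as 'rwx' flags, or None if no group entry matches."""
    key = ("group", "") if group == acl["group"] else ("group", group)
    perms = acl["entries"].get(key)
    if perms is None:
        return None  # no group entry; "other" applies unless a user entry matches
    mask = acl["entries"].get(("mask", ""))
    if mask is not None:
        perms = perms & mask  # the mask caps every group-class entry
    return "".join(c if c in perms else "-" for c in "rwx")

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    for g in ("NIS\\audio", "NIS\\domain users"):
        print(g, "->", group_access(acl, g))
```

On a file with a `+` in `ls -l`, the group permission bits shown are the ACL mask, so the owning-group column alone does not tell you which groups have access.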

