[Samba] Force set group id on samba domain member

Michal Michal67M at seznam.cz
Tue Jul 24 20:47:42 UTC 2018


2018-07-24 16:42 GMT+02:00 Harry Jede <walk2sun at arcor.de>:

> On Tuesday, 24 July 2018, 14:38:31 CEST, Michal via samba wrote:
>
> > Samba DM config below.
> > Directories with setgid:
> >
> > $ ll /home4/group
> > total 32
> > drwxrws--- 7 NIS\nisadmin NIS\audio 4096 Jul 24 14:14 audio
> > drwxrwx--- 2 NIS\nisadmin NIS\dok-sprava 4096 Jul 21 09:23 dok-sprava
> > drwxrwx--- 2 NIS\nisadmin NIS\poj 4096 Jul 23 08:38 poj
> > drwxrwx--- 2 NIS\nisadmin NIS\projekty 4096 Jul 23 09:14 projekty
> >
> > When the user creates a file/dir directly on Linux, the files have the
> > correct group:
> >
> > $ mkdir /home4/group/audio/test1dir
> > $ touch /home4/group/audio/test1file
> > $ ll /home4/group/audio
> > total 4
> > drwxr-sr-x 2 NIS\test1 NIS\audio 4096 Jul 24 08:15 test1dir
> > -rw-r--r-- 1 NIS\test1 NIS\audio 0 Jul 24 08:16 test1file
> >
> > But when the same user creates files when logged into Windows:
> >
> > windows:
> > T:\audio>mkdir test1dir2
> > T:\audio>echo test > test1file2
> >
> > linux:
> >
> > $ ll /home4/group/audio
> > total 40
> > drwxr-sr-x 2 NIS\test1 NIS\audio 4096 Jul 24 08:15 test1dir
> > drwxrwsr-x+ 2 NIS\test1 NIS\domain users 4096 Jul 24 12:35 test1dir2
> > -rw-r--r-- 1 NIS\test1 NIS\audio 0 Jul 24 08:16 test1file
> > -rwxrwxr-x+ 1 NIS\test1 NIS\domain users 7 Jul 24 12:35 test1file2
> >
> > there is the "NIS\\domain users" group instead of the expected and needed
> > "NIS\\audio" group.
> >
> > Where can the problem be?
>
> Maybe there is no problem? Check the extended ACLs:
>
> getfacl /home4/group/audio/{test1dir2,test1file2}
>
I think there is a problem:

getfacl /home4/group/audio/test1dir2
getfacl: Removing leading '/' from absolute path names
# file: home4/group/audio/test1dir2
# owner: NIS\134test1
# group: NIS\134domain\040users
# flags: -s-
user::rwx
user:NIS\134test1:rwx
group::rwx
group:NIS\134domain\040users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:NIS\134test1:rwx
default:group::rwx
default:group:NIS\134domain\040users:rwx
default:mask::rwx
default:other::r-x

(I've already deleted testfile2.)

There is no mention of the NIS\audio group at all. And there is no reason for
NIS\domain users to have any rights there (in fact, I do not want any
other group to have any rights there).


Michal


>
> > Thanks, Michal
> >
> > smb.conf on samba4 DM:
> > [global]
> > security = ADS
> > workgroup = NIS
> > realm = uhn.nemuh.cz
> > winbind offline logon = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > ..
> > log file = /var/log/samba/%m.log
> > log level = 1
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-19999
> > idmap config ad
> >
> > # idmap config for the NIS domain
> > idmap config NIS:backend = ad
> > idmap config NIS:schema_mode = rfc2307
> > idmap config NIS:range = 100-9999
> > idmap config NIS:unix_nss_info = yes
> > username map = /usr/local/samba/etc/user.map
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > hide unreadable = Yes
> >
> > root preexec = /usr/local/bin/RPE4 '%u' 'GLOBALS' '%m' '%a'
> >
> > ea support = yes
> >
> >
> > # Rowland
> > #Users/groups who have write access to the file can modify
> > # the permissions (incl. ACL)
> > #Ownership of file/dir may also be changed
> > #Default: no (disable)
> > dos filemode = yes
> > # must set (map [hidden|archive|system|read only]) = no
> > # Enabled: store DOS attributes onto user.DOSATTRIB file
> > # file system must be mounted with user_xattr
> > # extended attributes must be compiled into the Linux kernel
> > store dos attributes = yes
> > #these depend on (create mask), however, refer to (store dos attributes)
> > map hidden = no
> > map archive = no
> > map system = no
> > map read only = no
> > # map “inherit” and “protected” flags in Windows ACLs into extended
> > #attribute file called user.SAMBA_PAI
> > map acl inherit = yes
> > # Turn on unix extensions
> > unix extensions = yes
> > ## end Rowland
> >
> > [home4]
> > path = /home4/
> > read only = no
> > root preexec = /usr/local/bin/RPE4 '%u' 'HOME4' '%m' '%a'
> >
> > [users]
> > path=/home/
> > read only = no
> > root preexec = /usr/local/bin/RPE4 '%u' 'USERS' '%m' '%a'
> >
> > [profiles]
> > path = /profiles/
> > read only = no
> > root preexec = /usr/local/bin/RPE4 '%u' 'PROFILES' '%m' '%a'
> > browseable = No
> > force create mode = 0660
> > force directory mode = 0770
> > csc policy = disable
> > store dos attributes = yes
> > vfs objects = acl_xattr
> >
> > [groups]
> > path=/home4/group
> > read only=no
> > root preexec = /usr/local/bin/RPE4 '%u' 'GROUPS' '%m' '%a'
> > browseable = No
> > force create mode = 0660
> > force directory mode = 0770
> > store dos attributes = yes
> > vfs objects = acl_xattr
>
> --
> Regards
> Harry Jede
>
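As an added example that is not part of the thread, a small Python script that decodes getfacl's octal-escaped names (the NIS\134domain\040users in the output above is NIS\domain users) and audits a directory's ACL against the group that is supposed to own it. The sample input is the getfacl output quoted in the thread, and the expected group NIS\audio is the one the thread names; everything else is an assumption of this example.

```python
import re
# Constructed sample: the getfacl output shown in the thread for the directory created
# from Windows. getfacl escapes special characters as octal \ooo (\134 = '\', \040 = ' ').
SAMPLE_GETFACL = r"""# file: home4/group/audio/test1dir2
# owner: NIS\134test1
# group: NIS\134domain\040users
# flags: -s-
user::rwx
user:NIS\134test1:rwx
group::rwx
group:NIS\134domain\040users:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:NIS\134test1:rwx
default:group::rwx
default:group:NIS\134domain\040users:rwx
default:mask::rwx
default:other::r-x
"""
_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape_name(name):  # NIS\134domain\040users -> NIS\domain users
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one getfacl block into owner/group/setgid plus access and default entries."""
    acl = {"owner": None, "group": None, "setgid": False, "access": [], "default": []}
    for line in text.splitlines():
        if line.startswith("# "):                # header line: file, owner, group, flags
            key, value = (s.strip() for s in line[2:].split(":", 1))
            if key == "flags":
                acl["setgid"] = value[1] == "s"  # flag order is suid, sgid, sticky
            elif key in acl:
                acl[key] = unescape_name(value)
        elif line:                               # entry: [default:]tag:qualifier:perms
            kind = "default" if line.startswith("default:") else "access"
            tag, qualifier, perms = line.split(":")[-3:]
            acl[kind].append((tag, unescape_name(qualifier), perms))
    return acl

def audit_group_dir(text, expected_group):
    """List every way the ACL hands group rights to anyone other than expected_group."""
    acl, findings = parse_getfacl(text), []
    if acl["group"] != expected_group:
        findings.append(f"owning group is {acl['group']!r}, expected {expected_group!r}")
    findings += [f"{kind} entry grants {perms} to group {q!r}"
                 for kind in ("access", "default") for tag, q, perms in acl[kind]
                 if tag == "group" and q and q != expected_group]
    return findings
```

Run against the thread's output with expected group NIS\audio it reports the wrong owning group plus the access and default entries for NIS\domain users; an ACL in which only NIS\audio appears produces no findings.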

