[Samba] unix_primary_group = yes don t work
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 6 15:46:04 UTC 2019
Hai Christian,
I configured my member as shown on the wiki. ( see below )
And as you see not much different compaired to yours.
The diffence is the way of the setup and the order of the setup.
I'll see if i can make a matrix of my setup so its more ease to explain this.
[global]
log level = 1 auth_audit:3
workgroup = DOM
security = ADS
realm = REALM.DOMAIN.TLD
netbios name = HOSTNAME
interfaces = 192.168.0.11 127.0.0.1
bind interfaces only = yes
dns proxy = yes
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/key.pem
tls certfile = /etc/ssl/local/certs/cert.pem
tls cafile = /etc/ssl/certs/company-ca.pem
## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config DOM : backend = ad
idmap config DOM : schema_mode = rfc2307
idmap config DOM : range = 10000-3999999
idmap config DOM : unix_nss_info = yes
idmap config DOM : unix_primary_group = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# I dont want DOM\username but username.
winbind use default domain = yes
# enable offline logins
winbind offline logon = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
######## SHARE DEFINITIONS ################
[profiles]
browseable = yes
path = /home/samba/profiles
read only = no
# make sure we match windows ACL for profile shares.
# Think in GPO's, special windows rights, user/group SYSTEM.
acl_xattr:ignore system acl = yes
[users]
browseable = yes
path = /home/samba/users
read only = no
[public]
browseable = yes
path = /home/samba/public
read only = no
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Christian Daré via samba
> Verzonden: woensdag 6 februari 2019 16:29
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] unix_primary_group = yes don t work
>
> I have the same conclusion
> Anybody have a conf with "unix_primary_group = yes" working ?
>
> Christian
>
> Le 06/02/2019 à 15:39, Rowland Penny via samba a écrit :
> > On Wed, 6 Feb 2019 13:25:08 +0100
> > Christian Daré via samba <samba at lists.samba.org> wrote:
> >
> >> thanks for the answer, Louis.
> >> i m talking about the userhome dir.
> >> I ve already read
> https://wiki.samba.org/index.php/User_Home_Folders
> >> and i m applying the posix acls to my share.
> >> As the users's home is shared between windows and linux, i d rather
> >> use the posix acls than the windows ones.
> >>
> >> Beside the homedir of my users have a form like /home/ first letter
> >> of name /login ( ex : /home/d/dare ) and i cant change
> that, this is
> >> why i use the [home] share , it s the simplier solution for me.
> >>
> >> Is it mandatory to use the windows acls to have the
> functionnality i
> >> m looking for ?
> >>
> > Been doing some testing on this, if a user connects via ssh
> to a Unix
> > domain member that is set up to use the users Unix group as
> its primary
> > group and creates a file, I get this:
> >
> > root at testsmb:~# ls -la /home/giduser/test.txt
> > -rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt
> >
> > However, if the user connects via SMB to a share and
> creates a file, I
> > get this:
> >
> > root at testsmb:~# ls -la /home/data/test.txt
> > -rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48
> /home/data/test.txt
> >
> > It looks like the Samba tools ignore 'idmap config SAMDOM :
> > unix_primary_group = yes'
> >
> > Rowland
> >
> >
> >
>
> --
> UBO <http://www.univ-brest.fr>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list