[Samba] Group, idmap, unix_primary_group ...
gaio at sv.lnf.it
Fri Jan 31 10:30:27 UTC 2020
> For the rest... i make some experiments and give back feedback here. ;-)
Still some 'glitches', or at least Samba does not behave as I expected
(or as I was (ab)used to in NT mode).
The situation was: Samba in NT mode, main share on XFS with ACLs
enabled, users accessing a set of subfolders where the ACLs are mostly
'group based' (e.g. group only).
In NT mode, when users create folders, the folders are created with
their primary GID as group owner.
In AD mode, when users create folders, the folders are created with group owner
The share is defined as:
comment = Spazio di Lavoro Utente
volume = Work
path = /srv/work
browseable = yes
writeable = yes
map acl inherit = yes
store dos attributes = yes
vfs objects = acl_xattr
With 'unix_primary_group = yes' and a GID set to a group different
from 'Domain Users', on UNIX users create files as before, with that
GID as group owner. Good.
But from Windows, files are created with group owner 'Domain Users'.
gaio at vdmsv1:/srv/work/CED$ id
uid=10000(gaio) gid=11001(sir) gruppi=11001(sir),4(adm),20(dialout),24(cdrom),25(floppy),46(plugdev),5000(BUILTIN\administrators),5001(BUILTIN\users),10513(domain users),10998(printops),10999(unixadm)
gaio at vdmsv1:/srv/work/CED$ echo ciao > ciao-posix.txt
gaio at vdmsv1:/srv/work/CED$ ls -la ciao-posix.txt
-rw-rw----+ 1 gaio sir 5 gen 31 11:03 ciao-posix.txt
gaio at vdmsv1:/srv/work/CED$ getfacl ciao-posix.txt
# file: ciao-posix.txt
# owner: gaio
# group: sir
W:\CED>echo ciao >ciao-windows.txt
gaio at vdmsv1:/srv/work/CED$ ls -la ciao-windows.txt
-rwxrwx---+ 1 gaio domain users 7 gen 31 11:07 ciao-windows.txt
gaio at vdmsv1:/srv/work/CED$ getfacl ciao-windows.txt
# file: ciao-windows.txt
# owner: gaio
# group: domain\040users
The problem comes from the complex ACL setup needed in some cases: consider
folder A: access to group1 and group2, RO
folder A/current: access to group1 and group2, full control
folder A/archive: access to group1 full control, group2 RO
in the real world: group1 and group2 work on some documents that,
after a staging period, have to be 'archived', and group2 must not
With the current setup, files and folders get created with group owner
'Domain Users' and permission 'full control', and so files are
accessible to anyone... (or at least to 'group2'; parent folder
permissions still apply).
All this setup, indeed, probably came from 'old information'...
If I remember well, initially with ACLs there was no way to set the
mask explicitly, and the mask was taken from the group owner
permissions; so all my folders have the group owner ACL as 'rwx'.
But, while I surely can fix permissions with 'setfacl', it seems to me
that I have no control on Windows, and files on Windows seem to get
created with group owner 'Domain Users' and mask 'rwx'.
Can someone explain this to me?
Is there some way to prevent Windows from using 'Domain Users' as
primary group? I need to set:
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
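Added example, not part of the original message and not the poster's code: a small audit script that parses getfacl(1) output from the share and flags the failure mode described above, i.e. files under the 'archive' folder where a group that should be read-only (group2) or the owning group 'Domain Users' still has an effective write bit once the mask is applied. The group names group1/group2 and the three getfacl records embedded below are constructed for the demonstration; only the getfacl format (including its \040 escaping of spaces in names, as in 'domain\040users') is real.

```python
"""Audit POSIX ACLs on a Samba share against an 'archive' policy.

Added example (not from the original post). Parses getfacl(1) output and
reports files where a read-only group, or everyone in a broad owning
group such as 'Domain Users', can still write after the ACL mask is
applied. The sample getfacl records below are constructed.
"""
import re

# getfacl escapes spaces and non-printable bytes in names as \ooo (octal),
# e.g. "domain\040users".
_OCTAL_ESC = re.compile(r"\\([0-7]{3})")


def unescape(name: str) -> str:
    """Undo getfacl's octal escaping of user/group names."""
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> list:
    """Parse one or more getfacl records (records are separated by blank lines)."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"file": None, "owner": None, "group": None, "access": [], "default": []}
        for line in chunk.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("#"):
                # Header lines: "# file: ...", "# owner: ...", "# group: ..."
                key, _, value = line[1:].strip().partition(":")
                if key in ("file", "owner", "group"):
                    rec[key] = unescape(value.strip())
                continue
            # Entry lines: [default:]tag:[qualifier]:perms, possibly followed
            # by a "#effective:..." annotation that we drop.
            line = line.split("#", 1)[0].strip()
            parts = line.split(":")
            scope = "access"
            if parts[0] == "default":
                scope = "default"
                parts = parts[1:]
            if len(parts) != 3:
                raise ValueError(f"unparseable ACL entry: {line!r}")
            tag, qualifier, perms = parts
            rec[scope].append((tag, unescape(qualifier), perms))
        records.append(rec)
    return records


def _perm_bits(perms: str) -> set:
    return {c for c in perms if c in "rwx"}


def effective_perms(rec: dict, tag: str, qualifier: str = "") -> set:
    """Effective permission bits of one principal in the access ACL.

    POSIX ACL semantics: user:: (owner) and other:: are never masked;
    named users, the owning group (group::) and named groups are ANDed
    with mask:: when a mask entry exists.
    """
    entries = {(t, q): _perm_bits(p) for t, q, p in rec["access"]}
    bits = entries.get((tag, qualifier), set())
    mask = entries.get(("mask", ""))
    masked = tag == "group" or (tag == "user" and qualifier != "")
    if mask is not None and masked:
        bits &= mask
    return bits


def check_archive_policy(rec: dict, readonly_groups=("group2",),
                         broad_groups=("domain users",)) -> list:
    """Findings for one file: read-only groups, broad owning groups and
    'other' must not end up with an effective write bit."""
    findings = []
    for g in readonly_groups:
        if "w" in effective_perms(rec, "group", g):
            findings.append(f"{rec['file']}: read-only group {g!r} can write")
    owning = (rec["group"] or "").lower()
    if owning in broad_groups and "w" in effective_perms(rec, "group", ""):
        findings.append(f"{rec['file']}: owning group {rec['group']!r} can write")
    if "w" in effective_perms(rec, "other", ""):
        findings.append(f"{rec['file']}: world-writable")
    return findings


def audit(text: str) -> dict:
    """Map each file in a getfacl dump to its list of findings (empty = OK)."""
    return {rec["file"]: check_archive_policy(rec) for rec in parse_getfacl(text)}


# Constructed sample: the first record mimics a file created from Windows
# (group owner 'domain users', mask rwx); the second has a loose mask that
# lets group2 write; the third is compliant.
SAMPLE_GETFACL = """\
# file: A/archive/from-windows.docx
# owner: gaio
# group: domain\\040users
user::rwx
group::rwx
group:group1:rwx
group:group2:r-x
mask::rwx
other::---

# file: A/archive/loose-mask.txt
# owner: gaio
# group: sir
user::rw-
group::r--
group:group1:rwx
group:group2:rwx
mask::rw-
other::---

# file: A/archive/ok.txt
# owner: gaio
# group: sir
user::rw-
group::r--
group:group1:rwx
group:group2:r-x
mask::rwx
other::---
"""

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_GETFACL).items():
        print(path, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

To run it against a real share, feed it `getfacl -R /srv/work/A/archive` output; the script only reports, it changes nothing, so the fix (setfacl on the affected files, or a default ACL on the archive folder) stays a separate, deliberate step.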