[Samba] Secondary Unix Groups
Samuel Taylor Liston
sam.liston at utah.edu
Tue Mar 9 22:43:47 UTC 2021
Rowland,
Thanks for replying. We bind to our campus AD for samba auth. For auth to the server otherwise we are using sssd.
Users are able to mount the share. In this space ‘other’ perms are removed and if the users’ primary group is not the group owning the directory they cannot access it. This lack of permission only occurs when accessing through a samba mount. If the user tries to access this same directory directly on the server they can access it through having secondary group membership.
I have included my global.smb.conf and one example of a share in smb.conf
global.smb.conf
[global]
workgroup = AD
server string = CottonWood (%L) Server
netbios name = chpcvip01
security = ADS
passdb backend = tdbsam
allow trusted domains = no
encrypt passwords = yes
realm = AD.UTAH.EDU
local master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = no
load printers = no
printcap name = /dev/null
disable spoolss = yes
lanman auth = yes
client plaintext auth = yes
client lanman auth = yes
restrict anonymous = 2
log level = 3
syslog = 3
smb.conf
[global]
log file = /var/log/samba/%m-ctdb.log
encrypt passwords = yes
include = /etc/samba/global.smb.conf
[chpc-group1]
comment = chpc-group1 cw10-3 share
# Hide the secret cluster files
veto files = /.clumanager/.rgmanager/
browsable = yes
writable = yes
path = /mnt/chpc-group1
create mask = 0644
directory mask = 0755
guest ok = no
nt acl support = yes
Sam Liston (sam.liston at utah.edu)
==========================================
Center for High Performance Computing - Univ. of Utah
155 S. 1452 E. Rm 405
Salt Lake City, Utah 84112 (801)232-6932
==========================================
> On Mar 9, 2021, at 3:20 PM, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 09/03/2021 21:47, Samuel Taylor Liston via samba wrote:
>> This may be a topic already covered somewhere, but I’m not finding much from Google searches. Sometime between version 4.7.1-6 and 4.10.4-11 were secondary unix groups no longer respected by samba? Looked through the man page, but didn’t find much by way of configuration options to enable this. Hoping to find a way to have secondary unix groups respected.
>> Thanks,
>
>
> We need more context to really comment on this, how are you running Samba ? As a Unix domain member, a DC, or something else ?
>
> What I can say is, your user must have logged in before you can rely on a true list of groups the user is a member of.
>
> Rowland
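An added diagnostic for the situation described in this message, not code from the original post or from the Samba project: run on the file server, it reports which POSIX permission class (owner, primary group, secondary group, other) gives a user access to a directory, using the group list NSS returns on that host. The names access_class and explain are hypothetical, only classic mode bits are evaluated (no POSIX ACLs, no root override), and the user and path arguments are whatever you supply.

```python
import os
import pwd
import sys


def access_class(uid, primary_gid, supp_gids, st_uid, st_gid, st_mode):
    """Return (class, rwx_bits) for the permission class the kernel would apply.

    Classes are checked in POSIX order: owner, then group (primary or
    supplementary), then other. rwx_bits is the 3-bit value (4=r, 2=w, 1=x).
    """
    if uid == st_uid:
        return "owner", (st_mode >> 6) & 7
    if primary_gid == st_gid:
        return "primary-group", (st_mode >> 3) & 7
    if st_gid in supp_gids:
        return "secondary-group", (st_mode >> 3) & 7
    return "other", st_mode & 7


def explain(user, path):
    """Resolve user and path through NSS and stat(), then classify the access."""
    pw = pwd.getpwnam(user)
    # getgrouplist() returns the primary gid plus every supplementary gid
    # that NSS (sssd, winbind, files, ...) reports for this user on this host.
    supp = set(os.getgrouplist(user, pw.pw_gid)) - {pw.pw_gid}
    st = os.stat(path)
    cls, bits = access_class(pw.pw_uid, pw.pw_gid, supp,
                             st.st_uid, st.st_gid, st.st_mode)
    return {
        "user": user,
        "path": path,
        "primary_gid": pw.pw_gid,
        "secondary_gids": sorted(supp),
        "dir_gid": st.st_gid,
        "class": cls,
        "rwx": bits,
        # True when access only works if the service sees the secondary groups.
        "depends_on_secondary_group": cls == "secondary-group" and bits != 0,
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: groupcheck.py USER PATH")
    for key, value in explain(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {value}")
```

If depends_on_secondary_group is true for a path that works locally but fails over the share, the local group list is complete and the difference lies in the group list the SMB session was given.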