[Samba] Secondary Unix Groups

Samuel Taylor Liston sam.liston at utah.edu
Tue Mar 9 22:43:47 UTC 2021

	Thanks for replying.  We bind to our campus AD for samba auth.  For auth to the server otherwise we are using sssd.  
	Users are able to mount the share.  In this space ‘other’ perms are removed and if the users’ primary group is not the group owning the directory they cannot access it.  This lack of permission only occurs when accessing through a samba mount.  If the user tries to access this same directory directly on the server they can access them through having secondary group membership.
	I have included my global.smb.conf and one example of a share in smb.conf
        workgroup = AD
        server string = CottonWood (%L) Server
        netbios name = chpcvip01
        security = ADS
        passdb backend = tdbsam
        allow trusted domains = no
        encrypt passwords = yes
        realm = AD.UTAH.EDU
        local master = no
        preferred master = no
        wins support = no
        wins proxy = no
        dns proxy = no
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes
        lanman auth = yes
        client plaintext auth = yes
        client lanman auth = yes
        restrict anonymous = 2
        log level = 3
        syslog = 3

        log file = /var/log/samba/%m-ctdb.log
        encrypt passwords = yes
        include = /etc/samba/global.smb.conf

        comment = chpc-group1 cw10-3 share
        # Hide the secret cluster files
        veto files = /.clumanager/.rgmanager/
        browsable = yes
        writable = yes
        path = /mnt/chpc-group1
        create mask = 0644
        directory mask = 0755
        guest ok = no
        nt acl support = yes

Sam Liston (sam.liston at utah.edu)
Center for High Performance Computing - Univ. of Utah
155 S. 1452 E. Rm 405
Salt Lake City, Utah 84112 (801)232-6932

> On Mar 9, 2021, at 3:20 PM, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 09/03/2021 21:47, Samuel Taylor Liston via samba wrote:
>> This may be a topic already covered somewhere, but I’m not finding much from Google searches.  Sometime between version 4.7.1-6 and 4.10.4-11 were secondary unix groups no longer respected by samba?  Looked through the man page, but didn’t find much by way of configuration options to enable this.  Hoping to find a way to have secondary unix groups respected.
>> Thanks,
> We need more context to really comment on this, how are you running Samba ? As a Unix domain member, a DC, or something else ?
> What I can say is, your user must have logged in before you can rely on a true list of groups the user is a member of.
> Rowland

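The symptom described in this thread (a directory with 'other' permissions removed, reachable only through a secondary group) can be reproduced on paper with the POSIX mode-bit check. The following is an added example, not code from the thread or from Samba: it compares the group list a shell login resolves with the group list attached to a file-server session. All uid/gid values and the `Entry` type are constructed, and ACLs and the root override are not modeled.

```python
import stat
from collections import namedtuple

# Constructed stand-in for os.stat_result so the example needs no real accounts.
Entry = namedtuple("Entry", "st_mode st_uid st_gid")

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"owner": 6, "group": 3, "other": 0}


def permission_class(entry, uid, gids):
    """Pick the single POSIX class that applies; classes are exclusive."""
    if uid == entry.st_uid:
        return "owner"
    if entry.st_gid in gids:
        return "group"
    return "other"


def access(entry, uid, gids, want):
    """True if every permission in `want` (e.g. "rx") is granted by mode bits."""
    cls = permission_class(entry, uid, gids)
    granted = (stat.S_IMODE(entry.st_mode) >> SHIFT[cls]) & 0o7
    need = sum(BITS[c] for c in want)
    return granted & need == need


def compare_views(entry, uid, primary_gid, nss_groups, session_groups, want="rx"):
    """Compare a local login (full NSS group list) with a session whose
    gid list may be shorter. `session_groups` is an assumed input: whatever
    supplementary gids the server process actually holds for that user."""
    local = access(entry, uid, {primary_gid, *nss_groups}, want)
    session = access(entry, uid, {primary_gid, *session_groups}, want)
    missing = sorted(set(nss_groups) - set(session_groups))
    return {
        "local": local,
        "session": session,
        "missing_from_session": missing,
        # Denial is explained by the owning group being absent from the session.
        "owning_group_missing": local and not session and entry.st_gid in missing,
    }


# Constructed scenario: drwxrws--- root:5001, user 12345 with primary gid 5000.
PROJECT_DIR = Entry(stat.S_IFDIR | 0o2770, 0, 5001)

if __name__ == "__main__":
    print(compare_views(PROJECT_DIR, 12345, 5000, [5001, 5002], []))
```

Feeding it the output of `id -G` for the user as `nss_groups` and the gid list observed for the session as `session_groups` shows whether a missing secondary group alone accounts for the denial.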