[Samba] Group-based access instead of user-based?

Robert Marcano robert at marcanoonline.com
Mon Sep 12 12:28:20 UTC 2022

On 9/12/22 3:39 AM, tom uijldert via samba wrote:
> Hi Rowland,
> Thanks for the tips, much appreciated. Please find my response below.
> Thanks,
>      Tom.
> -----Original Message-----
> From: Rowland Penny <rpenny at samba.org>
> Sent: 09 September 2022 17:39
>>> Joined to our domain as member server, all domain users are mapped to
>>> 1 unix account/group.
>> It would be better to recreate the group in AD (or use Domain Users which all domain members are members of), delete the Unix group and then use vfs_acl_xattr and set > the permissions either from Windows od with setfacl.
> The goal here is/was to have a directory that could be used fairly freely by all domain members of that particular group.
> This seemed to me the most simple and straightforward setup.
> The unix security setting is simple and something I more or less "get" where, frankly, the whole Windows ACL-stuff seems overly complicated. But granted, that may be my limitation.

The most simple setup I use when there are no complex ACL requirements, 
like your example, just let a group of people work freely on a share, I 
use this:

   create mask = 660
   directory mask = 770
   force group = mygroup
   valid users = @mygroup

Just plain Unix permissions, no POSIX ACLs, no Windows ACLS.

>> It would also help if you posted your smb.conf (that way we can confirm how you are running Samba).
> Please find the smb.conf attached, it is the share [volwww] that we are testing.
> For completeness sake I also included the mapping file (users.map).

More information about the samba mailing list