[Samba] Using Force Group with AD Group

McIntyre, Vincent (S&A, Marsfield) Vincent.Mcintyre at csiro.au
Sun Sep 25 02:34:47 UTC 2022

On Sat, Sep 24, 2022 at 10:42:31PM +0000, Eddie Rowe via samba wrote:
>Can we use the "force group" option to specify an Active Directory 
>group similar to how we can with "valid users" and "write list" on 
>Linux (I saw that this is not supported at all on BSD when 
>I searched the archives)?  I ask because the man page for "force 
>group" specifically says it is a Unix group name and prepending the 
>"+" character seems to have a different purpose (the entire flow of 
>the other parameters is quite different).  In my limited testing if 
>I set the "force group" permission to a local Linux group or trying 
>to use the DOMAIN\DomainGroup results in the DOMAIN\Domain Users 
>group being used in both cases.  I believe I can accomplish 
>something similar by setting the group +s (SGID) on the folder that 
>the Samba share points to causes the files being created to have AD 
>group that I would like to always use.

Question (since the manpage isn't specific about this case): did

    force group = DOMAIN\Domain Group

work any different to

    force group = +DOMAIN\Domain Group

for users that do (and do not) have that group as their primary?

It might help your debugging process if you add a preexec line, eg

   preexec = /bin/sh -c 'echo \"%T someshare: user %u \(group %g, primary %G, dom %D\) coming from %m \(%M\) connected to %S \(%P\) as %U, path %p, protocol %R\" >> /tmp/connectlog.%u 2

Kind regards

More information about the samba mailing list