[Samba] Using Force Group with AD Group
McIntyre, Vincent (S&A, Marsfield)
Vincent.Mcintyre at csiro.au
Sun Sep 25 02:34:47 UTC 2022
On Sat, Sep 24, 2022 at 10:42:31PM +0000, Eddie Rowe via samba wrote:
>Can we use the "force group" option to specify an Active Directory
>group similar to how we can with "valid users" and "write list" on
>Linux (I saw that this is not supported at all on BSD when
>I searched the archives)? I ask because the man page for "force
>group" specifically says it is a Unix group name and prepending the
>"+" character seems to have a different purpose (the entire flow of
>the other parameters is quite different). In my limited testing, if
>I set the "force group" permission to a local Linux group or try
>to use the DOMAIN\DomainGroup, it results in the DOMAIN\Domain Users
>group being used in both cases. I believe I can accomplish
>something similar by setting the group +s (SGID) on the folder that
>the Samba share points to, which causes the files being created to
>have the AD group that I would like to always use.

Question (since the manpage isn't specific about this case): did

    force group = DOMAIN\Domain Group

work any differently to

    force group = +DOMAIN\Domain Group

for users that do (and do not) have that group as their primary?

It might help your debugging process if you add a preexec line, e.g.

    [someshare]
    preexec = /bin/sh -c 'echo \"%T someshare: user %u \(group %g, primary %G, dom %D\) coming from %m \(%M\) connected to %S \(%P\) as %U, path %p, protocol %R\" >> /tmp/connectlog.%u 2>&1'

Kind regards
Vince
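
The SGID behaviour mentioned in the quoted question can be checked locally before pointing a share at the folder. This is an added example, not part of the original message: the function names are hypothetical, a local group of the current user stands in for the AD group, and GNU stat on Linux is assumed.

```shell
#!/bin/sh
# Added example: files created in a setgid directory take the directory's
# group, not the creator's primary group. Assumes Linux with GNU stat.

# Pick a group for the test directory: the first supplementary group of the
# current user if one exists, otherwise the primary group. This is a
# constructed stand-in for the AD group that winbind would map.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Create a setgid directory owned by group $1, create a file and a
# subdirectory inside it, and print "<dir gid> <file gid> <subdir mode>".
sgid_demo() {
    group=$1
    dir=$(mktemp -d) || return 1
    chgrp "$group" "$dir" || { rm -rf "$dir"; return 1; }
    chmod 2770 "$dir"     || { rm -rf "$dir"; return 1; }   # leading 2 = setgid
    : > "$dir/newfile"          # new file should inherit the directory's group
    mkdir "$dir/subdir"         # new subdirectory should inherit group and setgid bit
    dir_gid=$(stat -c %g "$dir")
    file_gid=$(stat -c %g "$dir/newfile")
    sub_mode=$(stat -c %a "$dir/subdir")
    rm -rf "$dir"
    echo "$dir_gid $file_gid $sub_mode"
}

# Stand-alone run: the first two numbers should match, and the subdirectory
# mode should start with 2 (setgid inherited).
sgid_demo "$(pick_group)"
```

This only shows the filesystem side; it does not say anything about how "force group" itself resolves an AD group name.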