[Samba] Using Force Group with AD Group

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Mon Sep 26 06:32:11 UTC 2022


Hello,

force group = DOMAIN\Domain Group

Each operation on this share will now behave as if the connecting user 
has this group. So no more group-based ACL. If you want to share certain 
folders via group-permission - this gives everybody the group (even 
those that do not have it in the AD) and gives them access or denies 
it to them. Even more so, this group will be the primary group of the 
user during the connection.

So everybody can access this share now because it behaves as if the user 
has this group.

force group = +DOMAIN\Domain Group

If the connecting user has this group (either directly or inherited) it 
will set this to be their _primary_ group -- it does not add any group 
to any user at all. It just changes the primary group.

All ACL-checks still work! New files and directories are created with 
this group, so other people accessing the share can open them (if you're 
using group-based permissions).

Have a nice day,
Matthias.

On 25.09.22 at 04:34, McIntyre, Vincent (S&A, Marsfield) via samba wrote:
> On Sat, Sep 24, 2022 at 10:42:31PM +0000, Eddie Rowe via samba wrote:
>> Can we use the "force group" option to specify an Active Directory
>> group similar to how we can with "valid users" and "write list" on
>> Linux (I saw that this is not supported at all on BSD when
>> I searched the archives)?  I ask because the man page for "force
>> group" specifically says it is a Unix group name and prepending the
>> "+" character seems to have a different purpose (the entire flow of
>> the other parameters is quite different).  In my limited testing if
>> I set the "force group" permission to a local Linux group or trying
>> to use the DOMAIN\DomainGroup results in the DOMAIN\Domain Users
>> group being used in both cases.  I believe I can accomplish
>> something similar by setting the group +s (SGID) on the folder that
>> the Samba share points to causes the files being created to have AD
>> group that I would like to always use.
> Question (since the manpage isn't specific about this case): did
>
>      force group = DOMAIN\Domain Group
>
> work any different to
>
>      force group = +DOMAIN\Domain Group
>
> for users that do (and do not) have that group as their primary?
>
>
> It might help your debugging process if you add a preexec line, eg
>
>     [someshare]
>     preexec = /bin/sh -c 'echo \"%T someshare: user %u \(group %g, primary %G, dom %D\) coming from %m \(%M\) connected to %S \(%P\) as %U, path %p, protocol %R\" >> /tmp/connectlog.%u 2
>
> Kind regards
> Vince

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
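As an added illustration of the two spellings Matthias contrasts above (not a config from the original thread), here are two shares that differ only in the "force group" line; DOMAIN, "Domain Group", the paths and the directory ownership are placeholders, and the AD group name is assumed to resolve on the Samba host via winbind.

```ini
# Added example, not from the original thread. Assumptions: both share
# directories are group-owned by "DOMAIN\Domain Group" with mode 0770, so
# on the filesystem only members of that group may enter them; winbind
# resolves "DOMAIN\Domain Group" to a gid (check: getent group
# 'DOMAIN\Domain Group'); validate the file afterwards with: testparm -s

[project-open]
    path = /srv/samba/project-open
    # Any domain user may connect to the share itself.
    valid users = @"DOMAIN\Domain Users"
    # Without "+": every connecting user is treated as a member of
    # "DOMAIN\Domain Group" for this share, and it becomes their primary
    # group for the connection. The 0770 directory ACL therefore no longer
    # keeps non-members out: anyone who can reach the share gets in.
    force group = DOMAIN\Domain Group
    create mask = 0660
    directory mask = 0770

[project-restricted]
    path = /srv/samba/project-restricted
    valid users = @"DOMAIN\Domain Users"
    # With "+": only users who already belong to "DOMAIN\Domain Group"
    # (directly or via nested membership) get it as their primary group.
    # Nobody gains a group they do not have, so the 0770 directory ACL
    # still denies non-members, while files created by members land with
    # the shared group and stay readable to the other members.
    force group = +DOMAIN\Domain Group
    create mask = 0660
    directory mask = 0770
```

Vince's preexec logging suggestion above is a quick way to confirm which variant is in effect: %G shows the primary group Samba assigned for the connection.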
