[Samba] How to give AD users group permissions on a Samba share

Rowland Penny rpenny at samba.org
Tue Jun 4 18:08:04 UTC 2024


On Tue, 4 Jun 2024 13:22:49 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> I have a Linux file server that is an AD Domain Member. It shares the 
> following (smb.conf):
> 
> [public]
> path = /public
> store dos attributes = no
> hide dot files = yes
> readonly = no
> force group = ohprs
> create mask = 0660
> directory mask = 2770
> 
> The "force group" lets all Windows users map this folder and create 
> files and directories that all users can access and update. They are 
> created with their own user ID and the specified group (ohprs). That
> has worked well for some time, but now the Boss wants his own folder.
> No problem, I created a group for him and created a folder belonging
> to that group, 'mark':
> 
> :
> drwxrwsr-x  24 ohprso    ohprs   4096 2024-05-13 11:40 jane/
> drwxrws---+  2 HPRS\mark mark    4096 2024-05-28 00:14 mark/
> drwxrws--x   4 ohprso    ohprs   4096 2024-04-28 21:58 mfoleyOutlook/
> :
> 
> He can now add files to this folder from his Windows mapped drive:
> 
> $ ls -l mark
> total 8
> -rwxrwx---+ 1 HPRS\mark ohprs 445 2024-05-28 00:14 testme.txt*
> 
> (Not sure why it sets the x bit since the create mask 0660 does not,
> but not important for now.)
> 
> Two problems:
> 
> 1. As you can see from the example, files created in this directory
> are group 'ohprs', not 'mark' -- probably because of the group mask,
> but I had hoped the S bit on the parent directory would serve to
> inherit the group name. Apparently not. Not a huge issue since other
> users don't have rwx permission to see or update these files. But, is
> there a way to have files in this directory inherit the 'mark' group?
> 
> 2. Bigger issue - the Boss wants his admin. assistant to also be able
> to see and update files in his folder. Normally, one would do a
> 'usermod -a -G' to add the assistant to group 'mark'. But, these are
> Domain users and are not in /etc/passwd. So, how can I do this?
> 
> Thanks --Mark

I am fairly sure I have said this before, but please stop doing things
in the old NT4-style way and use vfs_acl_xattr, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

To add domain users to a domain group (you are using domain groups,
aren't you?), you use 'samba-tool', see 'samba-tool
group addmembers --help' for more information.

Rowland
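
The change the reply points to, sketched as an added example (not part of the original message and not copied from the Samba wiki). The domain group name "boss-folder" and the user name "assistant" are hypothetical, and the samba-tool line assumes the domain is served by a Samba AD DC.

```ini
# Before (from the quoted smb.conf): every connection is forced into one
# POSIX group, and access is steered with mode bits.
# [public]
#     path = /public
#     force group = ohprs
#     create mask = 0660
#     directory mask = 2770

# After: Windows ACLs stored in extended attributes by vfs_acl_xattr.
[global]
    vfs objects = acl_xattr
    map acl inherit = yes

[public]
    path = /public
    read only = no
    # No force group, create mask or directory mask here. Access to each
    # folder is granted to domain groups through the folder's Windows ACL
    # (Security tab on a Windows client), and new files inherit it.

# Membership is managed in AD rather than with usermod on the file server.
# Run on a Samba AD DC, with the hypothetical names from the lead-in:
#   samba-tool group addmembers boss-folder mark,assistant
```

The file system backing /public must support extended attributes for the ACLs to be stored.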



