[Samba] How to give AD users group permissions on a Samba share
Rowland Penny
rpenny at samba.org
Thu Jun 6 18:28:25 UTC 2024
On Thu, 06 Jun 2024 13:37:34 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
>
> I have no doubt you have said this many times before, but not to me --
> at least not that I can recall. This is new territory for me. This
> share started off way-back-when as a Microsoft Sharepoint repository
> which was then migrated to a plain Samba share (I presume this is
> what you are calling "old NT4-style"). That ran for many years until
> the host was converted to an AD Domain Member about 10 years ago. All
> I did at the time was make a few minor tweaks to the smb.conf
> (removing guest ok|only, ...) and it continued to work. Now I have
> needs that apparently extend beyond what the "old-style" can support.
Basically, the old NT4-style domains relied on setting permissions in
the share part of the smb.conf file, but, by using vfs_acl_xattr, you
can set finer control from Windows and these acls are stored Extended
Attributes (EAs).
>
> So. I've followed the procedures in your referenced link and am at
> the section titled: "Setting Share Permissions and ACLs". I am
> setting this up on a test system. Before proceeding further I have
> some questions that don't seem immediately addressed in the wiki.
>
> This section in the wiki is giving an example for setting the share to
> 'Everyone', 'Full Control' and 'Domain Users'.
>
> As I've described, all files in this folder are currently set to Unix
> group 'ohprs'.
That is one of the hold-overs you don't need; if set up correctly, Samba
can make the domain group 'ohprs' into the Unix group 'ohprs'.
I created a group called 'ohprs' in my AD and:
rowland@devstation:~$ getent group ohprs
ohprs:x:13603:
So it appears to the local system as a Unix group, but if I look in
/etc/group it isn't there:
rowland@devstation:~$ grep 'ohprs' /etc/group
rowland@devstation:~$
> I want a like restriction with this vfs_acl_xattr.
> I suppose I can use group 'Domain Users' since all domain users will
> be able to access this, and I don't have to create a new group. So
> question #1: should I change all files/directories in this share to
> group 'Domain Users' before proceeding further?
You do not need to use 'Domain Users', use the Domain group 'ohprs'.
>
> mini question(s) -- can I still use the following for this share in
> smb.conf:
>
> store dos attributes = no # this one might be an issue, but I can
> explain
Why do you have that line? The default for that parameter is 'yes' and
you shouldn't need to change it.
> hide dot files = yes
Yes, you can set that.
>
> BTW, for the wiki command:
>
> # chown root:"Domain Admins" /srv/samba/Demo/
>
> I could not make that work unless I added the domain:
>
> # chown root:"hprs\Domain Admins" /srv/samba/Demo/
Ah, if you add 'winbind use default domain = yes' to global, you will
not have to add 'hprs\' (the NetBIOS domain name, aka workgroup).
Rowland
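The two checks Rowland describes above (does the group resolve through NSS/winbind rather than from /etc/group, and what does a vfs_acl_xattr share stanza look like once the old share-level permissions are dropped) can be scripted. The following is an added example written for this page, not code from the thread or from the Samba project; the share name, the path /srv/samba/ohprs and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks where a group name is
# resolved from and prints the smb.conf pieces discussed above.

# group_source NAME
#   prints "local"   if NAME is defined in /etc/group,
#          "nss"     if it resolves only through NSS (e.g. winbind/AD),
#          "missing" if it does not resolve at all.
# An AD group such as 'ohprs' should come back as "nss": visible to
# getent, absent from /etc/group.
group_source() {
    name="$1"
    if grep -q -- "^${name}:" /etc/group; then
        printf 'local\n'
    elif getent group -- "$name" >/dev/null 2>&1; then
        printf 'nss\n'
    else
        printf 'missing\n'
    fi
}

# global_additions
#   the [global] lines implied by the reply: resolve names without the
#   'hprs\' NetBIOS prefix, and leave 'store dos attributes' at its
#   default of yes (i.e. do not set it to no).
global_additions() {
    cat <<'EOF'
    winbind use default domain = yes
EOF
}

# share_stanza SHARENAME PATH
#   a share that stores Windows ACLs in extended attributes via
#   vfs_acl_xattr instead of relying on valid users / force group
#   settings in smb.conf. Access is then granted to the AD group
#   (e.g. 'ohprs') from Windows, not from this file.
share_stanza() {
    cat <<EOF
[$1]
    path = $2
    read only = no
    vfs objects = acl_xattr
    map acl inherit = yes
    hide dot files = yes
EOF
}

# Example run (assumed values): a group that should exist everywhere,
# then the stanza for a hypothetical share.
printf 'root group source: %s\n' "$(group_source root)"
printf 'ohprs group source: %s\n' "$(group_source ohprs)"
global_additions
share_stanza ohprs /srv/samba/ohprs
```

On a correctly joined domain member, `group_source ohprs` prints `nss`; `missing` means winbind/NSS is not resolving AD groups yet, and `local` means a leftover entry in /etc/group that will shadow the domain group. Run `testparm -s` after adding the stanza to confirm Samba accepts it.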