Force group forces the Unix group to be whatever you force it to. It has nothing to do with what group the connecting user belongs to.

vishesh kumar wrote:
I am also facing the same issue.
Does it mean that we can't specify a secondary group as 'force group' in group?

On 11/5/09, Andrey Zykov <[email protected]> wrote:
Hello!

I tried to configure a Debian Linux file server as a Windows 2003 domain
member using samba with security = ADS mode and got stuck with this problem:

File server (fs) successfully joined my domain with correct user and
group mapping (I'm using idmap rid). Users from the domain have their unix
accounts with <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have
local unix user: 'DOMAIN\andrey':

fs:~# id DOMAIN\\andrey
uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена)
группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы
домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)

as you can see, the user has uid=11118, primary group
gid=10513('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in
English) and a few supplementary groups.
Now I want to make a share restricted to use by users from one of the
supplementary groups, i.e. 11395(DOMAIN\сотрудники).
I created a directory:

fs:~# ls -l /home/sambashare/ | grep officepub
drwxrwx---   2 DOMAIN\admin    DOMAIN\сотрудники             4096 Окт 26
20:28 officepub

and checked that I can access it locally via ssh:

fs:~# su DOMAIN\\andrey
domain\and...@fs:/root$ cd /home/sambashare/officepub/
domain\and...@fs:/home/sambashare/officepub$ touch file
domain\and...@fs:/home/sambashare/officepub$ rm file

Next I added a share definition in smb.conf with my group in the 'force group'
parameter:
...
[officepub]
        comment = Office Public Share
        path = /home/sambashare/officepub
        force group = +DOMAIN\сотрудники
        read only = No
        browseable = No

restarted samba, tried to access it via smbclient and got the following error:

fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
Enter DOMAIN\andrey's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 61680 blocks available
smb: \>

But at the same time I have a similar working share with restriction by
_primary_ group:

fs:~# id DOMAIN\\andrey
uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена)
группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы
домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
fs:~# ls -l /home/sambashare/ | grep pub
drwxrwx---   2 DOMAIN\admin    DOMAIN\пользователи домена    4096 Ноя  4
00:00 pub
fs:~# su DOMAIN\\andrey
domain\and...@fs:/root$ cd /home/sambashare/pub/
domain\and...@fs:/home/sambashare/pub$ touch file
domain\and...@fs:/home/sambashare/pub$ exit
exit
fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
Enter DOMAIN\andrey's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Thu Nov  5 17:02:01 2009
  ..                                  D        0  Wed Jun  3 18:22:47 2009
  file                                         0  Thu Nov  5 17:02:01 2009

                64000 blocks of size 8192. 28337 blocks available
smb: \>

So I've decided that the problem is in the not working (or
misunderstood?) 'force group' parameter.

What did I do wrong and how do I fix this?

Some technical information:

Distro used: Debian Lenny, kernel  2.6.26-2-amd64
Samba version: 3.2.5-4lenny6
Domain Controller: Windows Server 2003 R2 Enterprise Edition
smb.conf: http://pastebin.ca/1658364
Log file: http://pastebin.ca/1658368

P.S. Sorry for my English :-)

--
Andrey Zykov

e-mail: [email protected]
jabber: [email protected].


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

