But what about this:

"In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting |force group = +sys| means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group."

http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FORCEGROUP


Gary Dale wrote:
Force group forces the Unix group to be whatever you force it to. It has nothing to do with what group the connecting user belongs to.


vishesh kumar wrote:
I am also facing the same issue.
Does it mean that we can't specify a secondary group as 'force group' in group?

On 11/5/09, Andrey Zykov <[email protected]> wrote:
Hello!

I tried to configure a Debian Linux file server as a Windows 2003 domain
member using samba with security = ADS mode and got stuck with this problem:

The file server (fs) successfully joined my domain with correct user and
group mapping (I'm using idmap rid). Users from the domain have their unix
accounts with a <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have
local unix user: 'DOMAIN\andrey':

fs:~# id DOMAIN\\andrey
uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)

As you can see, the user has uid=11118, primary group
gid=10513 ('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in
English) and a few supplementary groups.
Now I want to make a share restricted to use by users from one of the
supplementary groups, i.e. 11395(DOMAIN\сотрудники).
I created a directory:

fs:~# ls -l /home/sambashare/ | grep officepub
drwxrwx--- 2 DOMAIN\admin DOMAIN\сотрудники 4096 Окт 26 20:28 officepub

and checked that I can access it locally via ssh:

fs:~# su DOMAIN\\andrey
domain\and...@fs:/root$ cd /home/sambashare/officepub/
domain\and...@fs:/home/sambashare/officepub$ touch file
domain\and...@fs:/home/sambashare/officepub$ rm file

Next I added a share definition in smb.conf with my group in the 'force group'
parameter:
...
[officepub]
        comment = Office Public Share
        path = /home/sambashare/officepub
        force group = +DOMAIN\сотрудники
        read only = No
        browseable = No

restarted samba, tried to access it via smbclient and got the following error:

fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
Enter DOMAIN\andrey's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 61680 blocks available
smb: \>

But at the same time I have a similar working share with restriction by
_primary_ group:

fs:~# id DOMAIN\\andrey
uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
fs:~# ls -l /home/sambashare/ | grep pub
drwxrwx--- 2 DOMAIN\admin DOMAIN\пользователи домена 4096 Ноя 4 00:00 pub
fs:~# su DOMAIN\\andrey
domain\and...@fs:/root$ cd /home/sambashare/pub/
domain\and...@fs:/home/sambashare/pub$ touch file
domain\and...@fs:/home/sambashare/pub$ exit
exit
fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
Enter DOMAIN\andrey's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Thu Nov 5 17:02:01 2009
  ..                                  D        0  Wed Jun 3 18:22:47 2009
  file                                         0  Thu Nov 5 17:02:01 2009

                64000 blocks of size 8192. 28337 blocks available
smb: \>

So I've decided that the problem is in the not working (or
misunderstood?) 'force group' parameter.

What did I do wrong and how do I fix this?

Some technical information:

Distro used: Debian Lenny, kernel  2.6.26-2-amd64
Samba version: 3.2.5-4lenny6
Domain Controller: Windows Server 2003 R2 Enterprise Edition
smb.conf: http://pastebin.ca/1658364
Log file: http://pastebin.ca/1658368

P.S. Sorry for my English :-)

--
Andrey Zykov

e-mail: [email protected]
jabber: [email protected].


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




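The '+' rule quoted from the smb.conf man page at the top of this thread, applied to the `id` output and directory listing from the original post. This is an added example, not code from any poster or from Samba; `GROUP_DB`, the owner uid, the gid for `sys`, and the assumption that the session keeps the user's supplementary groups are constructed for illustration.

```python
import re

# Constructed from the `id` and `ls -l` output quoted in the thread.
ID_OUTPUT = (
    r"uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) "
    r"группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),"
    r"11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)"
)
# Hypothetical name -> gid table standing in for getent/winbind lookups.
# The gid for "sys" is a constructed value.
GROUP_DB = {r"DOMAIN\сотрудники": 11395, r"DOMAIN\пользователи домена": 10513, "sys": 3}
OFFICEPUB = {"owner_uid": 11000, "gid": 11395, "mode": 0o770}  # owner uid is constructed


def parse_id(text):
    """Parse `id` output. Names may contain spaces and labels may be localized,
    so match every number(name) pair instead of splitting on whitespace."""
    pairs = [(int(n), name) for n, name in re.findall(r"(\d+)\(([^)]*)\)", text)]
    (uid, user), (gid, _), *groups = pairs
    return {"uid": uid, "user": user, "gid": gid, "groups": dict(groups)}


def effective_gid(ident, force_group, group_db=GROUP_DB):
    """Primary gid for the share session per the quoted `force group` text."""
    if not force_group:
        return ident["gid"]
    forced = group_db[force_group.lstrip("+")]
    if force_group.startswith("+") and forced not in ident["groups"]:
        return ident["gid"]  # '+' form: non-members keep their own primary group
    return forced


def dir_access(ident, session_gid, d):
    """rwx bits from classic POSIX mode checks (no ACLs, non-root). Assumes the
    session keeps the user's supplementary groups."""
    if ident["uid"] == d["owner_uid"]:
        shift = 6
    elif d["gid"] == session_gid or d["gid"] in ident["groups"]:
        shift = 3
    else:
        shift = 0
    return (d["mode"] >> shift) & 0o7


if __name__ == "__main__":
    who = parse_id(ID_OUTPUT)
    for setting in (None, r"+DOMAIN\сотрудники", "+sys", "sys"):
        gid = effective_gid(who, setting)
        print(setting, gid, oct(dir_access(who, gid, OFFICEPUB)))
```

Under these rules the model grants rwx on officepub for the poster's account, so it shows what the documented behaviour would be, not why the server returned NT_STATUS_NETWORK_ACCESS_DENIED.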