problem with force group parameter

Hello!

I tried to configure Debian Linux file server as Windows 2003 domain member using samba with security = ADS mode and got stuck with such problem:

File server (fs) successfully joined my domain with correct user and group mapping (I'm using idmap rid). Users from domain have their unix accounts with <DOMAIN_NAME>\ prefix, i.e. for domain user "andrey" I have local unix user: 'DOMAIN\andrey':

    fs:~# id DOMAIN\\andrey
    uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)

As you can see, user has uid=11118, primary group gid=10513 ('DOMAIN\пользователи домена' - 'DOMAIN\domain users' in English) and a few supplementary groups.
Now I want to make a share restricted to use by users from one of the supplementary groups, i.e. 11395(DOMAIN\сотрудники).
I created a directory:

    fs:~# ls -l /home/sambashare/ | grep officepub
    drwxrwx--- 2 DOMAIN\admin DOMAIN\сотрудники 4096 Окт 26 20:28 officepub

and checked that I can access it locally via ssh:

    fs:~# su DOMAIN\\andrey
    DOMAIN\andrey@fs:/root$ cd /home/sambashare/officepub/
    DOMAIN\andrey@fs:/home/sambashare/officepub$ touch file
    DOMAIN\andrey@fs:/home/sambashare/officepub$ rm file

Next I added share definition in smb.conf with my group in 'force group' parameter:

    ...
    [officepub]
    comment = Office Public Share
    path = /home/sambashare/officepub
    force group = +DOMAIN\сотрудники
    read only = No
    browseable = No

restarted samba, tried to access it via smbclient and got the following error:

    fs:~# smbclient '\\fs\officepub' -U DOMAIN\\andrey
    Enter DOMAIN\andrey's password:
    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
    smb: \> ls
    NT_STATUS_NETWORK_ACCESS_DENIED listing \*

    0 blocks of size 0. 61680 blocks available
    smb: \>

But at the same time I have a similar working share with restriction by _primary_ group:

    fs:~# id DOMAIN\\andrey
    uid=11118(DOMAIN\andrey) gid=10513(DOMAIN\пользователи домена) группы=10513(DOMAIN\пользователи домена),10512(DOMAIN\администраторы домена),11395(DOMAIN\сотрудники),10001(BUILTIN\users),10000(BUILTIN\administrators)
    fs:~# ls -l /home/sambashare/ | grep pub
    drwxrwx--- 2 DOMAIN\admin DOMAIN\пользователи домена 4096 Ноя 4 00:00 pub
    fs:~# su DOMAIN\\andrey
    DOMAIN\andrey@fs:/root$ cd /home/sambashare/pub/
    DOMAIN\andrey@fs:/home/sambashare/pub$ touch file
    DOMAIN\andrey@fs:/home/sambashare/pub$ exit
    exit
    fs:~# smbclient '\\fs\pub' -U DOMAIN\\andrey
    Enter DOMAIN\andrey's password:
    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
    smb: \> ls
    .       D    0  Thu Nov 5 17:02:01 2009
    ..      D    0  Wed Jun 3 18:22:47 2009
    file         0  Thu Nov 5 17:02:01 2009

    64000 blocks of size 8192. 28337 blocks available
    smb: \>

So I've decided that problem is in the not working (or misunderstood?) 'force group' parameter.

What did I do wrong and how to fix this?

Some technical information:

Distro used: Debian Lenny, kernel 2.6.26-2-amd64
Samba version: 3.2.5-4lenny6
Domain Controller: Windows Server 2003 R2 Enterprise Edition
smb.conf: http://pastebin.ca/1658364
Log file: http://pastebin.ca/1658368

P.S. Sorry for my English :-)

--
Andrey Zykov

e-mail: andrey@...
jabber: zblk@....

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: problem with force group parameter

I am also facing the same issue.
Does it mean that we can't specify a secondary group as 'force group' in group?

On 11/5/09, Andrey Zykov <andrey@...> wrote:
> So I've decided that problem is in the not working (or
> misunderstood?) 'force group' parameter.
>
> What did I do wrong and how to fix this?

Re: problem with force group parameter

Force group forces the Unix group to be whatever you force it to. It has nothing to do with what group the connecting user belongs to.

vishesh kumar wrote:
> I am also facing the same issue.
> Does it mean that we can't specify a secondary group as 'force group' in group?

Re: problem with force group parameter

But what about this:

"In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group."

http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FORCEGROUP

Gary Dale wrote:
> Force group forces the Unix group to be whatever you force it to. It
> has nothing to do with what group the connecting user belongs to.

--
Andrey Zykov

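The '+' rule in the man page excerpt above, next to the plain form Gary Dale describes, as a small Python model of which permission bits each setting leaves a user on the officepub directory. This is an added example, not Samba code and not something posted in the thread; the `outsider` account and the admin uid are constructed, and the model only follows the quoted documentation, so it does not explain the NT_STATUS_NETWORK_ACCESS_DENIED result.

```python
# Added illustration: a model of the documented 'force group' rules, not Samba code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: int
    gid: int              # ordinary primary group
    groups: frozenset     # supplementary groups

def effective_gid(user, force_group, name_to_gid):
    """Primary gid used for the share connection under a 'force group' value."""
    if not force_group:
        return user.gid
    plus = force_group.startswith("+")
    gid = name_to_gid[force_group.lstrip("+")]
    if plus and gid != user.gid and gid not in user.groups:
        return user.gid   # '+': non-members retain their ordinary primary group
    return gid            # plain form, or '+' with a member: the group is forced

def dir_access(user, force_group, name_to_gid, owner, group, mode):
    """Return the rwx bits (0-7) that classic Unix permission checks grant."""
    gid = effective_gid(user, force_group, name_to_gid)
    if user.uid == owner:
        return (mode >> 6) & 7
    if group == gid or group in user.groups:
        return (mode >> 3) & 7
    return mode & 7

# Values from the post: officepub is drwxrwx--- admin:сотрудники (gid 11395).
GIDS = {"DOMAIN\\сотрудники": 11395}
ADMIN_UID = 11000         # constructed: the post does not show the admin uid
andrey = User(11118, 10513, frozenset({10513, 10512, 11395, 10001, 10000}))
outsider = User(11200, 10513, frozenset({10513}))   # constructed non-member

def officepub(user, force_group):
    """Bits granted on /home/sambashare/officepub for the given setting."""
    return dir_access(user, force_group, GIDS, ADMIN_UID, 11395, 0o770)

if __name__ == "__main__":
    settings = [("unset", None), ("plain", "DOMAIN\\сотрудники"),
                ("plus", "+DOMAIN\\сотрудники")]
    for label, fg in settings:
        print(label, "member:", officepub(andrey, fg),
              "non-member:", officepub(outsider, fg))
```

Under this model the plain form hands a non-member the directory's group bits, while the '+' form leaves a non-member with the "other" bits only, so the directory mode still decides access.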