
[Samba] force group does not work


Leander S.

Feb 8, 2014, 4:50:02 AM
Hi

I set up a samba 4.1.4 server on the latest FreeBSD RELEASE 10.
Unfortunately it doesn't seem to consider the option force group. After
hours of research I couldn't figure out what I'm still missing. unix
extensions is set to no. Setting the debug level up to 10 also didn't
help ;(
Is this a bug or is there simply a mistake in my setup?

When
*valid users = @Groupname*
is set, then I don't have access to the share at all anymore.

As funny as it sounds, but
*force user = MyUsername*
is working as expected.


id -Gn MyUsername
MyUsername Groupname

getent group Groupname
Groupname:*:2004:MyUsername,Groupname


# ============= Global ============= #

[global]

# Basic server settings
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = FILESERVER
server role = standalone server

# Password backend
passdb backend = samba_dsdb

# DNS
dns forwarder = 10.0.0.1

# Logging
log level = 2
max log size = 5000

# Charset
unix charset = UTF-8
dos charset = cp1252

# Enable NTLMv2
ntlm auth = No
lanman auth = No
client ntlmv2 auth = Yes

# Printing
load printers = No
printing = BSD
printcap name = /dev/null

# Default masks
unix extensions = No
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770

# Miscellaneous
veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt


# ============= Shares ============= #

[MyShare]
comment = NAS
path = /mnt/MyShare
guest ok = No
read only = No
valid users = @Groupname
forece user = MyUsername
force group = Groupname







Any help would be greatly appreciated ;)

Best Regards
L.


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Feb 8, 2014, 1:50:01 PM
lose these for now:
> create mask = 0770
> force create mode = 0770
> directory mask = 0770
> force directory mode = 0770
>

> # Miscellaneous
> veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt
>
>
> # ============= Shares ============= #
>
> [MyShare]
> comment = NAS
> path = /mnt/MyShare
> guest ok = No
> read only = No
> valid users = @Groupname
> forece user = MyUsername
> force group = Groupname
>
>
>
>
>
>
>
> Any help would be greatly appreciated ;)
>
> Best Regards
> L.
>
>

change this:
force user = MyUsername
and go for something like:
chgrp Groupname /mnt/MyShare
chmod g+s /mnt/MyShare
maybe?
Steve

Michael Brown

Feb 8, 2014, 2:20:01 PM
I couldn't get "valid users = @group" to work at all, but that was on a DC and I figured it was just not supported yet. Is that happening on a non-DC?

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Leander S.
Sent: Saturday, February 8, 2014 04:44
To: sa...@lists.samba.org
Reply To: Leander S.
Subject: [Samba] force group does not work

steve

Feb 8, 2014, 3:40:01 PM
On Sat, 2014-02-08 at 14:17 -0500, Michael Brown wrote:
> Is that happening on a non-DC?

The OP has posted his smb.conf
HTH
Steve

Leander S.

Feb 9, 2014, 6:00:01 AM
Hi

Thanks for your input, but this isn't really a workaround ;/
At the end of the day, I want to give each share its own

valid users = @Groupname
force user = Username(=Groupname)
force group = Groupname

This makes permission management way easier, since users could just be
added or removed from the Groupname in order to get permission on the
share.

Also I don't need a cronjob, which sooner or later kills my HDDs, doing
a periodic chmod -R and chown -R over all files. (This is anyway not a
professional solution in my opinion)


My question is more likely: What am I missing in my config to make my
setup work? Am I using the wrong syntax at some place, or what? This is
quite frustrating ;)




On 08.02.14 19:43, steve wrote:

Leander S.

Feb 9, 2014, 6:20:02 AM
On 09.02.14 11:56, Leander S. wrote:
valid users = admin
force user = admin
force group = @admin

Results in:

*smbclient -U admin \\\\HOSTNAME-01\\DOMAIN <password>*
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.4]
tree connect failed: NT_STATUS_NO_SUCH_GROUP


Yet it exists and is member of:

*id -Gn admin*
admin wheel

*getent group admin*
admin:*:1001


*BUT:*


*wbinfo -u*
HOSTNAME-01\HOSTNAME-01$
HOSTNAME-01\administrator
HOSTNAME-01\krbtgt
HOSTNAME-01\guest
HOSTNAME-01\admin

*wbinfo -g*
HOSTNAME-01\read-only domain controllers
HOSTNAME-01\group policy creator owners
HOSTNAME-01\domain controllers
HOSTNAME-01\domain computers
HOSTNAME-01\domain admins
HOSTNAME-01\domain guests
HOSTNAME-01\domain users



# ========================================================= #

While following setup results in a valid login

valid users = admin
force user = admin
force group = admin


BUT

ls -lach /mnt/MyShare
[...]
drwxrwxrwx 2 admin *wheel* 2B Feb 9 12:08 TestFolder
[...]

it seems like it is falling back to wheel, which is just wrong here ;(

Leander S.

Feb 9, 2014, 6:30:02 AM
On 09.02.14 12:11, Leander S. wrote:
Sorry, reading
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FORCEGROUP again
helped a little:


force printername (S)


When printing from Windows NT (or later), each printer in smb.conf
has two associated names which can be used by the client. The first
is the sharename (or shortname) defined in smb.conf. This is the
only printername available for use by Windows 9x clients. The second
name associated with a printer can be seen when browsing to the
"Printers" (or "Printers and Faxes") folder on the Samba server.
This is referred to simply as the printername (not to be confused
with the printer name option).

When assigning a new driver to a printer on a remote Windows
compatible print server such as Samba, the Windows client will
rename the printer to match the driver name just uploaded. This can
result in confusion for users when multiple printers are bound to
the same driver. To prevent Samba from allowing the printer's
printername to differ from the sharename defined in smb.conf, set
force printername = yes.

Be aware that enabling this parameter may affect migrating printers
from a Windows server to Samba since Windows has no way to force the
sharename and printername to match.

It is recommended that this parameter's value not be changed once
the printer is in use by clients as this could cause a user not be
able to delete printer connections from their local Printers folder.

Default: force printername = no



So I changed it to:

valid users = admin
force user = admin
force group = +admin


and now I see following error:


Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.4]
tree connect failed: NT_STATUS_MEMBER_NOT_IN_GROUP


But admin is in group admin ... so f****** what?
Where does Samba lookup those groups, that it is incapable of finding them?!

Jonathan Buzzard

Feb 9, 2014, 9:00:04 AM
On 08/02/14 09:35, Leander S. wrote:
> Hi
>
> I set up a samba 4.1.4 server on the latest FreeBSD RELEASE 10.
> Unfortunately it doesn't seem to consider the option force group. After
> hours of research I couldn't figure out what I'm still missing. unix
> extensions is set to no. Setting the debug level up to 10 also didn't
> help ;(
> Is this a bug or is there simply a mistake in my setup?
>

You don't say what your clients are? In my experience the number one
reason force group does not work is because you have Mac OSX clients and
unix extensions enabled.


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

Leander S.

Feb 9, 2014, 12:30:02 PM
On 09.02.14 14:47, Jonathan Buzzard wrote:
> On 08/02/14 09:35, Leander S. wrote:
>> Hi
>>
>> I set up a samba 4.1.4 server on the latest FreeBSD RELEASE 10.
>> Unfortunately it doesn't seem to consider the option force group. After
>> hours of research I couldn't figure out what I'm still missing. unix
>> extensions is set to no. Setting the debug level up to 10 also didn't
>> help ;(
>> Is this a bug or is there simply a mistake in my setup?
>>
>
> You don't say what your clients are? In my experience the number one
> reason force group does not work is because you have Mac OSX clients
> and unix extensions enabled.
>
>
> JAB.
>
Hi JAB,

thanks for your input. I've tried it via

* smbclient -U MyUser \\\\${SERVERNAME,,}\\MyShare <password>
* as well as I tried it with my MacOSX client
* as well as I tried it with my Windows7 client

unfortunately all results in the same.
A couple of posts before, I've published my smb4.conf. I've already set
'unix extensions' to 'No', otherwise

create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770

will also be ignored.

Thomas Bork

Feb 10, 2014, 12:30:01 PM
On 08.02.2014 10:35, Leander S. wrote:

> When
> *valid users = @Groupname*
> is set, then I don't have access to the share at all anymore.

Due to an open bug the forced user must be included in 'valid users'.
This bug breaks many setups and your question will not be the last
question about it:

https://bugzilla.samba.org/show_bug.cgi?id=9878

> [MyShare]
> comment = NAS
> path = /mnt/MyShare
> guest ok = No
> read only = No
> valid users = @Groupname
> forece user = MyUsername
^^^^^^

And this is a typo (forece != force).

--
der tom
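
The two problems pointed out in the reply above (the misspelled `forece user` key and a forced user that is not included in `valid users`) can be caught before a share goes live. The following is an added example, not part of the original thread and not Samba's own code; the `KNOWN` parameter set is a deliberately small subset, the function names are hypothetical, and the check assumes "included" means an explicit username entry in `valid users`.

```python
import difflib

# Small subset of smb.conf share parameters, enough for the share in this thread.
KNOWN = {"comment", "path", "guest ok", "read only", "valid users",
         "force user", "force group", "create mask", "directory mask"}

def parse_shares(text):
    """Return {section: {param: value}}; names lower-cased, whitespace collapsed."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def lint(text):
    """Flag misspelled parameters and a forced user missing from valid users."""
    findings = []
    for name, params in parse_shares(text).items():
        for key in params:
            if key not in KNOWN:
                near = difflib.get_close_matches(key, KNOWN, n=1, cutoff=0.8)
                hint = f" (did you mean '{near[0]}'?)" if near else ""
                findings.append(f"[{name}] unknown parameter '{key}'{hint}")
        forced = params.get("force user")
        valid = params.get("valid users", "").replace(",", " ").split()
        if forced and valid and forced not in valid:
            findings.append(f"[{name}] force user '{forced}' is not listed in valid users")
    return findings

# Constructed sample: the share from the first post, then two corrected variants.
ORIGINAL = """[MyShare]
path = /mnt/MyShare
valid users = @Groupname
forece user = MyUsername
force group = Groupname
"""
TYPO_FIXED = ORIGINAL.replace("forece", "force")
WORKAROUND = TYPO_FIXED.replace("@Groupname", "@Groupname MyUsername")

if __name__ == "__main__":
    for label, conf in [("original", ORIGINAL), ("typo fixed", TYPO_FIXED), ("workaround", WORKAROUND)]:
        print(label, lint(conf) or "no findings")
```

Note that the original share only reports the typo: because `forece user` is not a recognized parameter, no user is forced at all, which hides the `valid users` problem until the spelling is corrected.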

Jeremy Allison

Feb 10, 2014, 12:40:03 PM
On Mon, Feb 10, 2014 at 06:23:24PM +0100, Thomas Bork wrote:
> On 08.02.2014 10:35, Leander S. wrote:
>
> >When
> >*valid users = @Groupname*
> >is set, then I don't have access to the share at all anymore.
>
> Due to an open bug the forced user must be included in 'valid users'.
> This bug breaks many setups and your question will not be the last
> question about it:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9878

On my list of things to fix. I know what the
problem is, the patch however might be a little
harder :-).

Jeremy.