List:       samba
Subject:    Re: [Samba] Using Force Group with AD Group
From:       Rowland Penny via samba <samba () lists ! samba ! org>
Date:       2022-09-26 7:06:02
Message-ID: 5a069169-74d1-67d9-aadc-d901bcdb2258 () samba ! org

On 26/09/2022 07:32, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
> 
> force group = DOMAIN\Domain Group
> 
> Each operation on this share will now behave as if the connecting user
> has this group. So no more group-based ACL. If you want to share certain
> folders via group-permission - this gives everybody the group (even
> those that do not have them in the AD) and gives them access or denies
> it to them. Even more so this group will be the primary group of the
> user during the connection.
> 
> So everybody can access this share now because it behaves as if the user
> has this group.
> 
> force group = +DOMAIN\Domain Group
> 
> If the connecting user has this group (either directly or inherited) it
> will set this to be their _primary_ group -- it does not add any group
> to any user at all. It just changes the primary group.
> 
> All ACL-checks still work! New files and directories are created with
> this group, so other people accessing the share can open them (if you're
> using group-based permissions).

If you use the acl_xattr VFS object, then you shouldn't use 'force 
group' etc, you should use Windows access control lists (ACL) instead.

Rowland
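
Added example (not part of the original thread and not Samba project code): a Python check that flags shares in an smb.conf where `force group` is set without the `+` prefix, which per the quoted explanation gives every connecting user the group, or where it is combined with the acl_xattr VFS object, which the reply advises against. The sample configuration, share names, paths and finding labels are constructed for illustration.

```python
import configparser

# Constructed sample smb.conf; share names and paths are made up.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = DOMAIN
security = ads

[open_to_all]
path = /srv/samba/open
force group = DOMAIN\Domain Group

[primary_only]
path = /srv/samba/team
force group = +DOMAIN\Domain Group

[windows_acls]
path = /srv/samba/acl
vfs objects = acl_xattr
force group = +DOMAIN\Domain Group
"""

def audit_force_group(conf_text):
    """Return (share, finding) tuples for risky 'force group' settings."""
    # RawConfigParser: no interpolation, so smb.conf macros like %U are safe.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    global_opts = {}
    for name in cp.sections():
        if name.lower() == "global":
            global_opts = dict(cp.items(name))
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        # Share settings override [global] defaults.
        opts = {**global_opts, **dict(cp.items(share))}
        # 'group' is a synonym of 'force group', 'vfs object' of 'vfs objects'.
        group = opts.get("force group") or opts.get("group")
        vfs = (opts.get("vfs objects") or opts.get("vfs object") or "").split()
        if not group:
            continue
        if not group.startswith("+"):
            # Without '+', every connecting user is treated as a group member.
            findings.append((share, "unconditional"))
        if "acl_xattr" in vfs:
            # Windows ACLs are in use; 'force group' should not be.
            findings.append((share, "acl_xattr+force_group"))
    return findings
```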
