Ldap – How to force folders created in a subdirectory to be owned by a user’s secondary group

ldappermissionssamba

I have setup a Samba share on Ubuntu 12.04 for our finance team, and they access it via Windows 7 and Mac OS X. They mount the share using their LDAP credentials. All of our LDAP users have "employees" as their primary group, and the finance team belongs to a secondary group named "finance".

When any of the finance team members create a folder within the Samba share, the folder's group defaults to "employees". How can I force all files and folders created on the share to have the group set to "finance"?

Best Answer

For share foo, with path /bar/foo, the following in your smb.conf file should do it:

[foo]
        path = /bar/foo
        force create mode = 0020
        force directory mode = 0030
        force group = +finance

The mode statements are to ensure that all directories and files created via samba are group-writeable: it's no good just being group-owned by the right group if that group has no privileges to do anything.

Related Solutions

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Linux – How does LDAP handle supplementary/secondary user groups

LDAP is just a directory of information. How that information gets stored and retrieved is up to the application. In this case, posix users and groups are modeled after the /etc/passwd and /etc/group files. Each user entry lists the gid for its primary group. Each group lists all of its members(usually less the ones listing it as their primary group).

Samba and the various nss plugins to store user and group info in LDAP all do a search to find the groups a user is a member of at log in. The memberUid attribute should be indexed to make group membership searches fast. For a given user account, the search filter is something like:

(&(objectclass=posixGroup)(memberUid=$user))

If you wanted to see the users in a particular group, you could search with:

(&(objectclass=posixGroup)(cn=$group))

This assumes that all of your groups are of the posixGroup objectClass.

Best Answer

Related Solutions

Samba Permissions – I’m going to throw it!

Linux – How does LDAP handle supplementary/secondary user groups

Related Topic