Sam A
Members
-
Joined
-
Last visited
Solutions
-
Sam A's post in v6.9.2 upgrade to 6.10 or 6.11 -- Doesn't respect AD group memberships/permissions (Solved) was marked as the answerSolved this problem (at least for myself - YMMV).. Solution was rather silly; I'm still curious what changed between 6.9.2 and now 6.11.1 (I'm guessing Samba related, and the update to Unraid carried it over)..
However, what I did was change the initial group in the SMB settings to be the default value of "Domain Users" (originally had it set as Domain Admins) -- You could probably use some other group that would be considered least-privilege (but includes all users that need access to the share - both RW and RO).. Then, SSH'd back into the Unraid server as root, cd /mnt/user and ran the following commands to reset all permissions:
chgrp -Rc "Domain Users" * && chown -R Administrator *
Once that command finished running, I connected as the domain administrator and re-wrote the permission from there; Included Domain Users which by default had "Full control" I change that to read only, and set the permissions to replace all child permissions. Seems to have done the trick. I didn't intend for Domain Users to be "read only" but it works for my use-case. I'll keep my "read-only" group as well... The reason I chose to go with "Domain Users" as the initial owner over the other RO specific group was that I didn't want to nest-groups; because of this new 'feature' (read: limitation) by setting the initial owner to by the Read Only group, I would also need to nest the RW/Read Write group inside the Read Only group so that they also had access to the share. While that works (verified/tested on my secondary/backup server) I didn't like the way it looked and it triggered my OCD a little.
TLDR; It seems like the "initial" is really "Share" permissions. So at a minimum, the initial group needs to include all users that may possibility access the share; set your permissions for this group to be the most restrictive (RO), and then you're able to open up permissions via other groups...
Someone can correct me if I'm misunderstanding or communicating this. -- I just spent a few hours churning at it so I could be wrong. But it's back working as expected. RO users == Read only, and Read Write users basically have full control. All users can now access the share regardless of their group permissions since they're a member of Domain Users.