I have a samba 4.4.3 file server set up as AD domain member.
My current smb.conf file is:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ROOT
security = ADS
encrypt passwords = yes
idmap config *:backend =tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 80000 - 1234567890123456
winbind trusted domains only =no
winbind enum users = yes
winbind enum groups = yes
domain master = no
local master = no
map untrusted to domain = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
dns proxy = no
log level = 10
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
template shell = /bin/bash
template homedir = /home/%D/%U
client use spnego = yes
read only = yes
create mask = 0700
directory mask = 0700
[rw]
path = /srv/rw
writable = yes
guest ok = no
force user = share
force group = share
valid users=
allow hosts =
deny hosts =
As you can see, i used "force user" and "force group" options so that every user in domain is mapped to share:share.
Now the security model changed, i would like to map a domain user to share:share only if the domain user is in "shareWriteAccess" (domain) group, and to ro:ro if not. Is that possible ?
The goal is to enable some domain users to have a write access on the share, while others will only have read access. I was more confident to use linux file permissions checking for that, so i thought of mapping to 2 different linux users. /srv/rw has permissions 755 share:share, so domain users mapped as ro:ro are effectively "read only". I'm open to another solution though
