Give a local (Linux) user the right to write into an SMB (ibay) shared folder

NS 7.6

I have a process which runs as its own local user. I’d like to give it the right to write into an ibay (Samba share), but that one is owned by a group managed by NethServer (AD).

Is it possible to add a local user to an AD group ?

If not, how would I do that ?

Thanks

Matthieu

No, AD group members can be only AD users

Change the user under which the service process runs?

Thanks, I’ll try.

Worked after dealing with various home directory issues :slight_smile:

1 Like

Just out of curiosity: what (kind of) application is it?

transmission.

1 Like

It could be a common use case… :thinking:

An alternative approach could be to self-mount the SMB share with AD credentials somewhere and map the mount permissions to the local user.

 mount -t cifs ...

Maybe not ideal for intensive disk apps, but might fit the bill…

Does anybody want to play with it and try to write down a #howto? /cc @dev_team

I have this note (from assistance):

setfacl -R -m u:USERNAME:rwx /var/lib/nethserver/ibay/IBAYNAME

Please note that this isn’t a permanent setting: if you make any modification to the ibay via the dashboard, you then have to run the command described above again.

Try it at your risk :slight_smile:

2 Likes
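Since the ACL set by the `setfacl` note above is lost when the ibay is modified in the dashboard, a check on `getfacl` output can tell when it has to be reapplied. This is an added example, not part of the original posts or of NethServer; the function names, the user name `transmission` and the sample `getfacl` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: effective rights of a named user in `getfacl` output.
# POSIX ACL rule: effective rights = named-user entry AND mask entry.

# acl_effective USER: reads getfacl text on stdin; prints e.g. "rwx", "r-x",
# or "none" when the access ACL has no entry for USER.
acl_effective() {
    awk -F: -v user="$1" '
        /^#/ || /^default:/ { next }           # skip header and default entries
        $1 == "user" && $2 == user { perm = $3 }
        $1 == "mask"               { mask = $3 }
        END {
            sub(/[ \t].*/, "", perm)           # drop trailing "#effective" note
            sub(/[ \t].*/, "", mask)
            if (perm == "") { print "none"; exit }
            if (mask == "") mask = "rwx"       # no mask entry: nothing is masked
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1)
                c = (p != "-" && p == substr(mask, i, 1)) ? p : "-"
                out = out c
            }
            print out
        }'
}

# Constructed samples (not captured from a real server).
sample_after_setfacl() {
    printf '%s\n' '# file: var/lib/nethserver/ibay/IBAYNAME' '# owner: root' \
        'user::rwx' 'user:transmission:rwx' 'group::rwx' 'mask::rwx' 'other::---'
}
sample_after_dashboard_edit() {   # assumed: the named-user entry is gone
    printf '%s\n' '# file: var/lib/nethserver/ibay/IBAYNAME' '# owner: root' \
        'user::rwx' 'group::rwx' 'other::---'
}
sample_masked() {                 # entry present, but the mask removes write
    printf '%s\t%s\n' 'user:transmission:rwx' '#effective:r-x'
    printf '%s\n' 'mask::r-x'
}

# Demo over the constructed samples.
for s in sample_after_setfacl sample_after_dashboard_edit sample_masked; do
    printf '%-28s %s\n' "$s" "$("$s" | acl_effective transmission)"
done
```

On a real server the input would come from `getfacl /var/lib/nethserver/ibay/IBAYNAME`; any result other than `rwx` means the user can no longer write and the `setfacl` command has to be run again.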

Maybe you could share the complete solution, so we would know what to do for others… Thanks in advance.

Quite easy. I created a transmission service account in NS. Had to give it Domain Admin rights. I also added it to a group that has rights to access the SAMBA share.

Then I edited the systemd transmission-daemon.service file and changed the user from transmission to transmission@mydomain.tld

Lastly I discovered that the home directory had changed and that I needed to copy the file settings.json from the old home folder /var/lib/transmission/.config/transmission-daemon/ to /var/lib/nethserver/home/transmission/.config/transmission-daemon/

After that everything worked as I wished: the process may now write directly into the Samba share and I’m able to manipulate files from a client through the SMB interface. The main reason is that I need the files to stay on the server for my plex media server instance. I similarly created a plex@domain.tld account that has the same rights so that both processes can access the samba shared folder where plex’s library is stored.

Does it make sense ?

Why? What happens otherwise?

thanks @saitobenkei clever but as you probably understood I needed a permanent solution :slight_smile:

@davidep clever as well, if not elegant :slight_smile: However I believe my solution is better since it uses standard NS functions (easier to maintain and backup / restore).

Process doesn’t start. I probably should investigate more :slight_smile:

1 Like

Yes, you have to! Being a member of “domain admins” grants you almost root privileges: it’s a security issue…

1 Like

You’re completely right of course :slight_smile: However, I was wrong: I just checked and the user belongs only to the “multimedia” group I created for plex and transmission. :sweat_smile:

1 Like