Give a local (linux) user the right to write into a SMB (ibay) shared folder

samba
accounts-provider

(Matthieu Gaillet) #1

NS 7.6

I’ve a process which runs as its own local user. I’d like to give it the right to write into an ibay (Samba share), but that one is owned by a group managed by nethserver (AD).

Is it possible to add a local user to an AD group?

If not, how would I do that?

Thanks

Matthieu


(Davide Principi) #2

No, AD group members can only be AD users.

Change the user under which the service process runs?


(Matthieu Gaillet) #3

Thanks, I’ll try.


(Matthieu Gaillet) #4

Worked after dealing with various home directory issues :slight_smile:


(Davide Principi) #5

Just out of curiosity: what (kind of) application is it?


(Matthieu Gaillet) #6

transmission.


(Davide Principi) #7

It could be a common use case… :thinking:

An alternative approach could be to self-mount the SMB share with AD credentials somewhere and map the mount permissions to the local user:

 mount -t cifs ...

Maybe not ideal for intensive disk apps, but might fit the bill…

Anybody want to play with it and try to write down a #howto? /cc @dev_team


(Saito Benkei) #8

I have this note (from assistance):

setfacl -R -m u:USERNAME:rwx /var/lib/nethserver/ibay/IBAYNAME

Please note that this isn’t a permanent setting: if you make any modification to the ibay via the dashboard, you then have to run the command described above again.

Try it at your risk :slight_smile:


(Stéphane de Labrusse) #9

Maybe you could share the complete solution, so we know what to do for others… Thanks in advance.


(Matthieu Gaillet) #10

Quite easy. I created a transmission service account in NS. Had to give him Domain Admin rights. I also added it to a group that has rights to access the SAMBA share.

Then I edited the systemd transmission-daemon.service file and changed the user from transmission to transmission@mydomain.tld.

Lastly I discovered that the home directory had changed and that I needed to copy the file settings.json from the old home folder /var/lib/transmission/.config/transmission-daemon/ to /var/lib/nethserver/home/transmission/.config/transmission-daemon/.

After that everything worked as I wished: the process may now write directly into the Samba share and I’m able to manipulate files from a client through the SMB interface. The main reason is that I need the files to stay on the server for my plex media server instance. I similarly created a plex@domain.tld account that has the same rights so that both processes can access the samba shared folder where plex’s library is stored.

Does it make sense?


(Davide Principi) #11

Why? What happens otherwise?


(Matthieu Gaillet) #12

Thanks @saitobenkei, clever, but as you probably understood I needed a permanent solution :slight_smile:

@davidep, clever as well, if not elegant :slight_smile: However I believe my solution is better since it uses standard NS functions (easier to maintain and backup / restore).


(Matthieu Gaillet) #13

Process doesn’t start. I probably should investigate more :slight_smile:


(Davide Principi) #14

Yes, you have to! Being a member of “domain admins” grants you almost root privileges: it’s a security issue…


(Matthieu Gaillet) #15

You’re completely right of course :slight_smile: However, I was wrong: I just checked and the user belongs only to the “multimedia” group I created for plex and transmission. :sweat_smile:
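The approach from post #10 (running the daemon as the domain account) combined with the membership check post #14 asks for, as an added shell example that is not from the thread or from NethServer itself. It assumes the account name transmission@mydomain.tld, the unit transmission-daemon.service and a drop-in path of its own choosing; it uses a systemd drop-in rather than editing the packaged unit file, so the override survives package upgrades.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the domain service
# account, the unit name and the drop-in file name are all placeholders.
set -eu

SVC_USER="${SVC_USER:-transmission@mydomain.tld}"    # assumed account name
UNIT="${UNIT:-transmission-daemon.service}"          # assumed unit name

# Render a drop-in that overrides only User= for the service, leaving the
# distribution's unit file untouched.
render_dropin() {
    printf '[Service]\nUser=%s\n' "$1"
}

# Write the drop-in to /etc/systemd/system/<unit>.d/ and reload systemd
# (requires root). The daemon must be restarted afterwards.
install_dropin() {
    dir="/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    render_dropin "$SVC_USER" > "$dir/10-user.conf"   # assumed file name
    systemctl daemon-reload
}

# Given one line of `id <user>` output, succeed only when the account is
# NOT a member of "Domain Admins" (near-root on the server, see post #14).
groups_ok() {
    case "$1" in
        *"domain admins"*|*"Domain Admins"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve a live account through the AD accounts provider and run the check.
check_account() {
    out="$(id "$1" 2>/dev/null)" || { echo "no such account: $1" >&2; return 2; }
    groups_ok "$out"
}
```

Run `check_account "$SVC_USER"` before `install_dropin`; a non-zero exit means the account still carries Domain Admins and should be moved to a plain group such as the “multimedia” one from post #15.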