Hi,
We recently deployed the SUSE Enterprise Storage with Ceph filesystem and have been able to export it as SMB shares and connect it to our Windows AD. The permissions work partially. However, when we modify the permissions of the folders within the share to give access to specific User Groups (custom groups) in Windows AD the user of the group is not able to access the folder. The user gets the access denied message though he is part of the user group in AD. The only User group that works is the Built-in Domain Users group. Any help on this would be appreciated.
Assuming that you configured the SMB shares to be provided by the ‘vfs_ceph’ plugin, access will only be granted to members of a user group that have set this user group as their primary group in AD. Due to a bug in the ‘vfs_ceph’ plugin, memberships in supplementary groups (all groups except the primary group) are not considered. By default the AD group ‘Domain Users’ is set as the primary group of an AD user account. Therefore the built-in group ‘Domain Users’ works, which will by default grant access to most if not all AD users.
Setting the primary group of those affected to specific user groups allows access control for the folders of the share.
Alternatively, the Ceph filesystem can be mounted into the filesystem of the Samba Server and be shared as a file system path. This way the access to the folders of the share should work as expected.
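The two share styles contrasted in the reply above, as an added smb.conf sketch that is not part of the original posts. The share names, directory names, CephX user `samba` and mount point `/mnt/cephfs` are assumptions.

```ini
# Constructed smb.conf fragment; share names, paths and the CephX user
# are assumptions, not values from the thread.

# Share served directly through the vfs_ceph module. This is the setup
# in which, per the reply, only the primary group is considered.
[projects-vfs]
    # path is relative to the root of the CephFS, not the local filesystem
    path = /projects
    vfs objects = ceph
    ceph:config_file = /etc/ceph/ceph.conf
    ceph:user_id = samba
    kernel share modes = no
    read only = no

# The same directory with CephFS mounted on the Samba server (assumed
# mount point /mnt/cephfs) and exported as an ordinary filesystem path.
# No vfs_ceph module is loaded for this share.
[projects-path]
    path = /mnt/cephfs/projects
    read only = no
```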