[Samba] using Windows AD unwanted Group rights get applied to new Files
Rowland Penny
rpenny at samba.org
Fri Aug 10 13:57:32 UTC 2018
On Fri, 10 Aug 2018 14:32:01 +0100
"miguel medalha" <medalist at sapo.pt> wrote:
> > >having a particular group
> > > set as "Primary group"
>
> > How are you setting the 'primary group'?
>
> The 'primary group' had been set a long time ago, when the system was
> created. It had been set with ADUC, under the "Member of" tab, as
> told before.
Yes, but that shouldn't change the 'primaryGroupID' attribute.
>
> > By default all AD users (aka windows users) are members of the
> > 'Domain Users' group even though they do not appear in the 'Domain
> > Users' AD object.
>
> Yes, of course. That's not the point.
No, it's the very point.
>
> > > and I created a new file and a new folder
> > > inside a share. Looking at it on the security tab, I can see that
> > > the "Domain Users" group is not in the list of permissions. I
> > > logged out.
>
> > Have you done something strange like changing the contents of the
> > users
> 'primaryGroupID' attribute ?
> > >
> > > As Administrator, using ADUC, in the "Member of" tab I changed the
> > > primary group of the same user to the "Domain users" default.
>
> > Yep, it sounds like you have.
>
> >
> > > I logged on again as the same regular user and I created a new
> > > file and a new folder inside the same share. Looking at the
> > > "Security" tab, I see that the "Domain users" group is now there,
> > > with advanced permissions of "Full Control, This object only" and
> > > "Full Control, This folder only".
> > >
> > > Resetting the user's primary group to its original group restores
> > > the intended behavior, the "Domain Users" is no longer present in
> > > newly created files or folders.
>
> > No, this is not the intended behaviour, it might be your intended
> > behavior, but it isn't Windows.
>
> It is also the behavior intended by the OP. Shouldn't a folder
> inherit the permissions of its parent when inheritance is on? If so,
> why does the group "Domain users" appear there with "Full control"
> permissions when it is not present in the parent folder?
>
>
> > All the 'rid' backend does is calculate the user & group ID's from
> > their 'RID'.
>
> Yes, I know, but one of your previous posts seems to imply that the
> behavior the OP wants is not possible unless you use the AD backend
> or a convoluted workaround. You also stated that changing the
> "primary group" would be ignored, which isn't. I thought it would be
> helpful to actually test it... I found the problem the OP complained
> about somewhat strange because I had never met it, and I had never
> met it because all my users had their primary group set to the
> intended group from the beginning, some years ago.
>
>
What does 'getent passwd ausername' return on a Unix domain member ?
It should return something like this:
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
The first '10000' is the user's uidNumber and the second is the
gidNumber for 'Domain Users'.
Rowland
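An added example (not code from the thread or from the Samba project) of the check Rowland is asking for: parse the line `getent passwd ausername` prints on a Unix domain member, compute the gidNumber that the 'rid' idmap backend would assign to 'Domain Users' (well-known RID 513, mapped as `ID = RID - BASE_RID + LOW_RANGE_ID`, the documented idmap_rid formula), and report whether each user's gidNumber actually points at 'Domain Users'. The sample passwd lines, the range 10000-999999 and the user RIDs are constructed for the example; with the 'ad' backend the gidNumber comes straight from the user's AD attributes instead, so pass the real 'Domain Users' gidNumber in that case.

```python
"""Audit which AD users on a Samba domain member have 'Domain Users' as primary group.

Added example for the thread above; it is not Samba's own code. It parses
getent(1)-style passwd records and applies the idmap_rid mapping formula.
"""

DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users' in every AD domain

# Constructed sample output, in the shape 'getent passwd ausername' prints on a
# domain member using 'idmap config SAMDOM : backend = rid' with range 10000-999999.
# alice (RID 1105) still has 'Domain Users' as primary group; bob (RID 1106) had
# his primary group changed to a custom group (RID 1201), as in the OP's scenario.
SAMPLE_PASSWD_LINES = [
    "alice:*:11105:10513:Alice Example:/home/alice:/bin/bash",
    "bob:*:11106:11201:Bob Example:/home/bob:/bin/bash",
]


def parse_passwd_line(line: str) -> dict:
    """Split one passwd(5) record into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, _password, uid, gid, gecos, home, shell = fields
    return {
        "name": name,
        "uidNumber": int(uid),
        "gidNumber": int(gid),
        "gecos": gecos,
        "home": home,
        "shell": shell,
    }


def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> int:
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    'low'/'high' are the smb.conf 'idmap config DOM : range = low-high' values;
    base_rid defaults to 0 as in idmap_rid. IDs outside the range are rejected,
    because Samba would refuse to map such a RID at all.
    """
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside range {low}-{high}")
    return unix_id


def audit_primary_groups(lines, domain_users_gid: int) -> list:
    """Return (name, gidNumber, is_domain_users) for each passwd record.

    A False entry means the user's primary group is not 'Domain Users', which
    is what makes that other group (not 'Domain Users') the owning group of
    files the user creates on the share.
    """
    report = []
    for line in lines:
        rec = parse_passwd_line(line)
        report.append((rec["name"], rec["gidNumber"], rec["gidNumber"] == domain_users_gid))
    return report


def audit_rid_member(lines, low: int, high: int) -> list:
    """Convenience wrapper for a member using the 'rid' backend."""
    return audit_primary_groups(lines, rid_to_unix_id(DOMAIN_USERS_RID, low, high))


if __name__ == "__main__":
    for name, gid, ok in audit_rid_member(SAMPLE_PASSWD_LINES, 10000, 999999):
        status = "Domain Users" if ok else "NOT Domain Users"
        print(f"{name}: gidNumber={gid} -> primary group is {status}")
```

On a real member, replace the constructed lines with the output of `getent passwd ausername` and the range with the one from your smb.conf; a user reported as "NOT Domain Users" is one whose primaryGroupID no longer points at RID 513.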