[Samba] unix_primary_group not used when writing files

Rowland Penny rpenny at samba.org
Thu Aug 18 09:24:57 UTC 2022


On Thu, 2022-08-18 at 10:00 +0100, Matthew Richardson via samba wrote:
> Hi,
> 
> Thanks for the extra info.
> > > However, even with this setting and having restarted samba etc., the
> > > files are still group 'domain user'.
> > 
> > Yes, and this IS correct and the default..
> > I recommend NOT to change it.. and you really must..
> > Change primaryGroupID in the AD, but really, use ACLs..
> 
> This doesn't seem to agree with what the Samba wiki docs say:
> 
> https://wiki.samba.org/index.php/Idmap_config_ad
> 
> "There is now a new setting unix_primary_group, this allows you to
> use another group for the user's primary group instead of Domain Users.
> 
> If this is set with unix_primary_group = yes, the user's primary group
> is obtained from the gidNumber attribute found in the user's AD object."
> 
> "Whichever setting you use, do not change the user's primaryGroupID
> attribute, Windows relies on all users being a member of Domain
> Users."

Yes, whatever you do, do not change the primaryGroupID attribute.

> 
> > So what's set as ACL on /home/alice?
> > getfacl /home/alice
> 
> Currently I have it set to being owned by group g_alice:
> 
> $  getfacl /home/alice
> getfacl: Removing leading '/' from absolute path names
> # file: home/alice
> # owner: alice
> # group: g_alice
> user::rwx
> group::r-x
> other::r-x
> 
> I could explicitly set 'mandatory' ACLs on the homedir and have these
> propagate, but that feels like a workaround for something that the
> docs imply shouldn't be needed?

Where does it imply that? Tell me and I will change it.
Your problem is possibly being caused by the share being connected by a
member of the g_alice group (yes, I know there is only one user) and
the group doesn't have write access.

> 
> > 
> ...
> hosts:  files  dns
> 
> 
> > The smb.conf is correct. Oh, PS, one thing..
> > you don't have "winbind refresh tickets = yes" in; add it.
> > At least, that's the only thing I didn't see.
> > 
> 
> I do have this in, though I assumed it wasn't relevant at this point?

It is always relevant; without it being set, your Kerberos tickets will
expire after 10 hrs and will not get renewed.

Rowland
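Rowland's diagnosis above is that the g_alice group simply has no write
bit on /home/alice (group::r-x in the getfacl output). The script below is
an added example, not part of this thread or of the Samba project: it
parses getfacl output and reports whether the owning group actually has
write access, taking the ACL mask into account (when explicit ACLs are set,
as Matthew considered doing, a restrictive mask::  entry silently removes
the w bit even if group:: shows rwx). The sample ACL texts are constructed
to mirror the output posted in the thread, and the function names are this
example's own.

```shell
#!/bin/sh
# Added example (not from the Samba mailing list thread or the Samba
# project): decide from getfacl output whether the owning POSIX group can
# write to a directory, honouring the ACL mask, and emit the fix command.

# Constructed input, copied in shape from the getfacl output in the thread.
acl_no_write='# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::r-x
other::r-x'

# Constructed: same directory after chmod g+w.
acl_write='# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::rwx
other::r-x'

# Constructed: explicit ACLs were added, but the mask caps the group entry,
# so the effective permission for g_alice is still r-x (getfacl annotates
# this with "#effective:r-x").
acl_masked='# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::rwx			#effective:r-x
group:g_alice:rwx		#effective:r-x
mask::r-x
other::r-x'

# owning_group ACL_TEXT -> prints the group named in the "# group:" header
owning_group() {
    printf '%s\n' "$1" | sed -n 's/^# group: //p'
}

# group_can_write ACL_TEXT -> exit 0 if the owning group entry (group::)
# has an effective 'w' bit, 1 otherwise. A mask:: entry, if present,
# is ANDed onto the group entry exactly as the kernel does.
group_can_write() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }                         # skip the header comments
        { sub(/[ \t]+#effective.*$/, "") }   # drop getfacl annotations
        $1 == "group" && $2 == "" { gperm = $3 }
        $1 == "mask"              { mask  = $3 }
        END {
            if (gperm !~ /w/) exit 1
            if (mask != "" && mask !~ /w/) exit 1
            exit 0
        }'
}

# fix_command ACL_TEXT PATH -> prints the command that grants the owning
# group write access, or "ok" if nothing needs changing. When a mask is
# the blocker, chmod g+w adjusts the mask (that is what chmod does on a
# directory carrying extended ACLs), so the same command applies.
fix_command() {
    if group_can_write "$1"; then
        echo "ok"
    else
        echo "chmod g+w $2"
    fi
}

# Stand-alone run: report on each constructed sample.
for sample in "$acl_no_write" "$acl_write" "$acl_masked"; do
    printf 'group=%s write=%s fix=%s\n' \
        "$(owning_group "$sample")" \
        "$(group_can_write "$sample" && echo yes || echo no)" \
        "$(fix_command "$sample" /home/alice)"
done
```

To run it against a real share path, replace a sample with
`"$(getfacl -p /home/alice)"` (the -p keeps the leading slash so the
"# file:" line shows the absolute path). Note that this only tells you
whether the group on the directory can write; which group the connecting
user actually carries comes from `id alice` on the member server, which
is where unix_primary_group / gidNumber shows up.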
