[Samba] Permission question (AD)

Rowland Penny rpenny at samba.org
Mon Dec 14 09:27:46 UTC 2015

On 14/12/15 02:15, Viktor Trojanovic wrote:
> I'm using the AD ID mapping, so I manually give all my users and
> groups their respective uidNumbers and gidNumbers.
> I created a group of the type "security" with the scope "global" and
> added some users to it, then I gave full control permission to said
> group to certain files on a member server.
> However, the members from this group still can only read those files.
> Which is weird, since if I check the effective permissions from within
> Windows, it is being confirmed that there should be full control. So,
> Windows believes that I should have full permission but it's not true.
> So there must be something weird going on the Linux side, and I'm a
> bit lost right now.
> First of all, I gave this particular group the gidNumber 10004, but
> when I type "getent group groupname" on the DC, I get some high number
> such as 3000049. The same happens for "domain admins" while "domain
> users" shows the correct gidNumber.

Is this on a DC?

> I might know the reason for this: I created the former two groups a
> while ago without giving them an ID - I did so only later, when I
> noticed that I forgot to give them an ID. Is this problematic? I
> didn't notice any problems with the domain admins group, though
> there's only one Admin. But the other group is clearly showing this
> issue. What can I do to solve this?

What do you mean by 'I created the former two groups a while ago'? The
two groups should already exist in AD.

> Secondly, does it matter that "getent passwd username" will return
> just the domain users group in the group field, but not the additional
> group the user is part of?

No, winbind returns the user's primary group and this is always Domain
Users, unless you change it, not that I recommend doing this.

> Should I maybe just delete the group, then recreate it and give it the
> correct attributes from the start? What kind of impact will this have
> on the shares where the deleted group had permissions, will those be
> automatically deleted too and, if not, is it necessary to first remove
> all permissions this group has?

What group are you suggesting deleting? If Domain Users/Admins, then
don't; if it is a group you created (and no, you didn't create domain
users) then it probably won't help.

Can you post a bit more info: what OS, your smb.conf, etc.?


> Any good advice appreciated.
