[Samba] Samba 4 with sssd - primary Windows group membership not honored

Joseph Dickson jdickson at evolvetsi.com
Wed Mar 23 16:18:57 UTC 2016

Thanks for the reply!  I'm confused on a few bits:

> To change a user's primary group is a bit like jumping through hoops, you
> have to add the user to the group that you want to be the new primary
> group, then change the primaryGroupID attribute to contain the RID of the
> new group and then finally add the user to the 'Domain Users' group. If I
> were you, I wouldn't bother, as AD expects every user's primary group to be
> 'Domain Users'.

I've since come up with a theory. I'm relying on the NT ACLs for
permissions management, but that creates some hassles with making sure that
smbd still has the needed UNIX permissions. I'm using force group = users
in my smb.conf, combined with a mask that makes sure files are created as
group-writable at the UNIX level. It appears that since "force group"
changes the user's effective primary group, it is replacing the fact that
the user is a member of "Domain Users". This doesn't seem like correct
behavior, but I'm not sure. I'm having trouble thinking of a way to work
around it without making my files world-writable at the UNIX level.

> You shouldn't really be using winbind and sssd together, select one and
> then remove the other.

I've never seen a succinct description of how this should work in the Samba
4 world. What I've read over and over is that even if you aren't using
winbind for UNIX integration (PAM, NSS, etc.), it needs to be running in
order for smbd to operate properly (caching of domain controller
connections, etc.). In my limited experience, if I stop winbind I start to
see all sorts of strange behaviors, including raw SIDs listed in Security
panes, etc.

The way I have it currently set up, sssd is being used for the integration
piece (NSS, PAM) but winbind is running for smbd to use. As best I can
tell, that's the recommended configuration. Is there documentation that
might clear it up? I've tried digging through the docs I can find, and
unfortunately it seems to leave most of the guts of this process in the
dark, so it's pretty hard to see the most correct/recommended way to
configure Samba 4 as a transparent-ish file server replacement.


*Joseph Dickson*
Director of IT Systems, Evolve Tele-Services, Inc.
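The mask-and-force-group interplay the message above describes, as an added example that is not part of the original post and not code from the Samba project: a small Python audit that reads an smb.conf, resolves each share's settings against [global] and the smb.conf(5) defaults, and computes the UNIX mode new files and directories will get, so you can check that a "force group" plus group-writable design actually yields group write without falling through to world write. The sample smb.conf is constructed here; the base modes before masking (0666 for a writable file, 0777 for a directory) are this example's reading of smb.conf(5) for create mask / force create mode, and the "+group" handling follows the documented force group prefix (group forced only for users already in it). Membership in "Domain Users" is passed in as a plain set of UNIX group names, since the audit does not talk to winbind or sssd.

```python
"""Audit the UNIX-level side effects of smb.conf share settings.

Models only documented smb.conf(5) behaviour:
  create mask / force create mode         -> mode of new files
  directory mask / force directory mode   -> mode of new directories
  force group                              -> primary group of new files
Assumed base modes before masking: 0666 (file), 0444 (read-only file), 0777 (dir).
"""
import configparser
import stat

# Constructed sample config for this example (not the poster's real smb.conf).
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
create mask = 0744
directory mask = 0755

[projects]
path = /srv/projects
force group = users
create mask = 0664
directory mask = 0775

[scratch]
path = /srv/scratch
force group = +users
create mask = 0777
force create mode = 0002
directory mask = 0777

[archive]
path = /srv/archive
"""

# smb.conf(5) defaults used when neither the share nor [global] sets the key.
DEFAULTS = {
    "create mask": "0744",
    "force create mode": "0000",
    "directory mask": "0755",
    "force directory mode": "0000",
}


def load_smb_conf(text):
    """Parse smb.conf text; keys are case-insensitive, like smbd treats them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def share_param(cp, share, key):
    """Share value, falling back to [global], then to the documented default."""
    for section in (share, "global"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key).strip()
    return DEFAULTS.get(key)


def effective_mode(cp, share, directory=False, read_only=False):
    """UNIX mode smbd assigns: (base AND mask) OR force mode."""
    if directory:
        base = 0o777
        mask = int(share_param(cp, share, "directory mask"), 8)
        force = int(share_param(cp, share, "force directory mode"), 8)
    else:
        base = 0o444 if read_only else 0o666
        mask = int(share_param(cp, share, "create mask"), 8)
        force = int(share_param(cp, share, "force create mode"), 8)
    return (base & mask) | force


def forced_group(cp, share, user_groups):
    """Group new files carry under `force group`, or None if not forced.

    user_groups: set of UNIX group names the connecting user resolves to via
    NSS (winbind or sssd). A leading '+' means the group is forced only for
    users who are already members of it (smb.conf(5) semantics).
    """
    value = share_param(cp, share, "force group")
    if not value:
        return None
    if value.startswith("+"):
        group = value[1:]
        return group if group in user_groups else None
    return value


def audit(cp, user_groups):
    """Per-share effective modes plus the two findings the post worries about."""
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        fmode = effective_mode(cp, share)
        dmode = effective_mode(cp, share, directory=True)
        group = forced_group(cp, share, user_groups)
        issues = []
        if (fmode & stat.S_IWOTH) or (dmode & stat.S_IWOTH):
            issues.append("world-writable")
        if group and not (fmode & stat.S_IWGRP):
            issues.append("force group set but new files are not group-writable")
        findings[share] = {"file_mode": fmode, "dir_mode": dmode,
                           "group": group, "issues": issues}
    return findings


if __name__ == "__main__":
    conf = load_smb_conf(SAMPLE_SMB_CONF)
    for name, info in audit(conf, {"users", "domain users"}).items():
        print(f"[{name}] files={info['file_mode']:04o} dirs={info['dir_mode']:04o} "
              f"group={info['group']} issues={info['issues'] or 'none'}")
```

On the constructed config, [projects] lands on 0664 files and 0775 directories owned by group "users" (the group-writable-but-not-world-writable outcome the post is after), [scratch] is flagged world-writable because its mask and force mode let other-write through, and [archive] inherits the [global] 0744 mask and so gives 0644 files that no group member can write.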
