[Samba] Samba 4 with sssd - primary Windows group membership not honored

Rowland penny rpenny at samba.org
Wed Mar 23 16:40:23 UTC 2016

On 23/03/16 16:18, Joseph Dickson wrote:
> Thanks for the reply!  I'm confused on a few bits:
>> To change a user's primary group is a bit like jumping through hoops, you
>> have to add the user to the group that you want to be the new primary
>> group, then change the primaryGroupID attribute to contain the RID of the
>> new group and then finally add the user to the 'Domain Users' group. If I
>> were you, I wouldn't bother, as AD expects every user's primary group to be
>> 'Domain Users'.
> I've since come up with a theory.. I'm relying on the NT ACL lists for
> permissions management, but that creates some hassles with making sure that
> smbd still has the needed UNIX permissions.   I'm using force group = users
> in my smb.conf, combined with a mask that makes sure files are created as
> group writable at the UNIX level.  It appears that since "force group"
> changes the user's effective primary group, it is replacing the fact that
> the user is a member of "Domain Users".  This doesn't seem like correct
> behavior, but I'm not sure.  I'm having trouble thinking of a way to work
> around it without making my files world writeable at the UNIX level..

OK, you should use the standard 'rwx' permissions *or* ACLs, not both.
If you create a directory on Unix that you want to share, set the
owner:group to root:'Domain Admins' and permissions to 0770. You will
then be able to set the permissions from Windows or with setfacl on the
Unix machine; you do not need the 'force group' lines in smb.conf. There
is a wiki page for this, see here:


>> You shouldn't really be using winbind and sssd together, select one and
>> then remove the other.
> I've never seen a succinct description of how this should work in the Samba
> 4 world.  What I've read over and over is that even if you aren't using
> winbind for UNIX integration (PAM, NSS, etc) that it needs to be running in
> order for smbd to operate properly.. caching of domain controller
> connections, etc.  In my limited experience, if I stop winbind I start to
> see all sorts of strange behaviors including raw SIDs listed in Security
> Panes etc...
> The way I have it currently set up, sssd is being used for the integration
> piece (nss, pam) but winbind is running for smbd to use.  As best I can
> tell, that's the recommended configuration..  is there documentation that
> might clear it up?  I've tried digging through the docs I can find and
> unfortunately it seems to leave most of the guts of this process in the
> dark, so it's pretty hard to see the most correct/recommended way to
> configure Samba 4 as a transparent-ish file server replacement..
> Thanks!

On a Domain member you do not need sssd, winbind will do everything that 
sssd does, but on an AD DC it is a bit different, winbind there ignores 
all the RFC2307 attributes except for uidNumber & gidNumber.

Samba only recommends using winbind; sssd is not supplied or supported
by Samba.

I don't know if you have read the Samba wiki pages; there is a lot of
info about using Samba, and it starts here:



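As an added example (not part of the thread), a small POSIX shell script that applies the reply's recommendation: it prepares a share directory as root:'Domain Admins' with mode 0770 and flags share definitions in smb.conf that still carry 'force group', since that setting overrides the user's primary group. The smb.conf fragment is constructed, and the optional owner/group arguments are an assumption added so the script can be tried on a host that is not a domain member.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.

# List share names whose [section] contains a 'force group' line.
# Reads smb.conf text on stdin and prints one share name per line.
list_force_group_shares() {
    awk '
        /^[[:space:]]*\[/ {
            s = index($0, "["); e = index($0, "]")
            share = substr($0, s + 1, e - s - 1); next
        }
        tolower($0) ~ /^[[:space:]]*force[[:space:]]+group[[:space:]]*=/ {
            if (share != "") print share
        }
    '
}

# Create a share directory with the ownership and mode the reply recommends.
# Usage: prepare_share_dir <path> [owner] [group]
# Defaults are root and 'Domain Admins'; the overrides are an assumption so
# the function can be exercised as an unprivileged user on a test box.
# Prints the resulting octal mode so callers can verify the 0770 bits.
prepare_share_dir() {
    dir=$1
    owner=${2:-root}
    group=${3:-Domain Admins}
    mkdir -p "$dir" || return 1
    chown "$owner":"$group" "$dir" || return 1
    chmod 0770 "$dir" || return 1
    stat -c %a "$dir"
}

# Constructed smb.conf fragment: [data] uses the 'force group' + mask approach
# the poster described, [acl-share] relies on directory ownership and ACLs.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   security = ADS

[data]
   path = /srv/samba/data
   read only = no
   force group = users
   create mask = 0664
   directory mask = 0775

[acl-share]
   path = /srv/samba/acl
   read only = no
'

printf '%s' "$SAMPLE_SMB_CONF" | list_force_group_shares
```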