[Samba] using Windows AD unwanted Group rights get applied to new Files

Rowland Penny rpenny at samba.org
Tue Aug 7 12:38:24 UTC 2018

On Tue, 7 Aug 2018 11:52:31 +0000
VELARTIS Philipp Dürhammer <p.duerhammer at velartis.at> wrote:

> HI,
> Ubuntu 16.04 newest Updates. Windows 2016 Server RD and
> Domaincontroller. When we set the rights through windows everything
> is fine. But creating Files on Windows Share adds allways the primary
> group "Domänen-Benutzer" to the file. And every user is in this
> group. This just breaks permissions...

Can I suggest you remove these lines:

        idmap uid = 10000-100000000
        idmap gid = 10000-100000000
        password server = dc1.vhh.local, dc2.vhh.local
        wins server
        encrypt passwords = true
        client use spnego = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = true
        winbind offline logon = false
        dns forwarder =
        idmap_ldb:use rfc2307 = yes

They are either default settings, deprecated or just plain shouldn't be
in a Unix domain members smb.conf

You also have in the [sc1_main] share:

       writeable = yes
       read only = no

You only need one, I am sure if you look hard enough at those lines,
you will realise they mean the same thing ;-)

We now come to your real problem, where did you get this from ?

        idmap backend = idmap_rid:VHH=10000-100000000

I would have expected something like this:

        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config VHH : backend = rid
        idmap config VHH : range = 10000-999999

Not that it would help you with your problem with 'Domain Users'.
By default, every AD user is a member of 'Domain Users' and so, when
you use the 'rid' backend every Unix user gets the group as their
primary group.

The only way to change this is by using a version of Samba >= 4.6.0 and
use the 'ad' backend and idmap config lines similar to these:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config VHH : backend = ad
    idmap config VHH : schema_mode = rfc2307
    idmap config VHH : unix_nss_info = yes
    idmap config VHH : unix_primary_group = yes
    idmap config VHH : range = 10000-999999

You would then need to give all your users a unique uidNumber attribute
containing a number inside the range you set in smb.conf, you would
also need to give the user a gidNumber attribute containing the
gidNumber of the required group to use instead of 'Domain Users'.


More information about the samba mailing list