[Samba] using Windows AD unwanted Group rights get applied to new Files

Rowland Penny rpenny at samba.org
Fri Aug 10 12:59:39 UTC 2018

On Fri, 10 Aug 2018 13:20:15 +0100
"miguel medalha" <medalist at sapo.pt> wrote:

> > > > By default, every AD user is a member of 'Domain Users' and so, 
> > > > when you use the 'rid' backend every Unix user gets the group as
> > > > their primary group.
> > > 
> > > > The only way to change this is by using a version of Samba >=
> > > > 4.6.0 and use the 'ad' backend  (...)
> > > 
> > > You can also use RSAT and define some other group as the user's
> > > primary group, and still use 'rid' backend. If I remember well,
> > > the setting resides in the "Member of" tab of Active Directory
> > > Users and Computers (ADUC).
> > Wrong, that just adds another attribute ('msSFU30PosixMember' I
> > think) and this is ignored.
> > Yes, there is another way, add the user to a group, change the user's
> > primaryGroupID attribute to contain the RID of the new group and
> > your user's group on Unix will be the new group. Unfortunately there
> > is a big problem with doing this, it breaks Windows, as it relies
> > on all users being a member of Domain Users and that group not
> > actually having any members ;-)
> Are you sure about that? I am using the RID backend and I just tested
> this:
> I logged on to Windows 7 as a regular user 

What do you mean by 'regular user' ?

>having a particular group
> set as "Primary group" 

How are you setting the 'primary group'?

By default all AD users (aka windows users) are members of the 'Domain
Users' group even though they do not appear in the 'Domain Users' AD

>and I created a new file and a new folder
> inside a share. Looking at it on the security tab, I can see that the
> "Domain Users" group is not in the list of permissions. I logged out.

Have you done something strange like changing the contents of the user's
'primaryGroupID' attribute?

> As Administrator, using ADUC, in the "Member of" tab I changed the
> primary group of the same user to the "Domain users" default.

Yep, it sounds like you have.

> I logged on again as the same regular user and I created a new file
> and a new folder inside the same share. Looking at the "Security"
> tab, I see that the "Domain users" group is now there, with advanced
> permissions of "Full Control, This object only" and "Full Control,
> This folder only".
> Resetting the user's primary group to its original group restores the
> intended behavior, the "Domain Users" is no longer present in newly
> created files or folders.

No, this is not the intended behaviour; it might be your intended
behaviour, but it isn't Windows.

> This is a Samba Active Directory serving a network of mainly Windows
> 7 machines. The Samba version is 4.8.3. As I said before, the RID
> backend is in use.

All the 'rid' backend does is calculate the user & group IDs from
their 'RID'.
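The mechanism argued over above, as an added example that is not part of the samba list thread: the 'rid' idmap backend derives a Unix ID by adding the SID's RID to the low end of the configured idmap range (ID = RID + LOW_RANGE_ID, as documented for idmap_rid), and a Windows user's primary group is whatever group RID is stored in the user's primaryGroupID attribute (513 is the well-known RID of 'Domain Users'). The domain SID, the idmap range, the user RIDs and the user names in the block are constructed sample values, and the helper names are hypothetical.

```python
# Added example (not code from the samba thread): how the 'rid' idmap backend
# turns a SID into a Unix uid/gid, and how primaryGroupID selects the Windows
# primary group that shows up on newly created files.
#
# Assumed smb.conf fragment the numbers below correspond to (constructed):
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range   = 10000-999999

DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users'

# Constructed sample values; not taken from the original thread.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_RANGE = (10000, 999999)
SAMPLE_USERS = [
    {"name": "alice",  "sid": f"{SAMPLE_DOMAIN_SID}-1104", "primaryGroupID": 513},
    {"name": "miguel", "sid": f"{SAMPLE_DOMAIN_SID}-1105", "primaryGroupID": 1106},
]


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(rid: int, low: int, high: int) -> int:
    """idmap_rid mapping: ID = RID + LOW_RANGE_ID, rejected if outside the range."""
    unix_id = low + rid
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
    return unix_id


def unix_uid(user_sid: str, low: int, high: int) -> int:
    """The uid winbind hands out for a user SID under the rid backend."""
    _, rid = split_sid(user_sid)
    return rid_to_unix_id(rid, low, high)


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Windows builds the primary group SID as <domain SID>-<primaryGroupID>."""
    domain_sid, _ = split_sid(user_sid)
    return f"{domain_sid}-{primary_group_id}"


def unix_primary_gid(user_sid: str, primary_group_id: int, low: int, high: int) -> int:
    """The Unix primary gid: the rid mapping applied to the primary group SID."""
    _, group_rid = split_sid(primary_group_sid(user_sid, primary_group_id))
    return rid_to_unix_id(group_rid, low, high)


def users_with_nondefault_primary_group(users: list[dict]) -> list[str]:
    """Audit helper: names of users whose primaryGroupID is not 'Domain Users'.

    The thread warns that moving users off Domain Users as primary group
    breaks Windows, so a defender wants to know which accounts have been
    changed that way.
    """
    return [u["name"] for u in users if u["primaryGroupID"] != DOMAIN_USERS_RID]


if __name__ == "__main__":
    low, high = SAMPLE_RANGE
    for u in SAMPLE_USERS:
        uid = unix_uid(u["sid"], low, high)
        gid = unix_primary_gid(u["sid"], u["primaryGroupID"], low, high)
        print(f"{u['name']}: uid={uid} primary gid={gid} "
              f"(group SID {primary_group_sid(u['sid'], u['primaryGroupID'])})")
    print("non-default primary group:", users_with_nondefault_primary_group(SAMPLE_USERS))
```

With the sample range, 'Domain Users' (RID 513) always becomes gid 10513, which is why a user whose primaryGroupID is left at 513 gets that group on new files, while a user switched to RID 1106 gets gid 11106 instead. The audit helper simply lists accounts where the attribute has been changed from the default.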
