[Samba] using Windows AD unwanted Group rights get applied to new Files

Rowland Penny rpenny at samba.org
Fri Aug 10 13:57:32 UTC 2018

On Fri, 10 Aug 2018 14:32:01 +0100
"miguel medalha" <medalist at sapo.pt> wrote:

> > >having a particular group
> > > set as "Primary group" 
> > How are setting the 'primary group' ?
> The 'primary group' had been set a long time ago, when the system was
> created. It had been set with ADUC, under the "Member of" tab, as
> told before.

Yes, but that shouldn't change the 'primaryGroupID' attribute.

> > By default all AD users (aka windows users) are members of the
> > 'Domain Users' group even though they do not appear in the 'Domain
> > Users' AD object.
> Yes, of course. That's not the point.

No, its the very point.

> > > and I created a new file and a new folder
> > > inside a share. Looking at it on the security tab, I can see that
> > > the "Domain Users" group is not in the list of permissions. I
> > > logged out.
> > Have you done something strange like changing the contents of the
> > users
> 'primaryGroupID' attribute ?
> > > 
> > > As Administrator, using ADUC, in the "Member of" tab I changed the
> > > primary group of the same user to the "Domain users" default.
> > Yep, it sounds like you have.
> > 
> > > I logged on again as the same regular user and I created a new
> > > file and a new folder inside the same share. Looking at the
> > > "Security" tab, I see that the "Domain users" group is now there,
> > > with advanced permissions of "Full Control, This object only" and
> > > "Full Control, This folder only".
> > > 
> > > Resetting the user's primary group to its original group restores
> > > the intended behavior, the "Domain Users" is no longer present in
> > > newly created files or folders.
> > No, this is not the intended behaviour, it might be your intended
> > behavior, but it isn't Windows.
> It is also the behavior intended by the OP. Shouldn't a folder
> inherit the permissions of its parent when inheritance is on? If so,
> why does the group "Domain users" appear there with "Full control"
> permissions when it is not present in the parent folder?
> > All the 'rid' backend does is calculate the user & group ID's from
> > their 'RID'. 
> Yes, I know, but one of your previous posts seems to imply that the
> behavior the OP wants is not possible unless you use the AD backend
> or a convoluted workaround. You also stated that changing the
> "primary group" would be ignored, which isn't. I thought it would be
> helpful to actually test it... I found the problem the OP complained
> about somewhat strange because I had never met it, and I had never
> met it because all my users had their primary group set to the
> intended group from the beginning, some years ago.

What does 'getent passwd ausername' return on a Unix domain member ?

It should return something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The first '10000' is the users uidNumber and the second is the
gidNumber for 'Domain Users'


More information about the samba mailing list