[Samba] Confusing primary group warning

Rowland Penny rpenny at samba.org
Thu Apr 18 07:17:38 UTC 2019

On Wed, 17 Apr 2019 23:55:40 -0400
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> > Windows relies on all users being a member of Domain Users  
> Okay that's fine. But this is a discussion of "Primary Group", not
> general group membership. AFAIK Windows doesn't care about the Primary
> group. In fact, the "Member Of" tab in ADUC says:
> > There is no need to change Primary group unless you have Macintosh
> > clients or POSIX-compliant applications.  

This shows that you shouldn't change the user's primary group.

> What is the purpose of this warning? If the whole point was that
> "Windows relies on all users being a member of Domain Users", then I
> don't understand why the Wiki is instructing users to not change the
> Primary group.

It is there because, even though you have realised that changing the
contents of 'primaryGroupID' from '513' to the RID of another group is
a bad idea, people did! This then upset Windows.

The problem is that on Unix, a user normally gets its own private
group, but it is easy to change the user's primary group. In AD, the
user's primary group is 'Domain Users' and isn't expected to change, but
Unix sysadmins, whilst wanting to use AD, didn't want to comply with
this restriction, so 'idmap config DOMAIN : unix_primary_group = yes'
was created. There is only one problem with this: it only works if you
actually log into the Samba fileserver; over the wire it is still
'Domain Users'.
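
An added example, not part of the original message or of Samba: a Python check over an LDIF export (for instance from ldbsearch or ldapsearch) that lists user accounts whose 'primaryGroupID' is no longer '513', the change the reply above says upset Windows. The sample records, account names and RID 1105 are constructed; skipping computer accounts and assuming unfolded, non-base64 LDIF lines are assumptions of this sketch.

```python
# Constructed sample data; only the value 513 (Domain Users) comes from the thread.
DOMAIN_USERS_RID = "513"

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
primaryGroupID: 513

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
primaryGroupID: 1105

dn: CN=FS1,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
sAMAccountName: FS1$
primaryGroupID: 515
"""

def parse_ldif(text):
    """Yield each blank-line-separated record as {lowercased attr: [values]}."""
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments such as "# record 1"
            key, value = line.split(": ", 1)
            record.setdefault(key.lower(), []).append(value.strip())
        if record:
            yield record

def changed_primary_groups(text):
    """Return (account, rid) for user objects whose primary group is not 513."""
    findings = []
    for rec in parse_ldif(text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "user" not in classes or "computer" in classes:
            continue  # assumption: machine accounts are out of scope here
        rid = rec.get("primarygroupid", [""])[0]
        if rid != DOMAIN_USERS_RID:
            name = rec.get("samaccountname", rec.get("dn", ["?"]))[0]
            findings.append((name, rid))
    return findings

if __name__ == "__main__":
    for name, rid in changed_primary_groups(SAMPLE_LDIF):
        print(f"{name}: primaryGroupID={rid} (expected {DOMAIN_USERS_RID})")
```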

