[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working

Klaus Jaensch klausj at phonetik.uni-muenchen.de
Tue Dec 10 13:29:28 UTC 2019 

Hi Rowland,

Am 10.12.19 um 13:05 schrieb Rowland penny via samba:
> On 10/12/2019 11:41, Klaus Jaensch via samba wrote:
>> Hello all,
>>
>> we want to change the configuration of our Samba domain member file 
>> servers to use
>>
>> unix_primary_group=yes
>>
>> After some experiments I was able to get it to work, but only with
>>
>> vfs objects = acl_xattr
>>
>> commented out.
>>
>> With acl_xattr enabled the primary group is still displayed correctly 
>> in the output of smbstatus, but new files are not created with with 
>> this primary group. The created files have the default group 'users' 
>> instead.
>>
>>
>> Is it a  bug in the acl_xattr module?
>>
>>
>> I used the latest Ubuntu server version for testing:
>>
>> Samba version 4.10.7-Ubuntu
>>
>>
>> Klaus
>>
>>
>>
> I think you need to post your smb.conf, the default user group is 
> Domain Users, not 'users', that is the default local Unix group.
>
Here is my test smb.conf

[global]
   security = ads
   realm = SAMDOM
   workgroup = IPS
   idmap config *:backend =tdb
   idmap config *:range = 5000000-6000000
   idmap config IPS:backend = ad
   idmap config IPS:schema_mode = rfc2307
   idmap config IPS:range = 100-999999
   idmap config IPS:unix_nss_info = yes
   idmap config IPS:default = yes
   idmap config IPS:unix_primary_group = yes
   # Use settings from AD for login shell and home directory
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 10
   winbind use default domain = yes
   winbind rpc only = yes
   kerberos method = secrets and keytab
   client use spnego = yes
   client ntlmv2 auth = yes
   ntlm auth = no
   encrypt passwords = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   server min protocol = SMB2
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   access based share enum = yes
   server signing = mandatory
   smb encrypt = desired

[test_share]
        path= /data/test_share
        read only = No
        create mask = 0660
        directory mask = 0770
        valid users =test_user

I use the Windows Server AD as backend and set the GID in the 
ActiveDirectory UNIX-Attributes of the user.

On the Linux Samba server I have a group with this GID.

The name of this group shows up in the smbstatus output.

New files are created with this GID, but only if vfs objects = acl_xattr 
is commented out.


We access the file servers from Windows clients via SMB and from Linux 
clients via NFS. I want to use private user groups on Ubuntu to change 
the umask to 002 on login automatically on Ubuntu (Explained in 
/etc/login.defs).

Therefore every user requires its own primary group with the same name 
of the user. I know that it is not possible to have groups with the same 
name in AD, so I want to use the GID (number) UNIX attribute and resolve 
it to the existing (private user) group on the Linux server.

Everything works as expected but only without the vfs objects = 
acl_xattr line in smb.conf.


Klaus


> Rowland
>
>
>
-- 
------------------------------------------
Klaus Jaensch
Muenchen
Germany

Institut fuer Phonetik und Sprachverarbeitung
Schellingstr.3/II
Room 223 VG
80799 München

Phone (Work): +49-(0)89-2180-2806
Fax:          +49-(0)89-2180-5790
EMail: klausj at phonetik.uni-muenchen.de

More information about the samba mailing list