[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working
Klaus Jaensch
klausj at phonetik.uni-muenchen.de
Tue Dec 10 13:29:28 UTC 2019
Hi Rowland,
On 10.12.19 at 13:05, Rowland penny via samba wrote:
> On 10/12/2019 11:41, Klaus Jaensch via samba wrote:
>> Hello all,
>>
>> we want to change the configuration of our Samba domain member file
>> servers to use
>>
>> unix_primary_group=yes
>>
>> After some experiments I was able to get it to work, but only with
>>
>> vfs objects = acl_xattr
>>
>> commented out.
>>
>> With acl_xattr enabled the primary group is still displayed correctly
>> in the output of smbstatus, but new files are not created with
>> this primary group. The created files have the default group 'users'
>> instead.
>>
>>
>> Is it a bug in the acl_xattr module?
>>
>>
>> I used the latest Ubuntu server version for testing:
>>
>> Samba version 4.10.7-Ubuntu
>>
>>
>> Klaus
>>
>>
>>
> I think you need to post your smb.conf, the default user group is
> Domain Users, not 'users', that is the default local Unix group.
>
Here is my test smb.conf:

[global]
security = ads
realm = SAMDOM
workgroup = IPS
idmap config *:backend = tdb
idmap config *:range = 5000000-6000000
idmap config IPS:backend = ad
idmap config IPS:schema_mode = rfc2307
idmap config IPS:range = 100-999999
idmap config IPS:unix_nss_info = yes
idmap config IPS:default = yes
idmap config IPS:unix_primary_group = yes
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
winbind rpc only = yes
kerberos method = secrets and keytab
client use spnego = yes
client ntlmv2 auth = yes
ntlm auth = no
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
server min protocol = SMB2
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
access based share enum = yes
server signing = mandatory
smb encrypt = desired

[test_share]
path = /data/test_share
read only = No
create mask = 0660
directory mask = 0770
valid users = test_user

I use the Windows Server AD as backend and set the GID in the
Active Directory UNIX attributes of the user.

On the Linux Samba server I have a group with this GID.
The name of this group shows up in the smbstatus output.

New files are created with this GID, but only if vfs objects = acl_xattr
is commented out.

We access the file servers from Windows clients via SMB and from Linux
clients via NFS. I want to use private user groups on Ubuntu to change
the umask to 002 on login automatically on Ubuntu (explained in
/etc/login.defs).
Therefore every user requires their own primary group with the same name
as the user. I know that it is not possible to have groups with the same
name in AD, so I want to use the GID (number) UNIX attribute and resolve
it to the existing (private user) group on the Linux server.

Everything works as expected, but only without the vfs objects =
acl_xattr line in smb.conf.

Klaus
> Rowland
>
>
>
--
------------------------------------------
Klaus Jaensch
Muenchen
Germany
Institut fuer Phonetik und Sprachverarbeitung
Schellingstr.3/II
Room 223 VG
80799 München
Phone (Work): +49-(0)89-2180-2806
Fax: +49-(0)89-2180-5790
EMail: klausj at phonetik.uni-muenchen.de