[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working

Rowland penny rpenny at samba.org
Tue Dec 10 14:08:17 UTC 2019


On 10/12/2019 13:29, Klaus Jaensch via samba wrote:
> Hi Rowland,
>
>>> I used the latest Ubuntu server version for testing:
>>>
>>> Samba version 4.10.7-Ubuntu
>>>
>> Here is my test smb.conf
>
> [global]
>   security = ads
>   realm = SAMDOM
>   workgroup = IPS
>   idmap config *:backend = tdb
>   idmap config *:range = 5000000-6000000
>   idmap config IPS:backend = ad
>   idmap config IPS:schema_mode = rfc2307
>   idmap config IPS:range = 100-999999

Why are you using '100' for the range start number?

It looks like it is picking up the local Unix group 'users' which has 
the GID 100

>   idmap config IPS:unix_nss_info = yes
>   idmap config IPS:default = yes
I don't know where you got that line from, it doesn't exist
>   idmap config IPS:unix_primary_group = yes
>   # Use settings from AD for login shell and home directory
>   winbind nss info = rfc2307
That line is only used if you are using Samba < 4.8.0
>   winbind enum users = yes
>   winbind enum groups = yes
You should turn the two lines above off, they are not needed and can 
slow things down.
>   winbind cache time = 10
>   winbind use default domain = yes
>   winbind rpc only = yes
NOOOOOOOOOO, do not set the line above
>   kerberos method = secrets and keytab
>   client use spnego = yes
>   client ntlmv2 auth = yes
>   ntlm auth = no
>   encrypt passwords = yes
The four lines above are defaults and as such are not required.
>   restrict anonymous = 2
>   domain master = no
>   local master = no
>   preferred master = no
>   os level = 0
>   server min protocol = SMB2
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   access based share enum = yes
>   server signing = mandatory
>   smb encrypt = desired
>
> [test_share]
>        path = /data/test_share
>        read only = No
>        create mask = 0660
>        directory mask = 0770
>        valid users = test_user
>
> I use the Windows Server AD as backend and set the GID in the 
> ActiveDirectory UNIX-Attributes of the user.
>
> On the Linux Samba server I have a group with this GID.

Yes, it is a local Unix group:

cat /etc/group | grep 100
users:x:100:

>
> The name of this group shows up in the smbstatus output.
>
> New files are created with this GID, but only if vfs objects = 
> acl_xattr is commented out.
>
>
> We access the file servers from Windows clients via SMB and from Linux 
> clients via NFS. I want to use private user groups on Ubuntu to change 
> the umask to 002 on login automatically on Ubuntu (Explained in 
> /etc/login.defs).
Just use SMB for everything. If you only had Linux clients, then you 
could use NFS and ignore Samba, but I wouldn't try to use the same files 
from NFS and Windows.

Rowland
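The range problem Rowland points at above (an AD idmap range that starts at 100 and so swallows the local 'users' group with GID 100) can be checked mechanically. The following is an added example, not code from the thread or from Samba: it parses the `idmap config <domain>:range` lines of an smb.conf and reports every local /etc/group entry whose GID falls inside an idmap range. The smb.conf and /etc/group contents are constructed samples modelled on the thread.

```python
import re

# Constructed sample smb.conf, modelled on the poster's config (not his real file).
SMB_CONF = """
[global]
  security = ads
  workgroup = IPS
  idmap config *:backend = tdb
  idmap config *:range = 5000000-6000000
  idmap config IPS:backend = ad
  idmap config IPS:schema_mode = rfc2307
  idmap config IPS:range = 100-999999
"""

# Constructed sample /etc/group; 'users' with GID 100 is the group from the thread.
ETC_GROUP = """root:x:0:
users:x:100:
docker:x:999:
"""

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_local_gids(group_file):
    """Return {gid: name} from /etc/group-style text."""
    gids = {}
    for line in group_file.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gids[int(parts[2])] = parts[0]
    return gids

def find_collisions(conf, group_file):
    """List (domain, gid, group_name) for local groups that sit inside an idmap range.

    Any hit means winbind may hand out a GID that already belongs to a local
    Unix group, which is exactly the mix-up seen in the thread."""
    ranges = parse_idmap_ranges(conf)
    gids = parse_local_gids(group_file)
    hits = []
    for dom, (lo, hi) in ranges.items():
        for gid, name in sorted(gids.items()):
            if lo <= gid <= hi:
                hits.append((dom, gid, name))
    return hits

if __name__ == "__main__":
    for dom, gid, name in find_collisions(SMB_CONF, ETC_GROUP):
        print(f"idmap range for '{dom}' overlaps local group '{name}' (GID {gid})")
```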