[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working
klausj at phonetik.uni-muenchen.de
Tue Dec 10 15:56:30 UTC 2019
Am 10.12.19 um 15:08 schrieb Rowland penny via samba:
> On 10/12/2019 13:29, Klaus Jaensch via samba wrote:
>> Hi Rowland,
>>>> I used the latest Ubuntu server version for testing:
>>>> Samba version 4.10.7-Ubuntu
>>> Here is my test smb.conf
>> security = ads
>> realm = SAMDOM
>> workgroup = IPS
>> idmap config *:backend =tdb
>> idmap config *:range = 5000000-6000000
>> idmap config IPS:backend = ad
>> idmap config IPS:schema_mode = rfc2307
>> idmap config IPS:range = 100-999999
> Why are you using '100' for the range start number ?
I set the Unix attribute GID of the AD group 'Domain Users' to 100.
The idea was to map the AD 'Domain Users' group to default UNIX group
'users' GID 100.
I guess that was not a good idea?
> It looks like it is picking up the local Unix group 'users' which has
> the GID 100
Thanks Rowland, that was the problem! Changed the range to 10000-999999
and it works now.
But shouldn't the Primary Group GID entry of the user in AD have
precedence over the 'Domain Users' membership?
>> idmap config IPS:unix_nss_info = yes
>> idmap config IPS:default = yes
> I don't know where you got that line from, it doesn't exist
>> idmap config IPS:unix_primary_group = yes
>> # Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
> That line is only used if you are using Samba < 4.8.0
>> winbind enum users = yes
>> winbind enum groups = yes
> You should turn the two lines above off, they are not needed and can
> slow things down.
>> winbind cache time = 10
>> winbind use default domain = yes
>> winbind rpc only = yes
> NOOOOOOOOOO, do not set the line above
OK, the line was only in the test server config.
>> kerberos method = secrets and keytab
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> ntlm auth = no
>> encrypt passwords = yes
> The four lines above are defaults and as such are not required.
>> restrict anonymous = 2
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 0
>> server min protocol = SMB2
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> access based share enum = yes
>> server signing = mandatory
>> smb encrypt = desired
>> path= /data/test_share
>> read only = No
>> create mask = 0660
>> directory mask = 0770
>> valid users =test_user
>> I use the Windows Server AD as backend and set the GID in the
>> ActiveDirectory UNIX-Attributes of the user.
>> On the Linux Samba server I have a group with this GID.
> Yes, it is local Unix group:
> cat /etc/group | grep 100
>> The name of this group shows up in the smbstatus output.
>> New files are created with this GID, but only if vfs objects =
>> acl_xattr is commented out.
>> We access the file servers from Windows clients via SMB and from
>> Linux clients via NFS. I want to use private user groups on Ubuntu to
>> change the umask to 002 on login automatically on Ubuntu (Explained
>> in /etc/login.defs).
> Just use SMB for everything. If you only had Linux clients, then you
> could use NFS and ignore Samba, but I wouldn't try to use the same
> files from NFS and Windows.
We already do that for years now and it works fine. We use NFS mounted
Homes and Autofs. I don't know if that would be possible to replace with
Thank you for your very good advice to cleanup my smb.conf.
Institut fuer Phonetik und Sprachverarbeitung
Room 223 VG
Phone (Work): +49-(0)89-2180-2806
EMail: klausj at phonetik.uni-muenchen.de
More information about the samba