[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working

Rowland penny rpenny at samba.org
Tue Dec 10 16:20:42 UTC 2019

On 10/12/2019 15:56, Klaus Jaensch via samba wrote:
> I set the Unix attribute GID of the AD group 'Domain Users' to 100.
> The idea was to map the AD 'Domain Users' group to default UNIX group 
> 'users' GID 100.
> I guess that was not a good idea?

No, not really. If you create a group in AD and give it a gidNumber, 
then, on a Unix domain member using the winbind 'ad' backend, that group 
becomes a Unix group as well, that is 'getent group groupname' will 
produce output:

getent group Domain\ Users
domain users:x:10000

Using '100' will clash with the local Unix group 'users', this will mean 
that, looking from Windows, files will belong to 'Domain Users', but 
from Unix they will belong to 'users'.

>> It looks like it is picking up the local Unix group 'users' which has 
>> the GID 100
> Thanks Rowland, that was the problem! Changed the range to 
> 10000-999999 and it works now.
> But shouldn't the Primary Group GID entry of the user in AD have 
> precedence over the 'Domain Users' membership?

It doesn't seem to work that way; I personally think that 
'unix_primary_group = yes' wasn't a good idea, your view may vary ;-)
>>> idmap config IPS:unix_nss_info = yes
>>>   idmap config IPS:default = yes
>> I don't know where you got that line from; it doesn't exist
>>> idmap config IPS:unix_primary_group = yes
>>>   # Use settings from AD for login shell and home directory
>>>   winbind nss info = rfc2307
>> That line is only used if you are using Samba < 4.8.0
>>> winbind enum users = yes
>>>   winbind enum groups = yes
>> You should turn the two lines above off, they are not needed and can 
>> slow things down.
>>> winbind cache time = 10
>>>   winbind use default domain = yes
>>>   winbind rpc only = yes
>> NOOOOOOOOOO, do not set the line above
> OK, the line was only in the test server config.
>>> kerberos method = secrets and keytab
>>>   client use spnego = yes
>>>   client ntlmv2 auth = yes
>>>   ntlm auth = no
>>>   encrypt passwords = yes
>> The four lines above are defaults and as such are not required.
>>> restrict anonymous = 2
>>>   domain master = no
>>>   local master = no
>>>   preferred master = no
>>>   os level = 0
>>>   server min protocol = SMB2
>>>   vfs objects = acl_xattr
>>>   map acl inherit = yes
>>>   store dos attributes = yes
>>>   access based share enum = yes
>>>   server signing = mandatory
>>>   smb encrypt = desired
>>> [test_share]
>>>        path= /data/test_share
>>>        read only = No
>>>        create mask = 0660
>>>        directory mask = 0770
>>>        valid users =test_user
>>> I use the Windows Server AD as backend and set the GID in the 
>>> ActiveDirectory UNIX-Attributes of the user.
>>> On the Linux Samba server I have a group with this GID.
>> Yes, it is a local Unix group:
>> cat /etc/group | grep 100
>> users:x:100:
>>> The name of this group shows up in the smbstatus output.
>>> New files are created with this GID, but only if vfs objects = 
>>> acl_xattr is commented out.
>>> We access the file servers from Windows clients via SMB and from 
>>> Linux clients via NFS. I want to use private user groups on Ubuntu 
>>> to change the umask to 002 on login automatically on Ubuntu 
>>> (Explained in /etc/login.defs).
>> Just use SMB for everything. If you only had Linux clients, then you 
>> could use NFS and ignore Samba, but I wouldn't try to use the same 
>> files from NFS and Windows.
> We have already been doing that for years now and it works fine. We use 
> NFS mounted Homes and Autofs. I don't know if it would be possible to 
> replace that with SMB.
Yes, it would :-)
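
An added check for the clash discussed above (my own illustration, not Samba code and not from either poster): it lists AD gidNumber values that already name a local Unix group, the 'users'/100 case, and lists local ids that fall inside a configured winbind idmap range. The /etc/group, /etc/passwd and smb.conf contents are constructed samples; the 'IPS' domain name and the 10000-999999 range come from the thread, the other idmap lines are assumptions.

```python
import re

# Constructed samples standing in for /etc/group, /etc/passwd and smb.conf.
LOCAL_GROUP = """root:x:0:
users:x:100:
docker:x:5000:
sambashare:x:128:
"""
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
klaus:x:1000:100:Klaus:/home/klaus:/bin/bash
"""
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config IPS : backend = ad
idmap config IPS : schema_mode = rfc2307
idmap config IPS : range = 10000-999999
"""

def local_ids(content):
    """Map numeric id -> name from passwd/group style text (name is field 1, id is field 3)."""
    ids = {}
    for line in content.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids

def idmap_ranges(conf):
    """Return {domain: (low, high)} for each 'idmap config DOM : range = low-high' line."""
    pat = re.compile(r"^\s*idmap config\s*([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    ranges = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def gid_clashes(ad_gids, local_groups):
    """AD gidNumber values that already belong to a local Unix group (the 'users'/100 case)."""
    return {g: local_groups[g] for g in sorted(ad_gids) if g in local_groups}

def range_clashes(ranges, local):
    """Local ids that fall inside a winbind idmap range: {domain: [(id, name), ...]}."""
    hits = {}
    for dom, (lo, hi) in ranges.items():
        inside = sorted((i, n) for i, n in local.items() if lo <= i <= hi)
        if inside:
            hits[dom] = inside
    return hits
```

Run it against the real /etc/group, /etc/passwd and smb.conf before assigning gidNumber attributes in AD; any hit from either function means a name will differ between the Windows and Unix views of the same file.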