[Samba] unix_primary_group = yes don t work

L.P.H. van Belle belle at bazuin.nl
Wed Feb 6 11:08:24 UTC 2019 

Hai,  

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Christian Daré via samba
> Verzonden: woensdag 6 februari 2019 11:54
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] unix_primary_group = yes don t work
> 
> Hi,
> 
> On a samba 4.9.4 fileserver using ad backend with rfc2307  , when i 
> create a file from a Win10 client, it s always created with 
> the rights 
> user:"domain users".
> I ve understood that with "unix_primary_group = yes" , the 
> file should 
> be created with the rights user:gidNumber .

Yes, and if the gid resolvs to a name then you see the name of the group. 

> 
> Here is my config :
> [global]
>         security = ADS
>         workgroup = SAMBA494
>         realm = SAMBA494.UNIV-BREST.FR
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 700000001-800000000
>         idmap config SAMBA494 : backend = ad
>         idmap config SAMBA494 : range = 100000-4000000
>         idmap config SAMBA494 : schema_mode = rfc2307
> 
>        idmap config SAMBA494 : unix_nss_info = yes
>        idmap config SAMBA494 : unix_primary_group = yes
> 
>        username map = /etc/samba/samba_usermapping
> 
>      vfs objects = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
> 
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
> 
>      winbind enum users = yes
>      winbind enum groups = yes

Once your dont testing, set these to winbind enum user/group to No. 
Everything keeps working. 
You can test this with: getent passwd username / getent passwd group / id group .. 

>      winbind use default domain = yes
> 
>      usershare path =
> 
> [homes]
>      comment = repertoires personnels
>      browseable = no
>      read only = no
>      force create mode = 0755
>      force directory mode = 0755
> 
> id dare
> uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),105000(domain 
> users),700000002(BUILTIN\users)
> 
> root at mom11:/home/d/dare# ls -l
> total 8
> drwxrwxr-x+ 2 dare domain users 4096 févr.  6 11:44 test_win10_v1
> 
> root at mom11:/home/d/dare# getfacl test_win10_v1/
> # file: test_win10_v1/
> # owner: dare
> # group: domain\040users
> user::rwx
> user:dare:rwx
> group::r-x
> group:domain\040users:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:dare:rwx
> default:group::r-x
> default:group:domain\040users:r-x
> default:mask::rwx
> default:other::r-x
> 
> What am i missing ?

Nope, its exact as you have setup. 
Your mistake ( not really a misstake but more a misconfiguration / thought..) 

Here your checking the "Windows" acls.
 root at mom11:/home/d/dare# getfacl test_win10_v1/

Here your forcing POSTIX acl's. 
>      force create mode = 0755
>      force directory mode = 0755

The above force settings should be removed. 

Is this a "userhome dir" or "profiles folder" 
Because these needs a bit different rights, .. Depening on you needs.. 
My suggestion, re-read. 

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
And
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Greetz, 

Louis

More information about the samba mailing list