[Samba] unix_primary_group = yes don t work

L.P.H. van Belle belle at bazuin.nl
Wed Feb 6 15:46:04 UTC 2019


Hi Christian,

I configured my member as shown on the wiki (see below).
And as you can see, it is not much different compared to yours.

The difference is the way of the setup and the order of the setup.
I'll see if I can make a matrix of my setup so it's easier to explain this.


[global]

    log level = 1 auth_audit:3

    workgroup = DOM
    security = ADS
    realm = REALM.DOMAIN.TLD
    netbios name = HOSTNAME

    interfaces = 192.168.0.11 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/key.pem
    tls certfile = /etc/ssl/local/certs/cert.pem
    tls cafile = /etc/ssl/certs/company-ca.pem

    ## map IDs from outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map IDs from the domain; the (*) range and the domain range may not overlap!
    idmap config DOM : backend = ad
    idmap config DOM : schema_mode = rfc2307
    idmap config DOM : range = 10000-3999999
    idmap config DOM : unix_nss_info = yes
    idmap config DOM : unix_primary_group = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # I don't want DOM\username but username.
    winbind use default domain = yes

    # enable offline logins
    winbind offline logon = yes

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creation; when set empty there are no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For Windows ACL support on a member file server, enabled globally (required).
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share Setting Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

######## SHARE DEFINITIONS ################
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    # make sure we match Windows ACLs for profile shares.
    # Think of GPOs, special Windows rights, user/group SYSTEM.
    acl_xattr:ignore system acl = yes

[users]
    browseable = yes
    path = /home/samba/users
    read only = no

[public]
    browseable = yes
    path = /home/samba/public
    read only = no



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Daré via samba
> Sent: Wednesday, 6 February 2019 16:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] unix_primary_group = yes don t work
> 
> I have the same conclusion.
> Does anybody have a conf with "unix_primary_group = yes" working?
> 
> Christian
> 
> On 06/02/2019 at 15:39, Rowland Penny via samba wrote:
> > On Wed, 6 Feb 2019 13:25:08 +0100
> > Christian Daré via samba <samba at lists.samba.org> wrote:
> >
> >> Thanks for the answer, Louis.
> >> I'm talking about the user home dir.
> >> I've already read https://wiki.samba.org/index.php/User_Home_Folders
> >> and I'm applying the POSIX ACLs to my share.
> >> As the users' home is shared between Windows and Linux, I'd rather
> >> use the POSIX ACLs than the Windows ones.
> >>
> >> Besides, the home dir of my users has a form like /home/<first letter
> >> of name>/<login> (e.g. /home/d/dare) and I can't change that; this is
> >> why I use the [home] share, it's the simplest solution for me.
> >>
> >> Is it mandatory to use the Windows ACLs to have the functionality I'm
> >> looking for?
> >>
> > Been doing some testing on this. If a user connects via ssh to a Unix
> > domain member that is set up to use the user's Unix group as its primary
> > group and creates a file, I get this:
> >
> > root@testsmb:~# ls -la /home/giduser/test.txt
> > -rw-r--r-- 1 giduser unixgroup 0 Feb  6 14:31 /home/giduser/test.txt
> >
> > However, if the user connects via SMB to a share and creates a file, I
> > get this:
> >
> > root@testsmb:~# ls -la /home/data/test.txt
> > -rwxrwxr-x+ 1 giduser domain users 0 Feb  6 13:48 /home/data/test.txt
> >
> > It looks like the Samba tools ignore 'idmap config SAMDOM :
> > unix_primary_group = yes'
> >
> > Rowland
> >
> 
> -- 
> UBO <http://www.univ-brest.fr>
> 
> 
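As an added check, not part of Louis's post and not Samba's own tooling: a Python script that parses the idmap block of the smb.conf posted above and flags the configuration mistakes that make `unix_primary_group = yes` silently ineffective on a member server, namely overlapping idmap ranges (the comment in the config already says they may not overlap), an `idmap config` domain name that does not match `workgroup` (in which case the domain block is never used and the default backend handles the domain), and the option set on a backend other than `ad`. The "bad" configuration is a constructed counter-example, not something from the thread, and the 1000 floor for the start of a range (to stay clear of local Unix accounts) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the [global] idmap lines from the smb.conf posted in
# this thread, trimmed to the options the checker looks at.
SMB_CONF_OK = """\
[global]
    workgroup = DOM
    security = ADS
    # map IDs from outside the domain to tdb
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config DOM : backend = ad
    idmap config DOM : schema_mode = rfc2307
    idmap config DOM : range = 10000-3999999
    idmap config DOM : unix_nss_info = yes
    idmap config DOM : unix_primary_group = yes
"""

# Constructed counter-example (hypothetical, not from the thread): the default
# range overlaps the domain range, and the idmap domain name (SAMDOM) does not
# match the workgroup (DOM), so the SAMDOM block never applies to the real domain.
SMB_CONF_BAD = """\
[global]
    workgroup = DOM
    idmap config *:backend = tdb
    idmap config *:range = 2000-19999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-3999999
    idmap config SAMDOM : unix_primary_group = yes
"""

IDMAP_RE = re.compile(
    r'^idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)$', re.I)
PARAM_RE = re.compile(r'^(?P<key>[\w ]+?)\s*=\s*(?P<val>.*?)$')


def parse_global(conf_text):
    """Return (params, idmap) for the [global] section: plain parameters as a
    dict and 'idmap config' lines as {DOMAIN: {option: value}}."""
    params, idmap, section = {}, defaultdict(dict), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'global':
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap[m.group('dom').upper()][m.group('key').lower()] = m.group('val').strip()
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group('key').lower()] = m.group('val').strip()
    return params, dict(idmap)


def parse_range(val):
    """'lo-hi' -> (lo, hi); raises ValueError on anything malformed."""
    lo, hi = (int(x) for x in val.split('-', 1))
    if lo > hi:
        raise ValueError(val)
    return lo, hi


def check_idmap(conf_text):
    """Return a list of problems with the idmap block; an empty list means the
    configuration passes the checks unix_primary_group depends on."""
    params, idmap = parse_global(conf_text)
    problems = []
    workgroup = params.get('workgroup', '').upper()

    if '*' not in idmap:
        problems.append("no 'idmap config *' default domain: BUILTIN and well-known SIDs cannot be mapped")
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup}' block: the workgroup falls back to the default (*) backend")

    ranges = {}
    for dom, cfg in idmap.items():
        if 'backend' not in cfg:
            problems.append(f"{dom}: backend not set")
        if 'range' not in cfg:
            problems.append(f"{dom}: range not set")
            continue
        try:
            ranges[dom] = parse_range(cfg['range'])
        except ValueError:
            problems.append(f"{dom}: malformed range {cfg['range']!r}")
            continue
        # Assumption: local Unix accounts live below 1000, so a range starting
        # lower risks colliding with them.
        if ranges[dom][0] < 1000:
            problems.append(f"{dom}: range starts below 1000 and may collide with local Unix accounts")
        if cfg.get('unix_primary_group', 'no').lower() == 'yes' and cfg.get('backend', '').lower() != 'ad':
            problems.append(f"{dom}: unix_primary_group = yes is an idmap_ad option and has no effect here")

    # Pairwise overlap check across every configured range, including '*'.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"ranges overlap: {a} {lo_a}-{hi_a} vs {b} {lo_b}-{hi_b}")
    return problems


if __name__ == '__main__':
    for name, text in (('posted config', SMB_CONF_OK), ('counter-example', SMB_CONF_BAD)):
        print(f"{name}: {check_idmap(text) or 'OK'}")
```

Run it against a real file with `check_idmap(open('/etc/samba/smb.conf').read())`; it only reads `[global]`, so `idmap config` lines accidentally placed under a share section show up as a missing block rather than being picked up. This is a static sanity check of the config; it does not replace Rowland's runtime test of creating a file over SMB and inspecting its group with `ls -la`.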