[Samba] Group, idmap, unix_primary_group ...

Marco Gaiarin gaio at sv.lnf.it
Fri Jan 31 10:30:27 UTC 2020

> For the rest... i make some experiments and give back feedback here. ;-)

Still some 'glitches', or at least Samba does not behave as I expected
(or as I was (ab)used to in NT mode).

The situation as used: Samba in NT mode, main share on XFS with ACLs
enabled, users that access a set of subfolders where ACLs are mostly
'group based' (e.g., group only).
In NT mode, when users create folders, the folders are created with
their primary GID as group owner.

In AD mode, when users create folders, the folders are created with
'Domain Users' as group owner.

Share is defined as:
        comment = Spazio di Lavoro Utente
        volume = Work
        path = /srv/work
        browseable = yes
        writeable = yes
        map acl inherit = yes
        store dos attributes = yes
        vfs objects = acl_xattr

With 'unix_primary_group = yes' and a GID set to a group different
from 'Domain Users', on UNIX users create files as before, with the GID
as group owner. Good.
But from Windows, files are created with group owner 'Domain Users'.

 gaio at vdmsv1:/srv/work/CED$ id
 uid=10000(gaio) gid=11001(sir) gruppi=11001(sir),4(adm),20(dialout),24(cdrom),25(floppy),46(plugdev),5000(BUILTIN\administrators),5001(BUILTIN\users),10513(domain users),10998(printops),10999(unixadm)

 gaio at vdmsv1:/srv/work/CED$ echo ciao > ciao-posix.txt
 gaio at vdmsv1:/srv/work/CED$ ls -la ciao-posix.txt 
 -rw-rw----+ 1 gaio sir 5 gen 31 11:03 ciao-posix.txt
 gaio at vdmsv1:/srv/work/CED$ getfacl ciao-posix.txt 
 # file: ciao-posix.txt
 # owner: gaio
 # group: sir
 group::rwx			#effective:rw-
 group:sir:rwx			#effective:rw-
 group:dirreg:r-x		#effective:r--

 W:\CED>echo ciao >ciao-windows.txt
 gaio at vdmsv1:/srv/work/CED$ ls -la ciao-windows.txt 
 -rwxrwx---+ 1 gaio domain users 7 gen 31 11:07 ciao-windows.txt
 gaio at vdmsv1:/srv/work/CED$ getfacl ciao-windows.txt 
 # file: ciao-windows.txt
 # owner: gaio
 # group: domain\040users

The problem comes from the complex ACL setup needed in some cases;
consider an example:

 folder A: access to group1 and group2, RO
 folder A/current: access to group1 and group2, full control
 folder A/archive: access to group1 full control, group2 RO

in the real world: group1 and group2 work on some documents that,
after a staging period, have to be 'archived', and group2 must not
modify them anymore.
With the current setup, files and folders get created with group owner
'Domain Users' and permission 'full control', and so files are
accessible to anyone... (or at least to 'group2', since parent folder
permissions still apply).

All this setup, indeed, probably came from 'old information'...
As far as I remember, initially in ACLs there was no way to set the
mask explicitly, and the mask was taken from the group owner
permissions; so all my folders have the group owner ACL as 'rwx'.

But, while I surely can fix permissions with 'setfacl', it seems to me
that I have no control on Windows, and files from Windows seem to get
created with group owner 'Domain Users' and mask 'rwx'.

Can someone explain this to me?

Is there some way to prevent Windows from using 'Domain Users' as the
primary group? I need to set:
	acl_xattr:ignore system acls = yes
	acl_xattr:default acl style = windows


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
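The post above shows two files with the same POSIX ACL structure but different group owners and masks, and the effect is that the Windows-created file is writable by every member of 'Domain Users'. The following is an added example, not code from the original mail or from the Samba project: a small POSIX.1e ACL evaluator that parses `getfacl` output (including the `\040` escape seen in `domain\040users` and the `#effective:` comments), applies the mask the way the kernel does, and runs the standard owner / named user / groups / other access check. The two ACL texts are constructed to match the `ls` and `getfacl` output quoted in the mail; the `user::`, `mask::` and `other::` lines that `getfacl` did not show there are assumptions taken from the `ls` mode bits, and the user accounts and their group memberships are invented for illustration.

```python
# Added example (not from the original post or from Samba): POSIX.1e ACL
# evaluation, to show why group owner 'domain users' + mask rwx makes a
# file writable by everyone, while group owner 'sir' + mask rw- does not.
import re
from typing import Dict, List, Optional, Set

PERM_BITS = {"r", "w", "x"}


def _unescape(name: str) -> str:
    # getfacl prints spaces and non-printables as octal escapes, e.g. \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def _perms(text: str) -> Set[str]:
    return {c for c in text if c in PERM_BITS}


class Acl:
    def __init__(self) -> None:
        self.owner = ""
        self.group = ""
        self.user_obj: Set[str] = set()      # user::
        self.group_obj: Set[str] = set()     # group::  (the group owner)
        self.other: Set[str] = set()         # other::
        self.users: Dict[str, Set[str]] = {}   # user:NAME:
        self.groups: Dict[str, Set[str]] = {}  # group:NAME:
        self.mask: Optional[Set[str]] = None   # mask::


def parse_getfacl(text: str) -> Acl:
    """Parse long-form `getfacl FILE` output (with the '# owner:' headers)."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header line
            key, _, value = line[1:].strip().partition(":")
            if key.strip() == "owner":
                acl.owner = _unescape(value.strip())
            elif key.strip() == "group":
                acl.group = _unescape(value.strip())
            continue
        entry = line.split("#", 1)[0].strip()          # drop '#effective:' note
        tag, qualifier, perms = entry.split(":")
        qualifier, p = _unescape(qualifier), _perms(perms)
        if tag == "user":
            (acl.users.__setitem__(qualifier, p) if qualifier
             else setattr(acl, "user_obj", p))
        elif tag == "group":
            (acl.groups.__setitem__(qualifier, p) if qualifier
             else setattr(acl, "group_obj", p))
        elif tag == "mask":
            acl.mask = p
        elif tag == "other":
            acl.other = p
        else:
            raise ValueError(f"unknown ACL tag {tag!r}")
    return acl


def effective(acl: Acl, perms: Set[str]) -> Set[str]:
    """Apply the mask: this is what getfacl prints as '#effective:'."""
    return perms if acl.mask is None else perms & acl.mask


def allowed(acl: Acl, user: str, user_groups: Set[str], want: str) -> bool:
    """POSIX.1e access check for one permission ('r', 'w' or 'x').

    Owner first, then a named user entry, then the group owner and every
    named group the caller belongs to (any one granting is enough, but a
    group match never falls through to 'other'), then other.
    """
    if user == acl.owner:
        return want in acl.user_obj
    if user in acl.users:
        return want in effective(acl, acl.users[user])
    matched = False
    candidates = [(acl.group, acl.group_obj)] + list(acl.groups.items())
    for name, perms in candidates:
        if name in user_groups:
            matched = True
            if want in effective(acl, perms):
                return True
    return False if matched else want in acl.other


# Constructed from the getfacl/ls output in the mail; the user::, mask::
# and other:: lines are assumptions derived from the mode -rw-rw----+.
POSIX_FILE = """\
# file: ciao-posix.txt
# owner: gaio
# group: sir
user::rw-
group::rwx\t\t\t#effective:rw-
group:sir:rwx\t\t\t#effective:rw-
group:dirreg:r-x\t\t#effective:r--
mask::rw-
other::---
"""

# The Windows-created file: mode -rwxrwx---+, group owner 'domain users'
# (escaped as \040 by getfacl).  Entries below the header are assumptions.
WINDOWS_FILE = """\
# file: ciao-windows.txt
# owner: gaio
# group: domain\\040users
user::rwx
group::rwx
mask::rwx
other::---
"""

# Constructed accounts: everyone is in 'domain users'; 'sir' plays group1
# and 'dirreg' plays the read-only group2 from the archive example.
ACCOUNTS: Dict[str, Set[str]] = {
    "gaio": {"domain users", "sir", "dirreg"},
    "anna": {"domain users", "sir"},
    "bob": {"domain users", "dirreg"},
    "carl": {"domain users"},
}


def who_can_write(acl_text: str, accounts: Dict[str, Set[str]]) -> List[str]:
    """Names of the accounts that may write the file described by acl_text."""
    acl = parse_getfacl(acl_text)
    return sorted(u for u, g in accounts.items() if allowed(acl, u, g, "w"))


if __name__ == "__main__":
    print("posix file writers  :", who_can_write(POSIX_FILE, ACCOUNTS))
    print("windows file writers:", who_can_write(WINDOWS_FILE, ACCOUNTS))
```

Run stand-alone it reports that only `gaio` and `anna` can write `ciao-posix.txt` (the `dirreg` entry is `r-x` cut to `r--` by the `rw-` mask, and `carl` matches no group so falls to `other::---`), while all four accounts can write `ciao-windows.txt`, because the group owner entry `group::rwx` now belongs to `domain users` and the mask is `rwx`. That is exactly the exposure the mail describes: the file's own ACL grants nothing to `dirreg` or `carl` by name, yet the group-owner choice made at creation time hands them write access.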
