[Samba] Any drawback in changing primary group of domain users ?

Marco Gaiarin gaio at sv.lnf.it
Thu Feb 25 09:06:02 UTC 2021

Mandi! Nicola Mingotti via samba
  In chel di` si favelave...

> In these days I am trying to do some polishing/tuning in my NAS
> and I focused my attention on a detail: all domain users have
> "Primary group" set to "Domain users".

It is needed to do some distiction: do you mean 'windows primary group'
or 'POSIX primary group'?
AFAI've understood, the former HAVE to be 'Domain users' and 'cannot'
be changed; the second may change, but have to be listed in (normal)
group membership.

> I don't like it much. I would prefer e.g. the user 'foo' to have
> by default as primary group 'g-foo'.

Corect. This could have also some ''security implication'', if you use
POSIX ACLs: by default the permission mask is equal to the POSIX primary
group memebrship, so this lead to new file and folder created by user with
group 'Domain Users' and group writeable, eg new files are writaeable
by any users (in 'Domain Users').

> Before I do systematic change to all my users I would like
> to know your opinion about this. Do you foresee any issue
> if I perform such a move ?
> Also, I can change the Primary group from Windows tools
> but i can't find a proper way of doing it from Linux.
> Any ideas ?

I'm still a bit 'confused' in this topic, too, so i seek some feedback
me too...


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list