[Samba] Any drawback in changing primary group of domain users ?

Rowland penny rpenny at samba.org
Thu Feb 25 09:30:49 UTC 2021

On 25/02/2021 09:06, Marco Gaiarin via samba wrote:
> Mandi! Nicola Mingotti via samba
>    In chel di` si favelave...
>> In these days I am trying to do some polishing/tuning in my NAS
>> and I focused my attention on a detail: all domain users have
>> "Primary group" set to "Domain users".
> It is needed to do some distiction: do you mean 'windows primary group'
> or 'POSIX primary group'?

I took it as Windows primary group, mainly because there is no concept 
of POSIX primary group in AD. A user can have a gidNumber attribute, but 
this has nothing to do with any primary group.

> AFAI've understood, the former HAVE to be 'Domain users' and 'cannot'
> be changed; the second may change, but have to be listed in (normal)
> group membership.

You can change it, but it isn't recommended.

>> I don't like it much. I would prefer e.g. the user 'foo' to have
>> by default as primary group 'g-foo'.
> Corect. This could have also some ''security implication'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group memebrship, so this lead to new file and folder created by user with
> group 'Domain Users' and group writeable, eg new files are writaeable
> by any users (in 'Domain Users').

There are ways around this, once you get your head around the fact that 
this is how Windows works. If it works for Windows, it will work on Linux.


More information about the samba mailing list