[Samba] Any drawback in changing primary group of domain users ?

L.P.H. van Belle belle at bazuin.nl
Thu Feb 25 09:33:11 UTC 2021


How I handle this.

As long as you use SET/GETfacl you can just add a group to control the access in the folder.

How people handle this mainly depends on how your network/setup is done,
so this can differ from other setups, but this is how I'm set up.

All my users have primary group "Domain Users", just like how Windows handles this.

But then people think: OK, but all my files/folders can now be accessed by all users. Yes, but only where you allowed them in with another security group.

user1, in group Domain users and SecurityGroup1. 
user2, in group Domain users and SecurityGroup2.

/srv/data/security-folder1 has groups
"domain admins Full" and SecurityGroup1 with rights to everything except full control, because with full control members of SecurityGroup1 could change rights, and personally I'm not allowing that.

/srv/data/security-folder2 has groups
"domain admins Full" and SecurityGroup2 with rights to everything except full control, because with full control members of SecurityGroup2 could change rights, and personally I'm not allowing that.


user1 can't access SecurityGroup2, but if he could, then all rights are set to "domain users" as group (the primary group).

user2 can't access SecurityGroup1, but if he could, then all rights are set to "domain users" as group (the primary group).

Now this is done with "Creator Group", which makes sure that the group is set to domain users.

So, every data/department folder has a group assigned to it that has all rights but full control, and "Creator Group" makes sure the "user's primary group" gets set on the files/folders INSIDE that data/department folder.

I have in total 4 groups set by default.
1) "Creator Group"
2) The matching security group for that folder, used to allow or block access to the folder.
3) Domain admins and a new group "Folder managers", so selected users
   can create and change rights if needed.


That's it, I hope it's a bit clearer now.


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via
> samba
> Sent: Thursday 25 February 2021 10:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Any drawback in changing primary group of domain
> users ?
> 
> Mandi! Nicola Mingotti via samba
>   In chel di` si favelave...
> 
> > In these days I am trying to do some polishing/tuning in my NAS
> > and I focused my attention on a detail: all domain users have
> > "Primary group" set to "Domain users".
> 
> It is needed to make some distinction: do you mean 'windows primary group'
> or 'POSIX primary group'?
> AFAI've understood, the former HAS to be 'Domain users' and 'cannot'
> be changed; the second may change, but has to be listed in (normal)
> group membership.
> 
> 
> > I don't like it much. I would prefer e.g. the user 'foo' to have
> > by default as primary group 'g-foo'.
> 
> Correct. This could also have some ''security implication'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group membership, so this leads to new files and folders created by a user with
> group 'Domain Users' and group writeable, e.g. new files are writeable
> by any user (in 'Domain Users').
> 
> 
> > Before I do systematic change to all my users I would like
> > to know your opinion about this. Do you foresee any issue
> > if I perform such a move ?
> > Also, I can change the Primary group from Windows tools
> > but I can't find a proper way of doing it from Linux.
> > Any ideas ?
> 
> I'm still a bit 'confused' on this topic, too, so I seek some feedback
> too...
> 
> 
> Thanks.
> 
> --
> dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento
> (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-
> 842797
> 
> 		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
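
Added example, not part of the original thread: a check for the layout described above, where the top-level department folder admits only its security group while files inside may carry "domain users" as group. It assumes the folders carry POSIX ACLs readable with `getfacl` and that group names appear without a domain prefix; the function names and the sample `getfacl` output are constructed for illustration.

```python
import re

def parse_getfacl(text):
    """Parse one getfacl record into the owning group and the access ACL entries."""
    # getfacl writes a space inside a name as the octal escape \040
    unesc = lambda s: re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)
    owning_group, access = "", {}
    for raw in text.splitlines():
        if raw.startswith("# group:"):
            owning_group = unesc(raw.split(":", 1)[1].strip()).lower()
        line = raw.split("#", 1)[0].strip()   # drop headers and "#effective" notes
        if not line or line.startswith("default:"):
            continue                          # default (inherited) entries are not checked
        tag, qualifier, perms = line.split(":", 2)
        access[(tag, unesc(qualifier).lower())] = perms
    return owning_group, access

def audit_department_folder(text, security_group, primary_group="domain users"):
    """Return findings for a top-level folder; an empty list means it matches the layout."""
    owning_group, access = parse_getfacl(text)
    mask = access.get(("mask", ""), "rwx")
    def effective(key):                       # group entries are limited by the mask
        perms = access.get(key, "---")
        return "".join(p if p == m else "-" for p, m in zip(perms, mask))
    findings = []
    if access.get(("other", ""), "---") != "---":
        findings.append("other has access")
    doors = [("group", primary_group)]        # ways the primary group could get in
    if owning_group == primary_group:
        doors.append(("group", ""))
    if any(effective(k) != "---" for k in doors):
        findings.append("primary group has access on the top-level folder")
    if "x" not in effective(("group", security_group.lower())):
        findings.append("security group cannot enter the folder")
    return findings

# Constructed getfacl output for a folder that follows the layout
GOOD = """# file: srv/data/security-folder1
# owner: root
# group: domain\\040admins
user::rwx
group::rwx
group:securitygroup1:rwx
mask::rwx
other::---
"""
# Same record, but owned by the primary group and open to "other"
BAD = GOOD.replace("domain\\040admins", "domain\\040users").replace("other::---", "other::r-x")
```

Feed it the output of `getfacl` for one top-level folder at a time; files inside the folder are expected to carry the primary group and are not what this check covers.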