[Samba] Any drawback in changing primary group of domain users ?

Nicola Mingotti nmingotti at gmail.com
Thu Feb 25 09:39:05 UTC 2021


The reason I want to perform this is because,
if a user makes a directory, it gets by default the group
"Domain users".

I guess this is creating issues because the permission
given to a directory by the fact that a user is in the "Domain users"
group may conflict with what I defined plain "Domain users" can
do in that area of the filesystem.

What "Domain users" can do in my domain is quite
limited. There are very specific groups and I would prefer
to control all access privileges explicitly through 'setfacl'
instead of having group permissions lurking in because
a user makes a directory somewhere.

So, the main/only reason for me to define/create a specific
primary group for each domain user is to ensure its group
permissions do not conflict with what I define via 'setfacl'.

I am considering also setting
---- NAS : /etc/smb.conf ---------------------
force group = adm
-----------------------------------------------------
That would be faster to do and easier to maintain than
defining a lot of groups.

I found it to be quite easy to make the group from Windows
and set the 'Primary group' from Windows as well. I did not
find a nice procedure for Linux, but ok, this is not fundamental
for the moment.

The 'Primary group' I am talking about is the one that you can
see in the Windows 'Active Directory Users and Computers'
-> Select a User -> Select 'Member of' .

I can't be more precise than this, my understanding of the
permission interplay between Linux/Windows/ACL is still
not that deep.

bye
Nicola

On 2/25/21 10:06 AM, Marco Gaiarin via samba wrote:
> Hello! Nicola Mingotti via samba
>    On that day it was said...
>
>> In these days I am trying to do some polishing/tuning in my NAS
>> and I focused my attention on a detail: all domain users have
>> "Primary group" set to "Domain users".
> It is needed to make some distinction: do you mean 'windows primary group'
> or 'POSIX primary group'?
> AFAI've understood, the former HAS to be 'Domain users' and 'cannot'
> be changed; the second may change, but has to be listed in (normal)
> group membership.
>
>
>> I don't like it much. I would prefer e.g. the user 'foo' to have
>> by default as primary group 'g-foo'.
> Correct. This could also have some ''security implication'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group membership, so this leads to new files and folders created by a user with
> group 'Domain Users' and group writeable, e.g. new files are writeable
> by any users (in 'Domain Users').
>
>
>> Before I do systematic change to all my users I would like
>> to know your opinion about this. Do you foresee any issue
>> if I perform such a move ?
>> Also, I can change the Primary group from Windows tools
>> but I can't find a proper way of doing it from Linux.
>> Any ideas ?
> I'm still a bit 'confused' on this topic, too, so I seek some feedback
> too...
>
>
> Thanks.
>
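
The interplay both messages in this thread describe, as an added example that is not part of the original thread and is not Samba code: a small Python model of the POSIX ACL access check from acl(5), showing how the owning-group entry of a new directory combines with a named group entry set via 'setfacl'. The users 'bar' and 'baz', the group 'g-project' and all permission values are constructed for illustration; 'foo' and 'g-foo' follow the names used in the quoted message.

```python
# Added illustration: model of the POSIX ACL access check described in acl(5).
# Every user, group and permission value here is constructed sample data.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1

@dataclass
class Acl:
    owner: str
    group: str          # owning group of the directory
    user_obj: int
    group_obj: int      # permissions of the owning group
    other: int
    mask: int = 7       # 7 also models an ACL that has no mask entry
    users: dict = field(default_factory=dict)   # named user entries
    groups: dict = field(default_factory=dict)  # named group entries

def allowed(acl, user, user_groups, want):
    """True if `user`, a member of `user_groups`, is granted all bits in `want`."""
    if user == acl.owner:
        return (acl.user_obj & want) == want
    if user in acl.users:
        return (acl.users[user] & acl.mask & want) == want
    matching = [acl.group_obj] if acl.group in user_groups else []
    matching += [p for g, p in acl.groups.items() if g in user_groups]
    if matching:
        # One matching group entry that carries the bits is enough, so a
        # permissive owning-group entry grants access even when a named
        # group entry is stricter.
        return any((p & acl.mask & want) == want for p in matching)
    return (acl.other & want) == want

def sample_dir(owning_group):
    """Directory made by 'foo': group rwx, ACL entry g-project:r-x, other ---."""
    return Acl(owner="foo", group=owning_group, user_obj=R | W | X,
               group_obj=R | W | X, other=0, groups={"g-project": R | X})

def report():
    rows = []
    for owning_group in ("Domain Users", "g-foo"):
        acl = sample_dir(owning_group)
        for user, groups in (("bar", {"Domain Users"}),
                             ("baz", {"Domain Users", "g-project"})):
            rows.append((owning_group, user, allowed(acl, user, groups, W)))
    return rows

if __name__ == "__main__":
    for owning_group, user, can_write in report():
        print(f"owning group {owning_group!r}: {user} write={can_write}")
```

With 'Domain Users' as owning group both sample users can write, although the named entry for 'g-project' is read-only; with 'g-foo' as owning group only the explicit ACL entries decide.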
