[Samba] Any drawback in changing primary group of domain users ?

Rowland penny rpenny at samba.org
Thu Feb 25 10:11:54 UTC 2021

On 25/02/2021 09:39, Nicola Mingotti wrote:
> The reason I want to perform this is because
> if a user makes a directory it gets by default group
> "Domain users".
> I guess this is creating issues because the permission
> given to a directory by the fact that a user is in the "Domain users"
> group may conflict with what I defined plain "Domain users" can
> do in that area of the filesystem.
> What "Domain users" can do in my domain is quite
> limited. There are very specific groups and I would prefer
> to control all access privileges explicitly through 'setfacl'
> instead of having group permission lurking in because
> a user makes a directory somewhere.
> So, the main/only reason for me to define/create a specific
> primary group for each domain user is to ensure its group
> permissions do not conflict with what I define via 'setfacl'.
> I am considering also setting
> ---- NAS : /etc/smb.conf ---------------------
> force group = adm
> -----------------------------------------------------
> That would be faster to do and easier to maintain than
> defining a lot of groups.
> I found it to be quite easy to make the group from Windows
> and set the 'Primary group' from Windows as well. I did not
> find a nice procedure for Linux, but ok, this is not fundamental
> for the moment.
> The 'Primary group' i am talking about is the one that you can
> see in the Windows 'Active Directory Users and Computers'
> -> Select a User -> Select 'Member of'.
> I can't be more precise than this, my understanding of the
> permission interplay between Linux/Windows/ACLs is still
> not that deep.

You need to understand that the permissions are stored in three places: 
the normal Unix ACLs ('ugo'), an EA that stores the ACLs created by 
setfacl, and an EA (security.NTACL) for ACLs created from Windows or by 
'samba-tool ntacl set'.

You also need to understand that RSAT on Windows 10 no longer has the 
Unix Attributes tabs.

There is nothing I can say that can stop you doing it your way, but it 
isn't sustainable in my opinion. As I said, using one group for all the 
users works on Windows, so why Unix sysadmins want to do it 
differently beats me. There is an old English saying, 'When in Rome, do 
as the Romans do'; you are in AD, so I would suggest you do as 
Windows does.
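The "group permission lurking in" worry above is about the setfacl layer of the three Rowland lists. The following Python is an added example (not code from Samba or from either poster) that models how the kernel evaluates a POSIX ACL for a given user and group set, as documented in acl(5), and emulates what `setfacl -m` does to the mask. The getfacl output, the user names (nicola, bob, carol, dave) and the group names (domain users, projects, staff) are constructed for the example; how getfacl quotes a name containing a space may differ between acl package versions. The bare mode bits and the security.NTACL EA are not modelled.

```python
"""POSIX ACL evaluation for the 'owning group permission lurks in' case.

Added example for this list thread, not code from Samba or the posters.
The getfacl text and all user/group names below are constructed.
"""
from typing import FrozenSet, Iterable, List, NamedTuple

PERM_BITS = "rwx"

class AclEntry(NamedTuple):
    tag: str        # user | group | mask | other
    qualifier: str  # "" for the user::, group::, mask::, other:: entries
    perms: str      # "rwx"-style, '-' for an absent bit

class Acl(NamedTuple):
    owner: str
    owning_group: str
    entries: List[AclEntry]

# Constructed sample: a directory a domain user created on the share after
# the admin ran  setfacl -m g:projects:r-x,m::r-x proj
# The creator's primary group became the owning group, and its group::
# entry still carries rwx although nobody granted that group anything.
SAMPLE_GETFACL = """\
# file: shared/proj
# owner: nicola
# group: domain users
user::rwx
group::rwx              #effective:r-x
group:projects:r-x
mask::r-x
other::---
"""

def _bits(perms: str) -> FrozenSet[str]:
    return frozenset(c for c in perms if c in PERM_BITS)

def _perm_str(bits: Iterable[str]) -> str:
    bits = set(bits)
    return "".join(c if c in bits else "-" for c in PERM_BITS)

def parse_getfacl(text: str) -> Acl:
    """Parse getfacl(1) output; '#effective:' annotations are dropped."""
    owner = owning_group = ""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                                   # "# file:" header
        else:
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            entries.append(AclEntry(tag, qualifier, _perm_str(_bits(perms))))
    return Acl(owner, owning_group, entries)

def effective_perms(acl: Acl, user: str, groups: Iterable[str]) -> str:
    """Access check in acl(5) order: owner, named user, then the union of
    every matching owning/named group entry clamped by the mask, else other."""
    groups = set(groups)
    table = {(e.tag, e.qualifier): _bits(e.perms) for e in acl.entries}
    mask = table.get(("mask", ""), _bits("rwx"))
    if user == acl.owner:
        return _perm_str(table[("user", "")])          # mask never applies
    if ("user", user) in table:
        return _perm_str(table[("user", user)] & mask)
    granted, matched = frozenset(), False
    for (tag, qual), bits in table.items():
        if tag == "group" and (qual in groups or (qual == "" and acl.owning_group in groups)):
            matched, granted = True, granted | bits
    if matched:                                        # a group match never falls through to other::
        return _perm_str(granted & mask)
    return _perm_str(table.get(("other", ""), frozenset()))

def setfacl_modify(acl: Acl, spec: str) -> Acl:
    """Emulate `setfacl -m spec`: replace-or-add each entry, then recompute
    the mask as the union of the owning group and all named user/group
    entries unless the spec sets m:: itself (setfacl(1) default, see -n)."""
    entries = list(acl.entries)
    explicit_mask = False
    for item in spec.split(","):
        tag, qual, perms = item.split(":")
        tag = {"u": "user", "g": "group", "m": "mask", "o": "other"}.get(tag, tag)
        explicit_mask = explicit_mask or tag == "mask"
        new = AclEntry(tag, qual, _perm_str(_bits(perms)))
        keys = [(e.tag, e.qualifier) for e in entries]
        if (tag, qual) in keys:
            entries[keys.index((tag, qual))] = new
        else:
            entries.append(new)
    if not explicit_mask:
        union = set()
        for e in entries:
            if e.tag == "group" or (e.tag == "user" and e.qualifier):
                union |= _bits(e.perms)
        entries = [e for e in entries if e.tag != "mask"] + [AclEntry("mask", "", _perm_str(union))]
    return Acl(acl.owner, acl.owning_group, entries)

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("creator nicola          :", effective_perms(acl, "nicola", {"domain users"}))
    print("any domain user (bob)   :", effective_perms(acl, "bob", {"domain users"}))
    print("projects member (carol) :", effective_perms(acl, "carol", {"projects"}))
    # Widening the project group re-opens the owning group as well, because
    # setfacl recalculates the mask from every group entry.
    print("bob after g:projects:rwx:", effective_perms(setfacl_modify(acl, "g:projects:rwx"), "bob", {"domain users"}))
    # Only clearing the group:: entry actually removes the inherited grant.
    print("bob after g::---        :", effective_perms(setfacl_modify(acl, "g::---"), "bob", {"domain users"}))
```

The point the output makes is that a member of the owning group gets r-x here through the group:: entry alone, that the mask only clamps it (and is silently widened again by the next `setfacl -m g:projects:rwx`), and that the grant only disappears when the group:: entry itself is cleared. Changing every user's primary group moves the problem rather than removing it: whichever group owns the directory gets that entry.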

