[Samba] Any drawback in changing primary group of domain users ?

L.P.H. van Belle belle at bazuin.nl
Thu Feb 25 10:11:55 UTC 2021 

Now, that is an option what your doing. 

As long you dont use profiles and make sure the user home folders are set correctly, below should not be a problem but it can be a problem. 

/home/LinuxUsername 	: default rights userName:userName
/home/WindowsUsername	: default rights userName:Domain Users

example of my rights for the usersHomedir : 
drwxrwx---+  6 root  root         4096 Oct 20 17:46 WindowUsername 
# file: home/samba/users/obell/
# owner: WindowUsername
# group: root
user::rwx
user:root:rwx
user:WindowUsername:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:2005:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:WindowUsername:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:2005:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
 
Yeah, its bit more work to setup with lots of groups, but after your setup,
its only adding removing users from the group. 

i would avoid setting things like : > force group = adm 
and do this from within windows. 

but you have to pick what works best for you in your setup. 

as extra in reply to : 
[Samba] What happens to files if an employee quits - user removed from AD 

Well, by default the user is the Own of the file, which now only has a UID on it, you need to fix that and if you had a group on it as "primary" group, 
its less work, anyone in the that group could already handle the files. 

This is why i use lots of groups and "Creater Group" 
If you want to protect personal file in a user home, 
there you set "Creator Owner" and/or  "Creater Group" 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Nicola Mingotti
> via samba
> Verzonden: donderdag 25 februari 2021 10:39
> Aan: Marco Gaiarin; samba at lists.samba.org; Rowland penny
> CC: nmingotti at gmail.com
> Onderwerp: Re: [Samba] Any drawback in changing primary group of domain
> users ?
> 
> 
> The reason I want to perform this is because
> if a user makes a directory It gets by default group
> "Domain users".
> 
> I guess this is creating issues because the permission
> given to a directory by the fact that a user is in the "Domain users"
> group may conflict with what i defined plain "Domain users" can
> do in that area of the filesystem.
> 
> What "Domain users" can make in my domain is quite
> limited. There are very specific group and i would prefer
> to control all access privileges explicitly through 'setfacl'
> instead of having group permission lurking in because
> a user makes a directory somewhere.
> 
> So, the main/only reason for me to define/create a specific
> primary group for each domain user is to ensure its group
> permission do not conflict with what I define via 'setfacl'.
> 
> I am considering also setting
> ---- NAS : /etc/smb.conf ---------------------
> force group = adm
> -----------------------------------------------------
> That would be faster to do and easier to maintain than
> defining a lot of groups.
> 
> I found it to be quite easy to make the group from Windows
> and set the 'Primary group' from Windows as well. I did not
> find a nice procedure for Linux, but ok, this is not fundamental
> for the moment.
> 
> The 'Primary group' i am talking about is the one that you can
> see in the Windows 'Active directory Users and Coputer'
> -> Select a User -> Select 'Memeber of' .
> 
> I can't be more precise than this, my understanding of the
> permission interplay between Linux/Windows/ACL is still
> not that much deep.
> 
> bye
> Nicola
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On 2/25/21 10:06 AM, Marco Gaiarin via samba wrote:
> > Mandi! Nicola Mingotti via samba
> >    In chel di` si favelave...
> >
> >> In these days I am trying to do some polishing/tuning in my NAS
> >> and I focused my attention on a detail: all domain users have
> >> "Primary group" set to "Domain users".
> > It is needed to do some distiction: do you mean 'windows primary group'
> > or 'POSIX primary group'?
> > AFAI've understood, the former HAVE to be 'Domain users' and 'cannot'
> > be changed; the second may change, but have to be listed in (normal)
> > group membership.
> >
> >
> >> I don't like it much. I would prefer e.g. the user 'foo' to have
> >> by default as primary group 'g-foo'.
> > Corect. This could have also some ''security implication'', if you use
> > POSIX ACLs: by default the permission mask is equal to the POSIX primary
> > group memebrship, so this lead to new file and folder created by user
> with
> > group 'Domain Users' and group writeable, eg new files are writaeable
> > by any users (in 'Domain Users').
> >
> >
> >> Before I do systematic change to all my users I would like
> >> to know your opinion about this. Do you foresee any issue
> >> if I perform such a move ?
> >> Also, I can change the Primary group from Windows tools
> >> but i can't find a proper way of doing it from Linux.
> >> Any ideas ?
> > I'm still a bit 'confused' in this topic, too, so i seek some feedback
> > me too...
> >
> >
> > Thanks.
> >
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list