[Samba] Any drawback in changing primary group of domain users ?

Rowland penny rpenny at samba.org
Thu Feb 25 11:38:00 UTC 2021

On 25/02/2021 11:22, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>> I took it as Windows primary group, mainly because there is no concept of
>> POSIX primary group in AD. A user can have a gidNumber attribute, but this
>> has nothing to do with any primary group.
> Right. But when you have to write data to a share backed up with POSIX
> ACL (and AFAIK vfs_acl_xattr is a VFS module loaded by default, and
> acl_xattr:default acl style = posix is the default) file get created
> with POSIX primary group.

Well, yes, but my Unix primary group is:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

rowland at devstation:~$ getent group 10000 | awk -F ':' '{print $1}'
domain users

OOH, look, my Unix primary group is a AD group

> So, effectively if you want files not to be owned by 'Domain Users' you
> have two path:
> a) tackle with vfs_acl_xattr parameters and disable POSIX ACL
> b) change POSIX primary group.

But why do need to use a primary group that isn't Domain Users ?

Nobody has ever been able to answer that to my satisfaction, I usually 
get something along the lines of 'that is how Unix has always done it'


More information about the samba mailing list