[Samba] Any drawback in changing primary group of domain users ?

Marco Gaiarin gaio at sv.lnf.it
Thu Feb 25 12:18:28 UTC 2021

Mandi! Rowland penny via samba
  In chel di` si favelave...

> But why do need to use a primary group that isn't Domain Users ?
> Nobody has ever been able to answer that to my satisfaction, I usually get
> something along the lines of 'that is how Unix has always done it'

I hope i was clear.

By default in UNIX new file and folder are group-owned by the POSIX
primary group of the user that create it.

By default, vfs_acl_xattr take into account POSIX primary group and
have permissive setup for CREATOR_GROUP.

The result is that, apart doing some configuration, all users have
access (at least read access, mostly write access) to all newly created
file and folder.

> That will not make 'getent passwd' show a Unix group as the users primary
> group, not unless you set the required 'idmap config' line in smb.conf on
> the Unix domain member, but the users primary group on Windows would still
> be Domain Users and I do not think it is a good idea to have different
> primary groups depending on the OS.

Ah! Damn me! I've forgot it!

It is needed to add to [globals] in smb.conf:

	idmap config DOMAIN_NAME : unix_primary_group = yes

right... excuse me...

dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list