[Samba] Any drawback in changing primary group of domain users ?

Nicola Mingotti nmingotti at gmail.com
Thu Feb 25 13:56:40 UTC 2021

After reading all of your considerations, which at the moment
I can only partially understand, this is what I made.

---- /etc/smb.conf --------------------
force group = adm

It seemed to me the easiest solution. To perform and to maintain.

I leave the Primary Group to "Domain Users" for all Windows domain user,
not to go against Windows habits.

I will keep it working for a week and see if any issue emerges.

The benefits seems to be:

. Directories don't get by default "Domain user" group when written in 
the ext4. So "Domain user" people
can go only where I say they can go through 'getfacl'.  I don't need to 
worry any more
about the interaction between Linux group permission and the W.Domain 

. My default user in NAS  is in the group "adm". 'adm' is not defined
as a group in AD => I can walk  freely in the shared disk still being 
only a
"Linux user" without any Windows Domain Group.

thank you all for your insightful considerations and experience !


On 2/25/21 12:27 PM, Marco Gaiarin via samba wrote:
> Mandi! Nicola Mingotti via samba
>    In chel di` si favelave...
>> The reason I want to perform this is because
>> if a user makes a directory It gets by default group
>> "Domain users".
> Try to change POSIX primary group, eg 'gidNumber:'.
> The only thing you have to note is that the group 'gidNumber' belong to
> have to be listed as one for which the user ar member, otherwise
> something unpredicted could be happen.

More information about the samba mailing list