[Samba] Any drawback in changing primary group of domain users ?
nmingotti at gmail.com
Thu Feb 25 19:06:11 UTC 2021
On 2/25/21 4:40 PM, Roy Eastwood wrote:
>> Nicola wrote
>> After reading all of your considerations, which at the moment
>> I can only partially understand, this is what I made.
>> ---- /etc/smb.conf --------------------
>> force group = adm
>> It seemed to me the easiest solution. To perform and to maintain.
>> I leave the Primary Group to "Domain Users" for all Windows domain users,
>> not to go against Windows habits.
>> I will keep it working for a week and see if any issue emerges.
>> The benefits seem to be:
>> . Directories don't get by default "Domain user" group when written in
>> the ext4. So "Domain user" people can go only where I say they can go
>> through 'getfacl'. I don't need to worry any more about the interaction
>> between Linux group permission and the W.Domain
>> . My default user in NAS is in the group "adm". 'adm' is not defined
>> as a group in AD => I can walk freely in the shared disk still being
>> only a "Linux user" without any Windows Domain Group.
>> thank you all for your insightful considerations and experience !
> Maybe I've misunderstood your issues, but if you add
> acl_xattr:ignore system acl = yes
> to your smb.conf (instead of force group) will that solve the problem?
Maybe that would work as well. I preferred the other just because
I already used it. The NAS is in production, the amount of experiments
I can do is limited.
The problem is that I was having strange issues of users not able to
reach some contents, condition which, by ACL rules, should not have
I read all that I could find about Samba, permissions, ACL, etc. still my
of the whole story is not strong. So I can not analyze the issue
Instead, I noticed that the directory having problems had all "Domain user"
as a group, in Linux, so I induced there might have been a clash of
ACL rules and Linux directory group permissions.
Then I thought I might have changed the default group from Domain Users
to something different. Somebody recommended against it, I think Rowland.
So, I preferred to roll back to a previous config which should be safer.
I will see what happens tomorrow morning. If something didn't work I
Sorry for the confusion. I posted two related but different questions in
time. I will not repeat the same mistake again.
Thanks everybody for your suggestions!
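
An added example, not part of the original thread: under POSIX ACL rules the `group::` entry of a directory grants its permissions (capped by `mask::` when one exists) to every member of the owning group, so a directory owned by "Domain Users" is open to all domain users whatever the named entries say. The sketch below parses `getfacl -R` output and lists such paths; the sample output, the paths and the assumption that the group is displayed as `domain users` are constructed for illustration.

```python
import re

# Constructed `getfacl -R` output for a hypothetical share (not from the thread).
SAMPLE = r"""# file: srv/share/projects
# owner: root
# group: domain\040users
user::rwx
group::rwx
group:finance:rwx
mask::r-x
other::---

# file: srv/share/admin
# owner: root
# group: adm
user::rwx
group::r-x
other::---
"""

def unescape(name):
    # getfacl prints special characters in names as octal escapes (space -> \040).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def owning_group_access(text, broad_group="domain users"):
    """Return [(path, perms)] where broad_group owns the path and group:: still grants access."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        path = group = mask = None
        perms = "---"
        for line in block.splitlines():
            line = line.split("\t")[0].strip()  # drop "#effective:" annotations
            if line.startswith("# file: "):
                path = unescape(line[8:])
            elif line.startswith("# group: "):
                group = unescape(line[9:])
            elif line.startswith("group::"):
                perms = line[7:10]
            elif line.startswith("mask::"):
                mask = line[6:9]
        if path is None or group is None or group.lower() != broad_group.lower():
            continue
        # When a mask entry exists it caps what the owning-group entry grants.
        eff = "".join(p if m != "-" else "-" for p, m in zip(perms, mask or "rwx"))
        if eff != "---":
            findings.append((path, eff))
    return findings
```

Feeding it the real output of `getfacl -R` on the share root shows which directories still inherit access through the owning group rather than through named ACL entries.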