[Samba] Any drawback in changing primary group of domain users ?

Nicola Mingotti nmingotti at gmail.com
Thu Feb 25 19:06:11 UTC 2021



On 2/25/21 4:40 PM, Roy Eastwood wrote:
>> Nicola wrote
>> After reading all of your considerations, which at the moment
>> I can only partially understand, this is what I made.
>>
>> ---- /etc/smb.conf --------------------
>> force group = adm
>> --------------------------------------------
>>
>> It seemed to me the easiest solution. To perform and to maintain.
>>
>> I leave the Primary Group to "Domain Users" for all Windows domain users,
>> not to go against Windows habits.
>>
>> I will keep it working for a week and see if any issue emerges.
>>
>> The benefits seem to be:
>>
>> . Directories don't get by default "Domain user" group when written in
>> the ext4. So "Domain user" people can go only where I say they can go
>> through 'getfacl'.  I don't need to worry any more about the interaction
>> between Linux group permission and the W.Domain users.
>>
>> . My default user in NAS is in the group "adm". 'adm' is not defined
>> as a group in AD => I can walk freely in the shared disk still being
>> only a "Linux user" without any Windows Domain Group.
>>
>> thank you all for your insightful considerations and experience !
>>
>> bye
>> Nicola
>>
> Maybe I've misunderstood your issues, but if you add
>   	acl_xattr:ignore system acl = yes
> to your smb.conf (instead of force group) will that solve the problem?
>
> Roy
>

Hi Roy,

maybe that would work as well.  I preferred the other just because
I already used it. The NAS is in production, the amount of experiments
I can do is limited.

The problem is that I was having strange issues of users not able to
reach some contents, a condition which, by ACL rules, should not have
happened.

I read all that I could find about Samba, permissions, ACL, etc. Still, my
grasp of the whole story is not strong. So I cannot analyze the issue
deductively. Instead, I noticed that the directory having problems had all
"Domain user" as a group, in Linux, so I induced there might have been a
clash of permissions between ACL rules and Linux directory group permissions.

Then I thought I might have changed the default group from Domain Users
to something different. Somebody recommended against it, I think Rowland.
So, I preferred to roll back to a previous config which should be safer.

I will see what happens tomorrow morning. If something didn't work I
will know soon enough.

Sorry for the confusion. I posted two related but different questions in
short time. I will not repeat the same mistake again.

Thank you everybody for your suggestions!

bye
Nicola