[Samba] Any drawback in changing primary group of domain users ?

Roy Eastwood spindles7 at gmail.com
Fri Feb 26 09:41:47 UTC 2021



> -----Original Message-----
> From: Nicola Mingotti <nmingotti at gmail.com>
> Sent: 25 February 2021 19:06
> To: Roy Eastwood <spindles7 at gmail.com>; samba at lists.samba.org
> Cc: nmingotti at gmail.com
> Subject: Re: [Samba] Any drawback in changing primary group of domain users ?
> 
> 
> 
> On 2/25/21 4:40 PM, Roy Eastwood wrote:
> >> Nicola wrote
> >> After reading all of your considerations, which at the moment
> >> I can only partially understand, this is what I made.
> >>
> >> ---- /etc/smb.conf --------------------
> >> force group = adm
> >> --------------------------------------------
> >>
> >> It seemed to me the easiest solution. To perform and to maintain.
> >>
> >> I leave the Primary Group to "Domain Users" for all Windows domain users,
> >> not to go against Windows habits.
> >>
> >> I will keep it working for a week and see if any issue emerges.
> >>
> >> The benefits seem to be:
> >>
> >> . Directories don't get by default "Domain user" group when written in
> >> the ext4. So "Domain user" people can go only where I say they can go
> >> through 'getfacl'.  I don't need to worry any more about the interaction
> >> between Linux group permission and the W.Domain users.
> >>
> >> . My default user in NAS is in the group "adm". 'adm' is not defined
> >> as a group in AD => I can walk freely in the shared disk still being
> >> only a "Linux user" without any Windows Domain Group.
> >>
> >> thank you all for your insightful considerations and experience !
> >>
> >> bye
> >> Nicola
> >>
> > Maybe I've misunderstood your issues, but if you add
> >   	acl_xattr:ignore system acl = yes
> > to your smb.conf (instead of force group) will that solve the problem?
> >
> > Roy
> >
> 
> Hi Roy,
> 
> maybe that would work as well.  I preferred the other just because
> I already used it. The NAS is in production, the amount of experiments
> I can do is limited.
> 
> The problem is that I was having strange issues of users not able to
> reach some contents, condition which, by ACL rules, should not have
> happened.
> 
> I read all that I could find about Samba, permissions, ACL, etc. Still my
> grasp of the whole story is not strong. So I can not analyze the issue
> deductively.
> Instead, I noticed that the directory having problems had all "Domain user"
> as a group, in Linux, so I induced there might have been a clash of
> permissions between ACL rules and Linux directory group permissions.
> 
> Then I thought I might have changed the default group from Domain Users
> to something different. Somebody recommended against it, I think Rowland.
> So, I preferred to roll back to a previous config which should be safer.

@Rowland I think the OP's problems stem from the fact that both POSIX ACLs and Windows ACLs are in play.
I have scanned the wiki and can find no reference to adding the line:
	acl_xattr:ignore system acl = yes
to either the share definition or the global section of smb.conf when using Windows ACLs.
Is it worth making this clear by adding it to the https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
page?

Roy
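
An added example, not part of the original message and not Samba project code: a small Python check that reports, for each share in an smb.conf, which of the two settings discussed in this thread is in effect once [global] defaults are applied. The sample configuration, share names and paths are constructed and the function names are hypothetical; the ignore-system-ACL option is matched by prefix so that a trailing "s" in its name is also caught.

```python
# Added example: report, per share, the settings discussed in this thread.
SAMPLE_CONF = """\
# constructed sample, not the poster's configuration
[global]
    workgroup = EXAMPLE
    vfs objects = acl_xattr

[data]
    path = /srv/data
    force group = adm

[projects]
    path = /srv/projects
    acl_xattr:ignore system acl = yes
"""

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.lower().split())

def parse(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[norm(name)] = value.strip()
    return sections

def audit(text):
    sections = parse(text)
    glob = sections.get("global", {})
    report = {}
    for share, params in sections.items():
        if share == "global":
            continue
        eff = {**glob, **params}                 # share values override [global]
        ignore = next((v for k, v in eff.items()
                       if k.startswith("acl_xattr:ignoresystemacl")), "no")
        modules = eff.get("vfsobjects", "").replace(",", " ").split()
        report[share] = {"force_group": eff.get("forcegroup"),
                         "acl_xattr": "acl_xattr" in modules,
                         "ignore_system_acl": ignore.lower() in ("yes", "true", "1")}
    return report

if __name__ == "__main__":
    for share, result in audit(SAMPLE_CONF).items():
        print(share, result)
```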



