[Samba] Any drawback in changing primary group of domain users ?

Roy Eastwood spindles7 at gmail.com
Fri Feb 26 12:55:12 UTC 2021


On 26 February 2021 10:28 Rowland Penny wrote:
> On 26/02/2021 09:41, Roy Eastwood via samba wrote:
> > @Rowland I think the OP's problems stem from the fact that both POSIX ACLs
> > and Windows ACLs are in play.
> 
> 
> On the wikipage:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> It says this:
> 
> Do not set ANY additional share parameters, such as force user or valid
> users. Adding them to the share definition can prevent you from
> configuring or using the share.
> 
> However, there isn't anything on the POSIX wikipage:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> 
> > I have scanned the Wiki and can find no reference to adding the line:
> > 	acl_xattr:ignore system acl = yes
> > to either the share definition or the global section of smb.conf when
> > using Windows ACLs.
> 
> 
> Using that setting only really makes sense if you are using Windows
> ACLs, because you want to use the system ACLs if using setfacl.
> Whichever method you use, Windows or POSIX ACLs, you should not mix
> them. Either set the permissions from Windows or on the Samba server
> using setfacl.
> 
> Rowland

Thanks Rowland. I have obviously misunderstood the effect of "acl_xattr:ignore
system acl = yes" in smb.conf. The reason that I have added it to my smb.conf
is that when the home folder path is added to ADUC, the user's home folder is
automatically created like this, as seen from Linux:
	drwxrwx---+ 1 roy   domain users   0 Feb 26 12:38 test1
So I thought that other domain users would be able to access test1's folder.
But I have now done some more tests and find that other domain users have
permission denied if they try to access the folder irrespective of whether the
above entry is in smb.conf or not. So what does this parameter do? Ignore
any settings made with setfacl? Seems to ignore the standard 'unix'
permissions by default.

Regards,
Roy



