[Samba] Any drawback in changing primary group of domain users ?

Rowland penny rpenny at samba.org
Fri Feb 26 13:27:02 UTC 2021

On 26/02/2021 12:55, Roy Eastwood via samba wrote:
> On 26 February 2021 10:28 Rowland penny wrote:
>> On 26/02/2021 09:41, Roy Eastwood via samba wrote:
>>> @Rowland I think the OP's problems stem from the fact that both POSIX ACLs
>>> and Windows ACLs are in play.
>> On the wikipage:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> It says this:
>> Do not set ANY additional share parameters, such as force user or valid
>> users. Adding them to the share definition can prevent you from
>> configuring or using the share.
>> However, there isn't anything on the POSIX wikipage:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>> I have scanned the wiki and can find no reference to adding the line:
>>> 	acl_xattr:ignore system acl = yes
>>> to either the share definition or the global section of smb.conf when
>>> using Windows ACLs.
>> Using that setting only really makes sense if you are using Windows
>> ACL's, because you want to use the system acl's if using setfacl.
>> Whichever method you use, Windows or POSIX ACL's, you should not mix
>> them. Either set the permissions from Windows or on the Samba server
>> using setfacl.
>> Rowland
> Thanks Rowland.   I have obviously misunderstood the effect of "acl_xattr:ignore
> system acl = yes" in smb.conf.   The reason that I have added it to my smb.conf
> is that when the home folder path is added to ADUC, the user's home folder is
> automatically created like this as seen from linux:
> 	drwxrwx---+ 1 roy   domain users   0 Feb 26 12:38 test1
> So I thought that other domain users would be able to access test1's folder.
> But I have now done some more tests and find that other domain users have
> permission denied if they try to access the folder irrespective of whether the
> above entry is in smb.conf or not.    So what does this parameter do?  Ignore
> any settings made with setfacl?    Seems to ignore the standard 'unix'
> permissions by default.
> Regards,
> Roy
Try reading the manpages, in this instance 'man vfs_acl_xattr' 😁
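
A lint pass over smb.conf for the two points raised in this thread, added here as an example (it is not from the original posts or the Samba project): it flags `force user` / `valid users` on shares that load `acl_xattr`, per the wiki text quoted above, and flags an `acl_xattr:ignore system acl...` key whose spelling differs from the `acl_xattr:ignore system acls` given in vfs_acl_xattr(8). Assumptions: `vfs objects = acl_xattr` is treated as the marker of a Windows-ACL share, and the function names and sample configuration are constructed for illustration.

```python
import re

# Parameters the wiki text quoted above says not to add to a Windows-ACL share.
DISCOURAGED = {"forceuser": "force user", "validusers": "valid users"}
# Option name as spelled in vfs_acl_xattr(8), normalised the way norm() does.
IGNORE_OPT = "acl_xattr:ignoresystemacls"

# Constructed sample configuration (share names and paths are made up).
SAMPLE = """\
[global]
    vfs objects = acl_xattr
    acl_xattr:ignore system acl = yes
[users]
    path = /srv/samba/users
    valid users = @"Domain Users"
[scratch]
    path = /srv/samba/scratch
    vfs objects =
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {normalised_key: value}} for smb.conf-style text."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def lint(text):
    """Return (section, message) findings for the two issues described above."""
    conf, findings = parse(text), []
    for section, params in conf.items():
        merged = {**conf.get("global", {}), **params}  # share overrides [global]
        modules = re.split(r"[\s,]+", merged.get("vfsobjects", ""))
        findings += [(section, "check spelling: manpage has 'acl_xattr:ignore system acls'")
                     for k in params if k.startswith(IGNORE_OPT[:-1]) and k != IGNORE_OPT]
        if section != "global" and "acl_xattr" in modules:
            findings += [(section, f"'{label}' set on a Windows-ACL share")
                         for k, label in DISCOURAGED.items() if k in params]
    return findings
```

Calling `lint(SAMPLE)` reports the singular option spelling in `[global]` and the `valid users` line in `[users]`; `[scratch]` is skipped because it overrides `vfs objects` with an empty list.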
