[Samba] Any drawback in changing primary group of domain users ?
Roy Eastwood
spindles7 at gmail.com
Fri Feb 26 18:55:33 UTC 2021
On 26 February 2021 17:30 Nicola Mingotti wrote:
> On 2/26/21 10:41 AM, Roy Eastwood wrote:
> >
> >> -----Original Message-----
> >> From: Nicola Mingotti <nmingotti at gmail.com>
> >> Sent: 25 February 2021 19:06
> >> To: Roy Eastwood <spindles7 at gmail.com>; samba at lists.samba.org
> >> Cc: nmingotti at gmail.com
> >> Subject: Re: [Samba] Any drawback in changing primary group of domain users
> ?
> >>
> >>
> >>
> >> On 2/25/21 4:40 PM, Roy Eastwood wrote:
> >>>> Nicola wrote
> >>>> After reading all of your considerations, which at the moment
> >>>> I can only partially understand, this is what I made.
> >>>>
> >>>> ---- /etc/smb.conf --------------------
> >>>> force group = adm
> >>>> --------------------------------------------
> >>>>
> >>>> It seemed to me the easiest solution. To perform and to maintain.
> >>>>
> >>>> I leave the Primary Group to "Domain Users" for all Windows domain user,
> >>>> not to go against Windows habits.
> >>>>
> >>>> I will keep it working for a week and see if any issue emerges.
> >>>>
> >>>> The benefits seems to be:
> >>>>
> >>>> . Directories don't get by default "Domain user" group when written in
> >>>> the ext4. So "Domain user" people
> >>>> can go only where I say they can go through 'getfacl'. I don't need to
> >>>> worry any more
> >>>> about the interaction between Linux group permission and the W.Domain
> >>>> users.
> >>>>
> >>>> . My default user in NAS is in the group "adm". 'adm' is not defined
> >>>> as a group in AD => I can walk freely in the shared disk still being
> >>>> only a
> >>>> "Linux user" without any Windows Domain Group.
> >>>>
> >>>> thank you all for your insightful considerations and experience !
> >>>>
> >>>> bye
> >>>> Nicola
> >>>>
> >>> Maybe I've misunderstood your issues, but if you add
> >>> acl_xattr:ignore system acl = yes
> >>> to your smb.conf (instead of force group) will that solve the problem?
> >>>
> >>> Roy
> >>>
> >> Hi Roy,
> >>
> >> maybe that would work as well. I preferred the other just because
> >> i already used it. The NAS is in production, the amount of experiments
> >> I can do is limited.
> >>
> >> The problem is that I was having strange issues of users not able to
> >> reach some contents, condition which, by ACL rules, should not have
> >> happened.
> >>
> >> I red all what i could find about Samba, permissions, ACL, etc. still my
> >> grasp
> >> of the whole story is not strong. So I can not analyze the issue
> >> deductively.
> >> Instead, I noticed that the directory having problems had all "Domain user"
> >> as a group, in Linux, so I induced there might have been a clash of
> >> permissions between
> >> ACL rules and Linux directory group permissions.
> >>
> >> Then I thought I might have changed the default group from Domain Users
> >> to something different. Somebody reccomended against it, i think Rowland.
> >> So, I preferred to roll back to a previous config which should be safer.
> > @Rowland I think the OP's problems stem from the fact that both POSIX ACLs
> and Windows ACLs are in play.
> > I have scanned the WiKi and can find no reference to adding the line:
> > acl_xattr:ignore system acl = yes
> > to either the share share definition or the global section of smb.conf when
> using Windows ACLs.
> > Is it worth making this clear by adding it to the
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > page?
> >
> > Roy
> >
>
> Hi Roy, forgive my beginner question, but If I would set the parameter
> as you
> say would it be possible to change the ACL on the shared disk using
> Linux 'setfacl' ?
>
> Using 'setfacl' has been a priceless plus in my case. Much better than
> using Windows tools.
> If that would be lost my humble recommendation is not to put it into the
> wiki.
>
>
> bye
> Nicola
No, see Rowland's reply on this thread. As he (and the WiKi) says you should use Windows ACLs or POSIX ACLs (using setfacl) but not both. I don't think the setting I suggested will affect your situation, and may be a red-herring. Basically as AD is primarily for Windows clients, I set everything from Windows using Windows ACLs. Using setfacl may be the problem here if you have also set the ACLs using windows, but Rowland or Louis will know better than I!
Hope that helps
Roy
More information about the samba
mailing list