[Samba] Any drawback in changing primary group of domain users ?

Nicola Mingotti nmingotti at gmail.com
Fri Feb 26 22:36:46 UTC 2021


Anyway, I have some good news, today my users had no issue with
permissions. Besides changing the setting
---- /etc/smb.conf --------------------
force group = adm
--------------------------------------------
yesterday evening I 'chgrp' all files and directories in the shared disk to
the group 'adm', which is not even in the Windows domain, is defined only
in the NAS machine. In my case this fixed it.

bye
n.







On Fri, Feb 26, 2021 at 7:55 PM Roy Eastwood <spindles7 at gmail.com> wrote:

> On 26 February 2021 17:30 Nicola Mingotti wrote:
> > On 2/26/21 10:41 AM, Roy Eastwood wrote:
> > >
> > >> -----Original Message-----
> > >> From: Nicola Mingotti <nmingotti at gmail.com>
> > >> Sent: 25 February 2021 19:06
> > >> To: Roy Eastwood <spindles7 at gmail.com>; samba at lists.samba.org
> > >> Cc: nmingotti at gmail.com
> > >> Subject: Re: [Samba] Any drawback in changing primary group of domain users ?
> > >>
> > >>
> > >>
> > >> On 2/25/21 4:40 PM, Roy Eastwood wrote:
> > >>>> Nicola wrote
> > >>>> After reading all of your considerations, which at the moment
> > >>>> I can only partially understand, this is what I made.
> > >>>>
> > >>>> ---- /etc/smb.conf --------------------
> > >>>> force group = adm
> > >>>> --------------------------------------------
> > >>>>
> > >>>> It seemed to me the easiest solution. To perform and to maintain.
> > >>>>
> > >>>> I leave the Primary Group to "Domain Users" for all Windows domain users,
> > >>>> not to go against Windows habits.
> > >>>>
> > >>>> I will keep it working for a week and see if any issue emerges.
> > >>>>
> > >>>> The benefits seem to be:
> > >>>>
> > >>>> . Directories don't get by default "Domain user" group when written in
> > >>>> the ext4. So "Domain user" people
> > >>>> can go only where I say they can go through 'getfacl'.  I don't need to
> > >>>> worry any more
> > >>>> about the interaction between Linux group permission and the W.Domain
> > >>>> users.
> > >>>>
> > >>>> . My default user in NAS  is in the group "adm". 'adm' is not defined
> > >>>> as a group in AD => I can walk  freely in the shared disk still being
> > >>>> only a
> > >>>> "Linux user" without any Windows Domain Group.
> > >>>>
> > >>>> thank you all for your insightful considerations and experience !
> > >>>>
> > >>>> bye
> > >>>> Nicola
> > >>>>
> > >>> Maybe I've misunderstood your issues, but if you add
> > >>>           acl_xattr:ignore system acl = yes
> > >>> to your smb.conf (instead of force group) will that solve the problem?
> > >>>
> > >>> Roy
> > >>>
> > >> Hi Roy,
> > >>
> > >> maybe that would work as well.  I preferred the other just because
> > >> I already used it. The NAS is in production, the amount of experiments
> > >> I can do is limited.
> > >>
> > >> The problem is that I was having strange issues of users not able to
> > >> reach some contents, condition which, by ACL rules, should not have
> > >> happened.
> > >>
> > >> I read all I could find about Samba, permissions, ACL, etc. still my
> > >> grasp
> > >> of the whole story is not strong. So I can not analyze the issue
> > >> deductively.
> > >> Instead, I noticed that the directory having problems had all "Domain user"
> > >> as a group, in Linux, so I induced there might have been a clash of
> > >> permissions between
> > >> ACL rules and Linux directory group permissions.
> > >>
> > >> Then I thought I might have changed the default group from Domain Users
> > >> to something different. Somebody recommended against it, I think Rowland.
> > >> So, I preferred to roll back to a previous config which should be safer.
> > > @Rowland I think the OP's problems stem from the fact that both POSIX ACLs
> > > and Windows ACLs are in play.
> > > I have scanned the WiKi and can find no reference to adding the line:
> > >     acl_xattr:ignore system acl = yes
> > > to either the share definition or the global section of smb.conf when
> > > using Windows ACLs.
> > > Is it worth making this clear by adding it to the
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > > page?
> > >
> > > Roy
> > >
> >
> > Hi Roy, forgive my beginner question, but If I would set the parameter
> > as you
> > say would it be possible to change the ACL on the shared disk using
> > Linux 'setfacl' ?
> >
> > Using 'setfacl' has been a priceless plus in my case. Much better than
> > using Windows tools.
> > If that would be lost my humble recommendation is not to put it into the
> > wiki.
> >
> >
> > bye
> > Nicola
> No, see Rowland's reply on this thread.   As he (and the WiKi) says you
> should  use Windows ACLs or POSIX ACLs (using setfacl) but not both.   I
> don't think the setting I suggested will affect your situation, and may be
> a red-herring.   Basically as AD is primarily for Windows clients, I set
> everything from Windows using Windows ACLs.   Using setfacl may be the
> problem here if you have also set the ACLs using windows, but Rowland or
> Louis will know better than I!
>
> Hope that helps
>
> Roy
>
>
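
Added example, not part of the original thread and not Samba project code: a small smb.conf reader that shows, per share, the effective `force group`, the loaded VFS modules and any `acl_xattr:` module options, treating `[global]` values as share defaults. The sample file, share names and paths are constructed; the module option is copied as spelled in the thread and is reported verbatim, not interpreted.

```python
import re

# Constructed sample, not the poster's real file; share names and paths are
# made up. [scratch] carries the module option exactly as spelled in the thread.
SAMPLE_SMB_CONF = """\
[global]
    vfs objects = acl_xattr

[shared]
    path = /srv/shared
    Force Group = adm

[scratch]
    path = /srv/scratch
    acl_xattr:ignore system acl = yes
"""

def norm(name):
    # smb.conf ignores case and whitespace in names; module options kept as written.
    return name.strip() if ":" in name else re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}}; line continuations are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def acl_report(text):
    """Per share: effective force group and ACL module settings."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})
    report = {}
    for share, params in conf.items():
        eff = {**defaults, **params}  # [global] values act as share defaults
        report[share] = {
            "force_group": eff.get("forcegroup"),
            "vfs_objects": eff.get("vfsobjects", "").split(),
            "acl_xattr_options": {k: v for k, v in eff.items() if k.startswith("acl_xattr:")},
        }
    return report

if __name__ == "__main__":
    print(acl_report(SAMPLE_SMB_CONF))
```

A share that reports both a forced group and `acl_xattr` in its VFS list is one where Unix group ownership and Windows ACLs are both in play, which is the situation the replies above advise keeping to a single ACL model.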

