[Samba] unix_primary_group not used when writing files

Matthew Richardson m.richardson at ed.ac.uk
Wed Aug 17 15:13:23 UTC 2022


Thanks both for your help!

> What do you see if you run: id username
> And run : getfacl on the folder/files to see more..

$ id alice

uid=12345(alice) gid=12345(g_alice) groups=12345(g_alice),273711(domain users)

$ getfacl /home/alice/test.txt
getfacl: Removing leading '/' from absolute path names
# file: /home/alice/test.txt
# owner: alice
# group: domain\040users
user::rwx
user:alice:rwx
group::rwx
group:domain\040users:rwx
mask::rwx
other::r-x

Also for some extra info:

$ wbinfo -n alice
S-1-5-21-861567501-1417001333-682003330-11132

smbclient -k -L //server.example.com/alice
> showacls
> ls test.txt
dos_clean_name [\test.txt]
unix_clean_name [\test.txt]
FILENAME:test.txt
MODE:A
SIZE:280
MTIME:Wed Aug 17 12:16:10 2022
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
        ACL     Num ACEs:       3       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0x1ff
                Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
                SID: S-1-5-21-861567501-1417001333-682003330-11132

        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0x1ff
                Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
                SID: S-1-5-21-861567501-1417001333-682003330-513

        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0xa9
                Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
                SID: S-1-1-0

        Owner SID:      S-1-5-21-861567501-1417001333-682003330-11132
        Group SID:      S-1-5-21-861567501-1417001333-682003330-513


> Did you add 'alice' to the group 'g_alice' ? If so, how ?

I got our 'Windows person' to create the group and make alice a member.
I can ask what steps they did if that's useful, but it'll most likely be
whatever 'standard' steps you do in the AD to achieve that.

I can also confirm that the outputs are as you have updated them - i.e.
no members in the first group, but members in the second.

$ getent group g_alice

g_alice:x:12345:

$ groups alice

alice : g_alice domain users

This seems to be the same for all AD groups (local groups show members)
e.g.:

$ getent group "domain users"
domain users:x:273711:

Thanks,

Matthew


On 17/08/2022 13:53, L. van Belle via samba wrote:
> 
> What do you see if you run : id username
> And run : getfacl on the folder/files to see more..
> 
> Greetz,
> 
> Louis
> 
>> -----Original Message-----
>> From: samba <samba-bounces at lists.samba.org> On Behalf Of Matthew Richardson via samba
>> Sent: Wednesday 17 August 2022 13:32
>> To: samba at lists.samba.org
>> Subject: [Samba] unix_primary_group not used when writing files
>>
>> I have a samba server (v4.13.17 - Ubuntu 20.04) set up joined to an AD
>> domain, with the following idmap config:
>>
>> [global]
>>   workgroup = MYDOM
>>   realm = MYDOM.EXAMPLE.COM
>>   security = ads
>>   idmap config * : backend = tdb
>>   idmap config * : range = 3000 - 9999
>>   idmap config MYDOM : backend = ad
>>   idmap config MYDOM : schema_mode = rfc2307
>>   idmap config MYDOM : range = 10000 - 9999999
>>   idmap config MYDOM : unix_primary_group = yes
>>   idmap config MYDOM : unix_nss_info = yes
>>   winbind use default domain = yes
>>
>> All users in the domain have the unix attributes set (gidNumber, loginShell
>> etc). There is also a group with the same gid as the user's gidNumber, and
>> that user is a member of that group.
>>
>> This shows up fine using the nss commands, e.g.:
>>
>> $ getent passwd alice
>>
>> alice:*:12345:12345:Alice Smith:/home/alice:/bin/bash
>>
>> $ getent group alice
>>
>> alice:x:12345:
>>
>> $ groups alice
>>
>> alice : alice domain users
>>
>>
>> However if I connect using smbclient and write files, they are always group
>> owned by 'domain users':
>>
>> $ smbclient -k -L //server.example.com/alice
>>> put test.txt
>>
>> $ ls -l /home/alice
>>
>> -rwxrwxr-x+ 1 alice domain users 38 Aug 16 20:29 test.txt
>>
>> Samba logging (debug level 4) during this file write correctly identifies the
>> primary group:
>>
>> UNIX token of user 12345
>>   Primary group is 12345 and contains 164 supplementary groups
>>
>> However it then uses domain users when writing (gid 273711):
>>
>> [2022/08/16 19:12:02.052968,  2] ../../source3/smbd/open.c:1524(open_file)
>>   MYDOM\alice opened file test.txt read=Yes write=Yes (numopen=1)
>> [2022/08/16 19:12:02.060177,  3] ../../source3/smbd/posix_acls.c:1205(unpack_nt_owners)
>>   unpack_nt_owners: owner sid mapped to uid 12345
>> [2022/08/16 19:12:02.060584,  3] ../../source3/smbd/posix_acls.c:1226(unpack_nt_owners)
>>   unpack_nt_owners: group sid mapped to gid 273711
>> [2022/08/16 19:12:02.060994,  3] ../../source3/smbd/posix_acls.c:3760(set_nt_acl)
>>   set_nt_acl: chown test.txt. uid = 12345, gid = 273711.
>>
>>
>> Can anyone suggest what might be going on here?
>>
>> Thanks,
>>
>> Matthew
>>
>>
>> The University of Edinburgh is a charitable body, registered in Scotland, with
>> registration number SC005336.
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> 
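To make the mismatch reported in this thread mechanically checkable, here is a small Python audit script. It is an added example, not code from the thread or from the Samba project. It assumes the log line formats exactly as quoted above, uses the quoted getent, Samba log and showacls output as constructed sample input, and relies only on the fact that RID 513 is the well-known "Domain Users" RID. It flags a set_nt_acl chown whose gid differs from the NSS primary gid, and a security-descriptor group SID that unpack_nt_owners mapped to something other than that primary gid; it does not determine why the client or server chose that group.

```python
import re

# Constructed sample input: the getent, Samba log and showacls output quoted in
# the thread, reassembled here so the script runs offline.
GETENT_PASSWD = "alice:*:12345:12345:Alice Smith:/home/alice:/bin/bash"

SAMBA_LOG = """\
[2022/08/16 19:12:02.052968,  2] ../../source3/smbd/open.c:1524(open_file)
  MYDOM\\alice opened file test.txt read=Yes write=Yes (numopen=1)
[2022/08/16 19:12:02.060177,  3] ../../source3/smbd/posix_acls.c:1205(unpack_nt_owners)
  unpack_nt_owners: owner sid mapped to uid 12345
[2022/08/16 19:12:02.060584,  3] ../../source3/smbd/posix_acls.c:1226(unpack_nt_owners)
  unpack_nt_owners: group sid mapped to gid 273711
[2022/08/16 19:12:02.060994,  3] ../../source3/smbd/posix_acls.c:3760(set_nt_acl)
  set_nt_acl: chown test.txt. uid = 12345, gid = 273711.
"""

SHOWACLS = """\
        Owner SID:      S-1-5-21-861567501-1417001333-682003330-11132
        Group SID:      S-1-5-21-861567501-1417001333-682003330-513
"""

DOMAIN_USERS_RID = 513  # well-known RID of the "Domain Users" group

# Line shapes assumed from the debug output quoted in the thread.
CHOWN_RE = re.compile(
    r"set_nt_acl: chown (?P<file>\S+)\. uid = (?P<uid>\d+), gid = (?P<gid>\d+)\.")
GROUP_MAP_RE = re.compile(r"unpack_nt_owners: group sid mapped to gid (?P<gid>\d+)")
GROUP_SID_RE = re.compile(r"Group SID:\s+(?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))")


def primary_ids(passwd_line):
    """Return (uid, gid) from a getent passwd line; gid is the NSS primary group."""
    fields = passwd_line.split(":")
    return int(fields[2]), int(fields[3])


def find_chowns(log):
    """Every set_nt_acl chown in the log as (file, uid, gid)."""
    return [(m["file"], int(m["uid"]), int(m["gid"])) for m in CHOWN_RE.finditer(log)]


def sd_group_gids(log):
    """gids that unpack_nt_owners derived from a security descriptor's group SID."""
    return [int(m["gid"]) for m in GROUP_MAP_RE.finditer(log)]


def group_rid(showacls):
    """RID of the Group SID printed by smbclient's showacls, or None if absent."""
    m = GROUP_SID_RE.search(showacls)
    return int(m["rid"]) if m else None


def audit(passwd_line, log, showacls):
    """List every place the written file's group disagrees with the NSS primary gid."""
    uid, gid = primary_ids(passwd_line)
    findings = []
    for fname, fuid, fgid in find_chowns(log):
        if fuid == uid and fgid != gid:
            findings.append(f"{fname}: chowned to gid {fgid}, NSS primary gid is {gid}")
    for sd_gid in sd_group_gids(log):
        if sd_gid != gid:
            findings.append(f"security descriptor group SID mapped to gid {sd_gid}, not {gid}")
    if group_rid(showacls) == DOMAIN_USERS_RID:
        findings.append("file Group SID is Domain Users (RID 513)")
    return findings


if __name__ == "__main__":
    for finding in audit(GETENT_PASSWD, SAMBA_LOG, SHOWACLS):
        print(finding)
```

Run against the quoted output it reports three findings: the chown to gid 273711, the security-descriptor group SID mapping to 273711, and the Domain Users Group SID on the file. On a server where the file is created with the user's primary group, all three checks are silent, which makes the script a quick regression check after changing idmap or ACL settings.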
