[Samba] unix_primary_group not used when writing files

Rowland Penny rpenny at samba.org
Wed Aug 17 15:47:50 UTC 2022


On Wed, 2022-08-17 at 16:13 +0100, Matthew Richardson via samba wrote:
> Thanks both for your help!
> 
> > What do you see if you run: id username
> > And run : getfacl on the folder/files to see more..
> 
> $ id alice
> 
> uid=12345(alice) gid=12345(g_alice)
> groups=12345(g_alice),273711(domain users)
> 
> $ getfacl /home/alice/test.txt
> getfacl: Removing leading '/' from absolute path names
> # file: /home/alice/test.txt
> # owner: alice
> # group: domain\040users
> user::rwx
> user:alice:rwx
> group::rwx
> group:domain\040users:rwx
> mask::rwx
> other::r-x
> 
> Also for some extra info:
> 
> $ wbinfo -n alice
> S-1-5-21-861567501-1417001333-682003330-11132
> 
> smbclient -k -L //server.example.com/alice
> > showacls
> > ls test.txt
> dos_clean_name [\test.txt]
> unix_clean_name [\test.txt]
> FILENAME:test.txt
> MODE:A
> SIZE:280
> MTIME:Wed Aug 17 12:16:10 2022
> revision: 1
> type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
> DACL
>         ACL     Num ACEs:       3       revision:       2
>         ---
>         ACE
>                 type: ACCESS ALLOWED (0) flags: 0x00
>                 Specific bits: 0x1ff
>                 Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
>                 SID: S-1-5-21-861567501-1417001333-682003330-11132
> 
>         ACE
>                 type: ACCESS ALLOWED (0) flags: 0x00
>                 Specific bits: 0x1ff
>                 Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
>                 SID: S-1-5-21-861567501-1417001333-682003330-513
> 
>         ACE
>                 type: ACCESS ALLOWED (0) flags: 0x00
>                 Specific bits: 0xa9
>                 Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
>                 SID: S-1-1-0
> 
>         Owner SID:      S-1-5-21-861567501-1417001333-682003330-11132
>         Group SID:      S-1-5-21-861567501-1417001333-682003330-513
> 
> 
> > Did you add 'alice' to the group 'g_alice' ? If so, how ?
> 
> I got our 'Windows person' to create the group and make alice a member.
> I can ask what steps they did if that's useful, but it'll most likely be
> whatever 'standard' steps you do in the AD to achieve that.
> 
> I can also confirm that the outputs are as you have updated them -
> i.e. no members in the first group, but members in the second.
> 
> $ getent group g_alice
> 
> g_alice:x:12345:

That seems to be where your problem lies, I would expect alice to be
shown as a group member e.g. g_alice:x:12345:alice

> 
> $ groups alice
> 
> alice : g_alice domain users
> 
> This seems to be the same for all AD groups (local groups show members)
> e.g.:
> 
> $ getent group "domain users"
> domain users:x:273711:

Again, that should continue with a comma separated list of all users
that have a uidNumber attribute.

I seem to remember something like this happening before, trouble is, I
cannot remember just what caused it. Was it apparmor (if it was, there
will be something in the logs) or was it a permissions error on the
groups in AD?

Rowland
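The checks Rowland describes above (does the file's group owner match the user's Unix primary group, and does `getent group` actually list the user as a member) can be scripted so they run across many users instead of being eyeballed one at a time. The following is an added example, not code from the thread or from the Samba project. It parses the three output formats shown in the thread (`id`, `getfacl` header comments with their `\NNN` octal escapes, and `getent group`) from constructed sample strings embedded inline, built from the values alice posted, so it runs offline; on a real host the same functions would be fed the output of those commands.

```python
import re

# Constructed sample outputs, shaped like the ones posted in the thread
# (the values are the ones alice reported; they are embedded here so the
# check runs without winbind or an AD domain).
SAMPLE_ID = "uid=12345(alice) gid=12345(g_alice) groups=12345(g_alice),273711(domain users)"
SAMPLE_GETFACL = """# file: /home/alice/test.txt
# owner: alice
# group: domain\\040users
user::rwx
user:alice:rwx
group::rwx
group:domain\\040users:rwx
mask::rwx
other::r-x
"""
SAMPLE_GETENT = "g_alice:x:12345:"

# One "NNN(name)" entry as printed by id; the name may contain spaces.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(text):
    """Parse `id <user>` output into uid, primary gid and supplementary groups.

    Returns {"uid": (id, name), "gid": (id, name), "groups": [(id, name), ...]}.
    """
    out = {}
    for key, value in re.findall(r"\b(uid|gid|groups)=((?:\d+\([^)]*\),?)+)", text):
        entries = [(int(num), name) for num, name in _ENTRY.findall(value)]
        out[key] = entries if key == "groups" else entries[0]
    return out


def unescape_facl(name):
    """Undo getfacl's \\NNN octal escaping (e.g. \\040 -> space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (owner, group) from the '# owner:' / '# group:' header lines."""
    owner = group = None
    for line in text.splitlines():
        if line.startswith("# owner: "):
            owner = unescape_facl(line[len("# owner: "):].strip())
        elif line.startswith("# group: "):
            group = unescape_facl(line[len("# group: "):].strip())
    return owner, group


def parse_getent_group(line):
    """Split a `getent group` line into (name, gid, [members])."""
    name, _passwd, gid, members = line.rstrip("\n").split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def check_primary_group(id_output, getfacl_output, getent_line):
    """Return a list of findings; an empty list means everything is consistent."""
    info = parse_id(id_output)
    uid, user = info["uid"]
    gid, gname = info["gid"]
    owner, file_group = parse_getfacl(getfacl_output)
    ename, egid, members = parse_getent_group(getent_line)

    findings = []
    if owner != user:
        findings.append(f"file owner '{owner}' is not '{user}'")
    if file_group != gname:
        findings.append(
            f"file group '{file_group}' differs from primary group '{gname}' (gid {gid})"
        )
    if egid == gid and user not in members:
        findings.append(f"getent group {ename} does not list {user} as a member")
    return findings


if __name__ == "__main__":
    for finding in check_primary_group(SAMPLE_ID, SAMPLE_GETFACL, SAMPLE_GETENT):
        print("MISMATCH:", finding)
```

Run against the sample data the script reports two mismatches: the file's group is `domain users` rather than `g_alice`, and `getent group g_alice` has an empty member list, which is exactly the inconsistency the thread is chasing. Feeding it real `id`, `getfacl` and `getent` output for each domain user turns the manual comparison into a repeatable audit.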