[Samba] unix_primary_group not used when writing files

Matthew Richardson m.richardson at ed.ac.uk
Thu Aug 18 09:00:17 UTC 2022


Hi,

Thanks for the extra info.
>> However even with this setting and having restarted samba etc the files are
>> still group 'domain user'.
>
> Yes, and this IS correct and the default.
> I recommend NOT changing it.. and you really must..
> Change primaryGroupID in the AD, but really, use ACLs..

This doesn't seem to agree with what the Samba wiki docs say:

https://wiki.samba.org/index.php/Idmap_config_ad

"There is now a new setting unix_primary_group, this allows you to use
another group for the users primary group instead of Domain Users.

If this is set with unix_primary_group = yes, the users primary group is
obtained from the gidNumber attribute found in the users AD object."

"Whichever setting you use, do not change the users primaryGroupID
attribute, Windows relies on all users being a member of Domain Users."

>
> So what's set as ACL on /home/alice?
> getfacl /home/alice

Currently I have it set to being owned by group g_alice:

$  getfacl /home/alice
getfacl: Removing leading '/' from absolute path names
# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::r-x
other::r-x

I could explicitly set 'mandatory' ACLs on the homedir and have these
propagate, but that feels like a workaround for something that the docs
imply shouldn't be needed?

>
> Then next part..
> it's what Rowland is saying: you should see all the users in the domain users group.
>

Yes, it takes a very long time, but 'getent group "domain users"' does
return all domain users.

> What's set in /etc/nsswitch.conf? Since you're using Ubuntu, I don't think AppArmor is bugging you.
> If that's the case, you should see it in the syslog, I think.
>

nsswitch has:

passwd: files systemd winbind
group:  files systemd winbind
...
hosts:  files  dns


> The smb.conf is correct. Oh, PS, one thing:
> you don't have "winbind refresh tickets = yes" in; add it.
> At least, that's the only thing I didn't see.
>

I do have this in - though I assumed it wasn't relevant at this point?

> Also keep this in mind..
> You can add a Windows user with UID/GID to a Linux group.
> You cannot add a Unix user to a Windows group.
>

Noted.

> So, what I think is: the primaryGroupID isn't changed from "domain users" to g_alice in the AD.
> Or you're hitting a cache problem; also try: net cache flush
>

Caches flushed, services (and server) restarted - no change.

Thanks,

Matthew
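As an added example (not code from this thread, the Samba wiki or the Samba project), the script below checks each link in the chain that decides which group a new file in /home/alice ends up with: the primary GID winbind returns in the passwd entry (field 4, taken from gidNumber when unix_primary_group = yes, otherwise derived from primaryGroupID, i.e. Domain Users), the name that GID resolves to, and what group a file created in the directory actually gets. It also tests for the setgid bit on the directory, because the kernel then gives new files the directory's group regardless of the creator's primary GID. The user name alice and the home path are placeholders, and it assumes a Linux member server with GNU coreutils (stat -c, mktemp -p) and getent backed by winbind as in the nsswitch.conf above.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from Samba.
# Chain being checked:
#   1. NSS (winbind for AD users) returns a passwd entry; field 4 is the
#      primary GID. With "idmap config DOM : unix_primary_group = yes" winbind
#      takes it from gidNumber, otherwise from primaryGroupID (Domain Users).
#   2. The kernel gives a new file the creating process's primary GID,
#      unless the parent directory is setgid, in which case the file gets the
#      directory's group.
# Assumes Linux with GNU coreutils (stat -c, mktemp -p) and getent.

# passwd entry for a user name or uid, exactly as NSS (winbind) reports it
passwd_entry() { getent passwd "$1"; }

# field 4 of a passwd line: the GID smbd will create the user's files with
primary_gid_of() { printf '%s\n' "$1" | cut -d: -f4; }

# group name for a numeric GID, e.g. "domain users" or "g_alice"
group_name_of() { getent group "$1" | cut -d: -f1; }

# true when the directory is setgid (new files then inherit its group)
dir_is_setgid() { [ -g "$1" ]; }

# create a scratch file in a directory and print the numeric group it got
new_file_gid() {
    f=$(mktemp -p "$1") || return 1
    stat -c %g "$f"
    rm -f "$f"
}

# Compare the group a new file gets with the expected primary GID.
# Prints "primary" when it matched, "inherited" when the directory is setgid
# and the file took the directory's group, and "other" otherwise (for example
# a share-level "force group" in smb.conf).
classify_file_group() {
    dir=$1 expect_gid=$2
    got=$(new_file_gid "$dir") || return 1
    if [ "$got" = "$expect_gid" ]; then
        echo primary
    elif dir_is_setgid "$dir" && [ "$got" = "$(stat -c %g "$dir")" ]; then
        echo inherited
    else
        echo other
    fi
}

# Report for one user and home: what winbind says, and what new files will get.
report() {
    user=$1 home=$2
    entry=$(passwd_entry "$user") || {
        echo "no passwd entry for $user: check winbind and nsswitch.conf"
        return 1
    }
    gid=$(primary_gid_of "$entry")
    echo "primary gid of $user: $gid ($(group_name_of "$gid"))"
    if dir_is_setgid "$home"; then
        echo "$home is setgid: new files get group $(stat -c %G "$home")"
    else
        echo "$home is not setgid: new files get group $(group_name_of "$gid")"
    fi
}

# usage on the member server: sh check_primary_group.sh alice /home/alice
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

If the first line of the report still names "domain users" after winbind has been restarted and `net cache flush` run, the primary GID is not coming from gidNumber, so the idmap setting is the place to look; if it names g_alice but files still land in domain users, look at how the file is created rather than at idmap. Setting the setgid bit on the home directory (`chmod g+s /home/alice`) makes new files inherit g_alice whatever the primary GID is, which is a lighter alternative to propagating default ACLs.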


