[Samba] Backend RID and UNIX Primary Group...
Matthias Kühne | Ellerhold Aktiengesellschaft
matthias.kuehne at ellerhold.de
Wed Nov 12 06:30:16 UTC 2025
Hello,

we've created one group for each share in the AD: fs_<server>_<share> and
give this to the users that should have access to the share.

In the share we use force group = +AD-DOMAIN\fs_<server>_<share>

This way only users that have this group can access the share (that's
what the + does) and if the user has it, then it will be the default
group for this connection. New files and directories will be created as
AD-DOMAIN\user : AD-DOMAIN\fs_<server>_<share>

Hope this helps!

Bonus points: even RO-access is possible with this: create an additional
group AD-DOMAIN\fs_<server>_<share>_ro and give it read-only access to
the whole share.

Have a nice day, Matthias.

On 11.11.25 at 18:55, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
> On that day it was said...
>
>> If you use the 'rid' idmap backend all users get Domain Users as their
>> primary group ID, an example:
>>
>> id rowland
>> uid=11104(rowland) gid=10513(domain users) groups=10513(domain
>> users)..........
>>
>> but the users also get their own private group:
>>
>> getent group rowland
>> rowland:x:11104:rowland
>>
>> This comes from Samba and the 'rid' backend.
> This is a bit problematic... if I use POSIX ACL and vfs_acl, this means that
> all files and folders created by users get full access for all other users...
>
>
>> You can change a user's primary group by pointing their 'primaryGroupID'
>> at a different RID, but you would also have to join the user to
>> the Domain Users group. Windows expects every user to be a member of
>> Domain Users, so there is little point in changing the user's primary
>> group.
> As in AD backend. But I supposed it was a 'problem' (a glitch, indeed) of using
> AD backend...
>
> Anyway, the point is that: files and folders on UNIX get created (by
> default) with the primary group of the user, and so if this is 'Domain
> Users' all files are by default 'open' to others...
>
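
An added example, not part of the original posts: a small audit that lists writable shares with no `force group`, which is where new files keep the creator's primary group (Domain Users with the 'rid' backend, as discussed in this thread). The sample smb.conf is constructed; the server name `srv1`, the share names and paths, and the use of `valid users` / `read list` for the access restriction and the `_ro` group are assumptions of this example.

```python
import configparser

# Constructed smb.conf: server "srv1", shares and paths are placeholders.
# "valid users" / "read list" are this example's assumption for how the
# access restriction and the _ro group could be expressed.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = AD-DOMAIN
idmap config AD-DOMAIN : backend = rid
idmap config AD-DOMAIN : range = 10000-999999

[projects]
path = /srv/samba/projects
read only = no
valid users = @"AD-DOMAIN\fs_srv1_projects", @"AD-DOMAIN\fs_srv1_projects_ro"
read list = @"AD-DOMAIN\fs_srv1_projects_ro"
force group = +AD-DOMAIN\fs_srv1_projects

[scratch]
path = /srv/samba/scratch
writable = yes
"""

SKIP = {"global", "homes", "printers"}
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def is_writable(share):
    # "writable"/"writeable"/"write ok" are inverted synonyms of "read only".
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return share[key].strip().lower() in YES
    return share.get("read only", "yes").strip().lower() in NO

def shares_without_force_group(conf_text):
    """Writable shares where new files keep the creator's primary group."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    return [name for name in cp.sections()
            if name.lower() not in SKIP
            and is_writable(cp[name])
            and not cp[name].get("force group", "").strip()]

if __name__ == "__main__":
    print(shares_without_force_group(SAMPLE_SMB_CONF))
```

The parser does not resolve include files or settings inherited from [global], so running it over the output of `testparm -s` gives a more complete picture than the raw file.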