Hello,

I'm trying to set the final permissions of my shares because we come from an old samba managed by IP, and I've noticed that when I create a new file it has the default user group (Domain Users) instead of the default configured group.

I've used chown and chmod g+s to do it, and when I create a new file in that folder from the terminal it keeps the group, but when I create a new file from SMB it looks like samba ignores this flag and sets the group to the default user group.

Is there any way to avoid this behaviour without setting the force group option? Domain Users is the group of all users on the domain and is too open.

My smb.conf is:

[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.COM
    server role = member server

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    interfaces = lo br0 br0:0
    bind interfaces only = yes

    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config ACONFI:backend = rid
    # idmap config ACONFI:schema_mode = rfc2307
    idmap config ACONFI:range = 10000-999999
    # winbind nss info = rfc2307

    winbind trusted domains only = no
    winbind use default domain = yes
    # winbind enum users = yes
    # winbind enum groups = yes
    winbind offline logon = yes
    # winbind cache time = 86400
    winbind refresh tickets = Yes
    # winbind expand groups = 4
    winbind normalize names = Yes

    # domain master = no
    # local master = no
    # vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    log level = 2

    # Configure the recycle bin and the audit
    vfs objects = recycle full_audit acl_xattr

    # Recycle bin
    recycle:repository = /server/share/Papelera/
    recycle:keeptree = yes
    recycle:versions = yes
    # Do not recycle empty files
    recycle:minsize = 1
    # Exclude temporary files
    recycle:exclude = *.tmp, *.TMP, *.temp, *.TEMP, *.o, *.obj, ~$*, *.lock, *.lck, *.sqlite-wal, *.bak, thumb.db
    # Do not recycle scanner files
    #recycle:exclude_dir = /server/share/Escaner/

    # Audit
    full_audit:prefix = %u|%I|%m|%R|%S
    full_audit:success = chmod chmod_acl chown connect disconnect link mkdir pread pwrite read removexattr rename rmdir setxattr unlink write
    full_audit:failure = none
    full_audit:facility = LOCAL7
    full_audit:priority = NOTICE

[Laboral]
    path = /server/share/Laboral
    read only = no
    browsable = yes
    valid users = @laboral,administrator

I know that it is better to remove the "valid users" option and manage by ACLs, but I have to fix the ACLs first :P

Thanks!!

--
_________________________________________
Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
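One way to find the entries on a share that did not pick up the group of their setgid directory, which is the symptom described in the message above. This is an added example, not part of the original post: the function names are assumptions, and the default path is the [Laboral] share path from the posted smb.conf.

```python
#!/usr/bin/env python3
"""Report entries whose group differs from their setgid parent directory."""
import os
import stat
import sys


def inherits_group(parent_mode, parent_gid, child_gid):
    """True when the child complies: parent is not setgid, or the gids match."""
    if not (stat.S_ISDIR(parent_mode) and parent_mode & stat.S_ISGID):
        return True  # no group inheritance is expected from this parent
    return child_gid == parent_gid


def lost_setgid(parent_mode, child_mode):
    """True when a subdirectory of a setgid directory lacks the setgid bit."""
    return bool(parent_mode & stat.S_ISGID and stat.S_ISDIR(child_mode)
                and not child_mode & stat.S_ISGID)


def audit(root):
    """Walk root and return (path, parent_gid, child_gid, reason) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.lstat(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                child = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished while walking a live share
            if not inherits_group(parent.st_mode, parent.st_gid, child.st_gid):
                findings.append((path, parent.st_gid, child.st_gid, "group"))
            elif lost_setgid(parent.st_mode, child.st_mode):
                findings.append((path, parent.st_gid, child.st_gid, "no-setgid"))
    return findings


if __name__ == "__main__":
    # Default is the [Laboral] path from the post; pass another path to override.
    root = sys.argv[1] if len(sys.argv) > 1 else "/server/share/Laboral"
    for path, want, got, reason in audit(root):
        print(f"{reason}\t{path}\texpected gid {want}\tfound gid {got}")
```

Running it before and after creating a test file over SMB shows whether new files land in the directory's group or in the user's primary group.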