Rowland Penny
2018-Aug-08 07:17 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Tue, 07 Aug 2018 22:43:23 +0100 Miguel Medalha via samba <samba at lists.samba.org> wrote:

> > By default, every AD user is a member of 'Domain Users' and so,
> > when you use the 'rid' backend every Unix user gets the group as
> > their primary group.
> >
> > The only way to change this is by using a version of Samba >= 4.6.0
> > and use the 'ad' backend (...)
>
> You can also use RSAT and define some other group as the user's
> primary group, and still use 'rid' backend. If I remember well, the
> setting resides in the "Member of" tab of Active Directory Users and
> Computers (ADUC).

Wrong, that just adds another attribute ('msSFU30PosixMember' I think) and this is ignored.

Yes, there is another way: add the user to a group, change the user's primaryGroupID attribute to contain the RID of the new group and your user's group on Unix will be the new group. Unfortunately there is a big problem with doing this, it breaks Windows, as it relies on all users being a member of Domain Users and that group not actually having any members ;-)

Rowland
miguel medalha
2018-Aug-10 12:20 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
> > > By default, every AD user is a member of 'Domain Users' and so,
> > > when you use the 'rid' backend every Unix user gets the group as
> > > their primary group.
> > >
> > > The only way to change this is by using a version of Samba >= 4.6.0
> > > and use the 'ad' backend (...)
> >
> > You can also use RSAT and define some other group as the user's
> > primary group, and still use 'rid' backend. If I remember well, the
> > setting resides in the "Member of" tab of Active Directory Users and
> > Computers (ADUC).
>
> Wrong, that just adds another attribute ('msSFU30PosixMember' I
> think) and this is ignored.
>
> Yes, there is another way, add user to a group, change users
> primaryGroupID attribute to contain the RID of the new group and your
> users group on Unix will be the new group. Unfortunately there is a big
> problem with doing this, it breaks Windows, as it relies on all users
> being a member of Domain Users and that group not actually having any
> members ;-)

Are you sure about that? I am using the RID backend and I just tested this:

I logged on to Windows 7 as a regular user having a particular group set as "Primary group" and I created a new file and a new folder inside a share. Looking at it on the security tab, I can see that the "Domain Users" group is not in the list of permissions.

I logged out.

As Administrator, using ADUC, in the "Member of" tab I changed the primary group of the same user to the "Domain users" default.

I logged on again as the same regular user and I created a new file and a new folder inside the same share. Looking at the "Security" tab, I see that the "Domain users" group is now there, with advanced permissions of "Full Control, This object only" and "Full Control, This folder only".

Resetting the user's primary group to its original group restores the intended behavior, the "Domain Users" is no longer present in newly created files or folders.

This is a Samba Active Directory serving a network of mainly Windows 7 machines. The Samba version is 4.8.3. As I said before, the RID backend is in use.
Rowland Penny
2018-Aug-10 12:59 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Fri, 10 Aug 2018 13:20:15 +0100 "miguel medalha" <medalist at sapo.pt> wrote:

> > > > By default, every AD user is a member of 'Domain Users' and so,
> > > > when you use the 'rid' backend every Unix user gets the group as
> > > > their primary group.
> > > >
> > > > The only way to change this is by using a version of Samba >=
> > > > 4.6.0 and use the 'ad' backend (...)
> > >
> > > You can also use RSAT and define some other group as the user's
> > > primary group, and still use 'rid' backend. If I remember well,
> > > the setting resides in the "Member of" tab of Active Directory
> > > Users and Computers (ADUC).
> >
> > Wrong, that just adds another attribute ('msSFU30PosixMember' I
> > think) and this is ignored.
> >
> > Yes, there is another way, add user to a group, change users
> > primaryGroupID attribute to contain the RID of the new group and
> > your users group on Unix will be the new group. Unfortunately there
> > is a big problem with doing this, it breaks Windows, as it relies
> > on all users being a member of Domain Users and that group not
> > actually having any members ;-)
>
> Are you sure about that? I am using the RID backend and I just tested
> this:
>
> I logged on to Windows 7 as a regular user

What do you mean by 'regular user'?

> having a particular group
> set as "Primary group"

How are you setting the 'primary group'? By default all AD users (aka Windows users) are members of the 'Domain Users' group even though they do not appear in the 'Domain Users' AD object.

> and I created a new file and a new folder
> inside a share. Looking at it on the security tab, I can see that the
> "Domain Users" group is not in the list of permissions.
>
> I logged out.

Have you done something strange like changing the contents of the user's 'primaryGroupID' attribute?

> As Administrator, using ADUC, in the "Member of" tab I changed the
> primary group of the same user to the "Domain users" default.

Yep, it sounds like you have.

> I logged on again as the same regular user and I created a new file
> and a new folder inside the same share. Looking at the "Security"
> tab, I see that the "Domain users" group is now there, with advanced
> permissions of "Full Control, This object only" and "Full Control,
> This folder only".
>
> Resetting the user's primary group to its original group restores the
> intended behavior, the "Domain Users" is no longer present in newly
> created files or folders.

No, this is not the intended behaviour, it might be your intended behaviour, but it isn't Windows.

> This is a Samba Active Directory serving a network of mainly Windows
> 7 machines. The Samba version is 4.8.3. As I said before, the RID
> backend is in use.

All the 'rid' backend does is calculate the user & group IDs from their 'RID'.

Rowland
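As an added illustration of the mapping discussed in this thread (not code from the thread or from Samba itself): the 'rid' backend derives every Unix ID as the idmap range's low value plus the RID taken from the SID, and a user's Unix primary group follows the primaryGroupID attribute, whose default 513 is the well-known RID of 'Domain Users' (which is why that membership never shows up as a member entry on the group object). The domain SID and idmap range below are constructed, not taken from the thread.

```python
# Added example, not Samba's own code. Models what 'idmap config DOMAIN : backend = rid'
# does with a user's objectSid and primaryGroupID. Domain SID and range are constructed.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
IDMAP_RANGE = (10000, 999999)   # assumed: idmap config DOMAIN : range = 10000-999999
DOMAIN_USERS_RID = 513          # well-known RID of 'Domain Users', the default primaryGroupID


def rid_of(sid: str) -> int:
    """Return the relative identifier, i.e. the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_unix_id(rid: int, idmap_range=IDMAP_RANGE) -> int:
    """idmap_rid rule: unix id = RANGE_LOW + RID; RIDs that land past RANGE_HIGH are unmapped."""
    low, high = idmap_range
    unix_id = low + rid
    if unix_id > high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside idmap range {low}-{high}")
    return unix_id


def unix_identity(object_sid: str, primary_group_id: int) -> dict:
    """Unix uid and primary gid a 'rid'-mapped AD user receives.

    Changing primaryGroupID (as described in the thread) changes 'gid' here, but it
    also removes the user's implicit 'Domain Users' membership on the Windows side.
    """
    return {
        "uid": rid_to_unix_id(rid_of(object_sid)),
        "gid": rid_to_unix_id(primary_group_id),
        "primary_is_domain_users": primary_group_id == DOMAIN_USERS_RID,
    }


def effective_gids(primary_group_id: int, member_of_rids) -> set:
    """All Unix gids the user holds: the primary group (via primaryGroupID) plus the
    groups whose 'member' attribute lists the user (given here by RID)."""
    gids = {rid_to_unix_id(primary_group_id)}
    gids.update(rid_to_unix_id(rid) for rid in member_of_rids)
    return gids


if __name__ == "__main__":
    user_sid = DOMAIN_SID + "-1105"          # constructed user RID 1105
    print(unix_identity(user_sid, DOMAIN_USERS_RID))
    print(unix_identity(user_sid, 1200))     # primaryGroupID pointed at a custom group, RID 1200
    print(sorted(effective_gids(1200, [513, 1300])))
```

Compare the gid in the two `unix_identity` calls with what `wbinfo --sid-to-gid` and `id <user>` report on a real member server to confirm the range in use.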