Hi,

On a samba 4.9.4 fileserver using ad backend with rfc2307, when I create a file from a Win10 client, it's always created with the rights user:"domain users".
I've understood that with "unix_primary_group = yes", the file should be created with the rights user:gidNumber.

Here is my config:

[global]
security = ADS
workgroup = SAMBA494
realm = SAMBA494.UNIV-BREST.FR
log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 700000001-800000000
idmap config SAMBA494 : backend = ad
idmap config SAMBA494 : range = 100000-4000000
idmap config SAMBA494 : schema_mode = rfc2307

idmap config SAMBA494 : unix_nss_info = yes
idmap config SAMBA494 : unix_primary_group = yes

username map = /etc/samba/samba_usermapping

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

usershare path

[homes]
comment = repertoires personnels
browseable = no
read only = no
force create mode = 0755
force directory mode = 0755

id dare
uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),105000(domain users),700000002(BUILTIN\users)

root@mom11:/home/d/dare# ls -l
total 8
drwxrwxr-x+ 2 dare domain users 4096 févr. 6 11:44 test_win10_v1

root@mom11:/home/d/dare# getfacl test_win10_v1/
# file: test_win10_v1/
# owner: dare
# group: domain\040users
user::rwx
user:dare:rwx
group::r-x
group:domain\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:dare:rwx
default:group::r-x
default:group:domain\040users:r-x
default:mask::rwx
default:other::r-x

What am I missing?

Thanks,

Christian D

--
<http://www.univ-brest.fr>

Hi,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Daré via samba
> Sent: Wednesday 6 February 2019 11:54
> To: samba at lists.samba.org
> Subject: [Samba] unix_primary_group = yes don t work
>
> Hi,
>
> On a samba 4.9.4 fileserver using ad backend with rfc2307, when I
> create a file from a Win10 client, it's always created with the rights
> user:"domain users".
> I've understood that with "unix_primary_group = yes", the file should
> be created with the rights user:gidNumber.

Yes, and if the gid resolves to a name then you see the name of the group.

>
> Here is my config:
> [global]
> security = ADS
> workgroup = SAMBA494
> realm = SAMBA494.UNIV-BREST.FR
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 700000001-800000000
> idmap config SAMBA494 : backend = ad
> idmap config SAMBA494 : range = 100000-4000000
> idmap config SAMBA494 : schema_mode = rfc2307
>
> idmap config SAMBA494 : unix_nss_info = yes
> idmap config SAMBA494 : unix_primary_group = yes
>
> username map = /etc/samba/samba_usermapping
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> winbind enum users = yes
> winbind enum groups = yes

Once you're done testing, set these winbind enum user/group to No.
Everything keeps working.
You can test this with: getent passwd username / getent passwd group / id group ..

> winbind use default domain = yes
>
> usershare path
>
> [homes]
> comment = repertoires personnels
> browseable = no
> read only = no
> force create mode = 0755
> force directory mode = 0755
>
> id dare
> uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),105000(domain users),700000002(BUILTIN\users)
>
> root@mom11:/home/d/dare# ls -l
> total 8
> drwxrwxr-x+ 2 dare domain users 4096 févr. 6 11:44 test_win10_v1
>
> root@mom11:/home/d/dare# getfacl test_win10_v1/
> # file: test_win10_v1/
> # owner: dare
> # group: domain\040users
> user::rwx
> user:dare:rwx
> group::r-x
> group:domain\040users:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:dare:rwx
> default:group::r-x
> default:group:domain\040users:r-x
> default:mask::rwx
> default:other::r-x
>
> What am I missing?

Nope, it's exactly as you have set up.
Your mistake (not really a mistake but more a misconfiguration / thought..)

Here you're checking the "Windows" ACLs.
root@mom11:/home/d/dare# getfacl test_win10_v1/

Here you're forcing POSIX ACLs.

> force create mode = 0755
> force directory mode = 0755

The above force settings should be removed.

Is this a "userhome dir" or "profiles folder"?
Because these need a bit different rights, .. depending on your needs..
My suggestion, re-read.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
And
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Greetz,

Louis

Thanks for the answer, Louis.

I'm talking about the userhome dir. I've already read https://wiki.samba.org/index.php/User_Home_Folders and I'm applying the POSIX ACLs to my share.
As the users' home is shared between Windows and Linux, I'd rather use the POSIX ACLs than the Windows ones.
Besides, the homedirs of my users have a form like /home/ first letter of name /login (ex: /home/d/dare) and I can't change that; this is why I use the [home] share, it's the simplest solution for me.

Is it mandatory to use the Windows ACLs to have the functionality I'm looking for?

On 06/02/2019 at 12:08, L.P.H. van Belle via samba wrote:
> Hi,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Christian Daré via samba
>> Sent: Wednesday 6 February 2019 11:54
>> To: samba at lists.samba.org
>> Subject: [Samba] unix_primary_group = yes don t work
>>
>> Hi,
>>
>> On a samba 4.9.4 fileserver using ad backend with rfc2307, when I
>> create a file from a Win10 client, it's always created with the rights
>> user:"domain users".
>> I've understood that with "unix_primary_group = yes", the file should
>> be created with the rights user:gidNumber.
> Yes, and if the gid resolves to a name then you see the name of the group.
>
>> Here is my config:
>> [global]
>> security = ADS
>> workgroup = SAMBA494
>> realm = SAMBA494.UNIV-BREST.FR
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 700000001-800000000
>> idmap config SAMBA494 : backend = ad
>> idmap config SAMBA494 : range = 100000-4000000
>> idmap config SAMBA494 : schema_mode = rfc2307
>>
>> idmap config SAMBA494 : unix_nss_info = yes
>> idmap config SAMBA494 : unix_primary_group = yes
>>
>> username map = /etc/samba/samba_usermapping
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> winbind enum users = yes
>> winbind enum groups = yes
> Once you're done testing, set these winbind enum user/group to No.
> Everything keeps working.
> You can test this with: getent passwd username / getent passwd group / id group ..
>
>> winbind use default domain = yes
>>
>> usershare path
>>
>> [homes]
>> comment = repertoires personnels
>> browseable = no
>> read only = no
>> force create mode = 0755
>> force directory mode = 0755
>>
>> id dare
>> uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),105000(domain users),700000002(BUILTIN\users)
>>
>> root@mom11:/home/d/dare# ls -l
>> total 8
>> drwxrwxr-x+ 2 dare domain users 4096 févr. 6 11:44 test_win10_v1
>>
>> root@mom11:/home/d/dare# getfacl test_win10_v1/
>> # file: test_win10_v1/
>> # owner: dare
>> # group: domain\040users
>> user::rwx
>> user:dare:rwx
>> group::r-x
>> group:domain\040users:r-x
>> mask::rwx
>> other::r-x
>> default:user::rwx
>> default:user:dare:rwx
>> default:group::r-x
>> default:group:domain\040users:r-x
>> default:mask::rwx
>> default:other::r-x
>>
>> What am I missing?
> Nope, it's exactly as you have set up.
> Your mistake (not really a mistake but more a misconfiguration / thought..)
>
> Here you're checking the "Windows" ACLs.
> root@mom11:/home/d/dare# getfacl test_win10_v1/
>
> Here you're forcing POSIX ACLs.
>> force create mode = 0755
>> force directory mode = 0755
> The above force settings should be removed.
>
> Is this a "userhome dir" or "profiles folder"?
> Because these need a bit different rights, .. depending on your needs..
> My suggestion, re-read.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> And
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Greetz,
>
> Louis
>

--
UBO <http://www.univ-brest.fr>

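
The mismatch reported in this thread can be checked mechanically. The following is an added example, not part of any poster's message or of Samba: it parses `id` and `getfacl` output (the samples are excerpts copied from the first post) and reports whether the directory's owning group is the user's primary group; all function and key names are assumptions of this example.

```python
import re

# Excerpts of the `id` and `getfacl` output copied from the first post in this thread.
ID_LINE = ("uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),"
           "105000(domain users),700000002(BUILTIN\\users)")
GETFACL_TEXT = r"""# file: test_win10_v1/
# owner: dare
# group: domain\040users
group::r-x
group:domain\040users:r-x
default:group::r-x
default:group:domain\040users:r-x
"""

def unescape(name):
    """getfacl prints special characters as \\ooo octal escapes (\\040 = space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_id(line):
    """Return (user, primary group, group names); the third key is locale dependent."""
    m = re.match(r"uid=\d+\(([^)]*)\) gid=\d+\(([^)]*)\) \w+=(.*)$", line.strip())
    if not m:
        raise ValueError("unrecognised id output")
    return m.group(1), m.group(2), re.findall(r"\d+\(([^)]*)\)", m.group(3))

def parse_getfacl(text):
    """Return (header dict, list of (is_default, tag, qualifier, perms))."""
    header, entries = {}, []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            header[key] = unescape(value)
        elif line.strip():
            parts = line.split("#", 1)[0].strip().split(":")
            is_default = parts[0] == "default"
            tag, qualifier, perms = parts[1:4] if is_default else parts[0:3]
            entries.append((is_default, tag, unescape(qualifier), perms))
    return header, entries

def check_group(id_line, getfacl_text):
    """Compare the directory's owning group with the user's primary group."""
    _user, primary, groups = parse_id(id_line)
    header, entries = parse_getfacl(getfacl_text)
    file_group = header["group"]
    return {"primary_group": primary, "file_group": file_group,
            "group_is_primary": file_group == primary,
            "group_is_supplementary": file_group != primary and file_group in groups,
            "inherited_group_entries": sorted({q for d, t, q, _ in entries if d and t == "group" and q})}

print(check_group(ID_LINE, GETFACL_TEXT))
```

On a live server, pass it the real output of `id <user>` and `getfacl <path>` instead of the embedded samples.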