Nicola Mingotti
2021-Feb-25 08:16 UTC
[Samba] Any drawback in changing primary group of domain users ?
Hi,

These days I am trying to do some polishing/tuning in my NAS
and I focused my attention on a detail: all domain users have
"Primary group" set to "Domain users".

I don't like it much. I would prefer e.g. the user 'foo' to have
by default as primary group 'g-foo'.

Before I make a systematic change to all my users I would like
to know your opinion about this. Do you foresee any issue
if I perform such a move?

Also, I can change the Primary group from Windows tools
but I can't find a proper way of doing it from Linux.
Any ideas?

bye
Nicola
Rowland Penny
2021-Feb-25 08:58 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 25/02/2021 08:16, Nicola Mingotti via samba wrote:
> Hi,
>
> In these days I am trying to do some polishing/tuning in my NAS
> and I focused my attention on a detail: all domain users have
> "Primary group" set to "Domain users".
>
> I don't like it much. I would prefer e.g. the user 'foo' to have
> by default as primary group 'g-foo'.
>
> Before I do systematic change to all my users I would like
> to know your opinion about this. Do you foresee any issue
> if I perform such a move ?

Why do you want to do this?

I once tried doing this, just to see how it was done, and it is very complicated.

First you have to check that the group exists and create it if it doesn't; you will also have to give the group a gidNumber if you are using the winbind 'ad' backend. Next you change the user's primaryGroupID to the group's RID. Finally you must add the user as a member of Domain Users.

You would have to do this every time you create a new user.

Lot easier to just get used to all your users having the same group, this is Active Directory not Linux.

Rowland

> Also, I can change the Primary group from Windows tools
> but i can't find a proper way of doing it from Linux.
> Any ideas ?
>
> bye
> Nicola
Marco Gaiarin
2021-Feb-25 09:06 UTC
[Samba] Any drawback in changing primary group of domain users ?
Hello! Nicola Mingotti via samba
  On that day it was said...

> In these days I am trying to do some polishing/tuning in my NAS
> and I focused my attention on a detail: all domain users have
> "Primary group" set to "Domain users".

Some distinction is needed: do you mean 'windows primary group' or 'POSIX primary group'?
AFAI've understood, the former HAS to be 'Domain users' and 'cannot' be changed; the second may change, but has to be listed in (normal) group membership.

> I don't like it much. I would prefer e.g. the user 'foo' to have
> by default as primary group 'g-foo'.

Correct. This could also have some ''security implication'', if you use POSIX ACLs: by default the permission mask is equal to the POSIX primary group membership, so this leads to new files and folders created by users with group 'Domain Users' and group writable, e.g. new files are writable by any user (in 'Domain Users').

> Before I do systematic change to all my users I would like
> to know your opinion about this. Do you foresee any issue
> if I perform such a move ?
> Also, I can change the Primary group from Windows tools
> but i can't find a proper way of doing it from Linux.
> Any ideas ?

I'm still a bit 'confused' on this topic, too, so I seek some feedback as well...

Thanks.

--
dott. Marco Gaiarin                              GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
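An audit for the exposure described in the message above, as an added example that is not part of the original thread: it walks a share and reports entries that are group-writable by the broad group, plus directories owned by a narrower group that lack the setgid bit, so files created in them fall back to the creator's primary group (Linux behaviour). The function names, the constructed sample tree and the `broad_gid` parameter (the numeric gid that 'Domain Users' maps to on the file server) are assumptions; only mode bits are checked, not individual ACL entries.

```python
import os
import stat
import tempfile

BROAD = "group-writable by broad group"
NO_SETGID = "no setgid: new files get the creator's primary group"

def audit_tree(root, broad_gid):
    """Return sorted (relative_path, issue) pairs found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes carry no access information
            rel = os.path.relpath(path, root)
            # Writable by everyone in the broad group (e.g. 'Domain Users').
            if st.st_gid == broad_gid and st.st_mode & stat.S_IWGRP:
                findings.append((rel, BROAD))
            # A directory owned by a narrower group but without setgid: files
            # created in it are owned by the creator's primary group instead.
            if (stat.S_ISDIR(st.st_mode) and st.st_gid != broad_gid
                    and not st.st_mode & stat.S_ISGID):
                findings.append((rel, NO_SETGID))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample tree; returns the gid its entries were created with."""
    for name, mode in {"shared": 0o2770, "dept": 0o770}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # explicit, ignores umask
    for rel, mode in {"shared/report.txt": 0o660, "dept/notes.txt": 0o640}.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return os.stat(os.path.join(root, "dept")).st_gid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        gid = build_demo_tree(tmp)
        for rel, issue in audit_tree(tmp, gid):
            print(f"{rel}: {issue}")
```

On a real server, pass the share root and the gid reported by `getent group` for the domain-wide group.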
L.P.H. van Belle
2021-Feb-25 09:33 UTC
[Samba] Any drawback in changing primary group of domain users ?
How I handle this.

As long as you use SET/GETfacl you can just add a group to control the access in the folder.

How people handle this is mainly how your network/setup is done, so this can differ with other setups, but this is how I'm set up.

All my users have Primary group "Domain Users", just like how Windows handles this.

But then people think, ok, but all my files/folders now can be accessed by all users; yes, but only where you allowed them in with another security group.

user1, in group Domain users and SecurityGroup1.
user2, in group Domain users and SecurityGroup2.

/srv/data/security-folder1 has groups "domain admins Full" and SecurityGroup1 with right everything except full control, because with full control members of SecurityGroup1 could change rights, and personally I'm not allowing that.

/srv/data/security-folder2 has groups "domain admins Full" and SecurityGroup2 with right everything except full control, because with full control members of SecurityGroup2 could change rights, and personally I'm not allowing that.

user1 can't access SecurityGroup2, but if he could then all rights are set to "domain users" as group (the Primary Group).
user2 can't access SecurityGroup1, but if he could then all rights are set to "domain users" as group (the Primary Group).

Now this is done with "Creator Group", which makes the group get set to domain users.

So, every data/department folder has a group assigned to it that has all rights but full control, and "Creator Group" makes sure it gets the "users primary group" set on the files/folders INSIDE that "data/department folder".

I have in total 4 groups set by default.
1) "Creator Group"
2) The matching security group for that folder, used to allow or block access to the folder.
3) Domain admins and a new group "Folder managers" so selected users can create and change rights if needed.

That's it, I hope it's a bit clearer now.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Thursday 25 February 2021 10:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Any drawback in changing primary group of domain users ?
>
> Mandi! Nicola Mingotti via samba
>   In chel di` si favelave...
>
> > In these days I am trying to do some polishing/tuning in my NAS
> > and I focused my attention on a detail: all domain users have
> > "Primary group" set to "Domain users".
>
> It is needed to do some distiction: do you mean 'windows primary group'
> or 'POSIX primary group'?
> AFAI've understood, the former HAVE to be 'Domain users' and 'cannot'
> be changed; the second may change, but have to be listed in (normal)
> group membership.
>
> > I don't like it much. I would prefer e.g. the user 'foo' to have
> > by default as primary group 'g-foo'.
>
> Corect. This could have also some ''security implication'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group memebrship, so this lead to new file and folder created by user with
> group 'Domain Users' and group writeable, eg new files are writaeable
> by any users (in 'Domain Users').
>
> > Before I do systematic change to all my users I would like
> > to know your opinion about this. Do you foresee any issue
> > if I perform such a move ?
> > Also, I can change the Primary group from Windows tools
> > but i can't find a proper way of doing it from Linux.
> > Any ideas ?
>
> I'm still a bit 'confused' in this topic, too, so i seek some feedback
> me too...
>
> Thanks.
>
> --
> dott. Marco Gaiarin                              GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba