Marco Gaiarin
2021-Feb-25 11:27 UTC
[Samba] Any drawback in changing primary group of domain users ?
Mandi! Nicola Mingotti via samba In chel di` si favelave...> The reason I want to perform this is because > if a user makes a directory It gets by default group > "Domain users".Try to change POSIX primary group, eg 'gidNumber:'. The only thing you have to note is that the group 'gidNumber' belong to have to be listed as one for which the user ar member, otherwise something unpredicted could be happen. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland penny
2021-Feb-25 11:45 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 25/02/2021 11:27, Marco Gaiarin via samba wrote:> Mandi! Nicola Mingotti via samba > In chel di` si favelave... > >> The reason I want to perform this is because >> if a user makes a directory It gets by default group >> "Domain users". > Try to change POSIX primary group, eg 'gidNumber:'. > > The only thing you have to note is that the group 'gidNumber' belong to > have to be listed as one for which the user ar member, otherwise > something unpredicted could be happen. >That will not make 'getent passwd' show a Unix group as the users primary group, not unless you set the required 'idmap config' line in smb.conf on the Unix domain member, but the users primary group on Windows would still be Domain Users and I do not think it is a good idea to have different primary groups depending on the OS. Rowland
Nicola Mingotti
2021-Feb-25 13:56 UTC
[Samba] Any drawback in changing primary group of domain users ?
After reading all of your considerations, which at the moment I can only partially understand, this is what I made. ---- /etc/smb.conf -------------------- force group = adm -------------------------------------------- It seemed to me the easiest solution. To perform and to maintain. I leave the Primary Group to "Domain Users" for all Windows domain user, not to go against Windows habits. I will keep it working for a week and see if any issue emerges. The benefits seems to be: . Directories don't get by default "Domain user" group when written in the ext4. So "Domain user" people can go only where I say they can go through 'getfacl'.? I don't need to worry any more about the interaction between Linux group permission and the W.Domain users. . My default user in NAS? is in the group "adm". 'adm' is not defined as a group in AD => I can walk? freely in the shared disk still being only a "Linux user" without any Windows Domain Group. thank you all for your insightful considerations and experience ! bye Nicola On 2/25/21 12:27 PM, Marco Gaiarin via samba wrote:> Mandi! Nicola Mingotti via samba > In chel di` si favelave... > >> The reason I want to perform this is because >> if a user makes a directory It gets by default group >> "Domain users". > Try to change POSIX primary group, eg 'gidNumber:'. > > The only thing you have to note is that the group 'gidNumber' belong to > have to be listed as one for which the user ar member, otherwise > something unpredicted could be happen. >