Nicola Mingotti
2021-Feb-25 13:56 UTC
[Samba] Any drawback in changing primary group of domain users ?
After reading all of your considerations, which at the moment I can only partially understand, this is what I did.

---- /etc/smb.conf --------------------
force group = adm
--------------------------------------------

It seemed to me the easiest solution. To perform and to maintain.

I leave the Primary Group to "Domain Users" for all Windows domain users, not to go against Windows habits.

I will keep it working for a week and see if any issue emerges.

The benefits seem to be:

. Directories don't get by default "Domain user" group when written in the ext4. So "Domain user" people can go only where I say they can go through 'getfacl'. I don't need to worry any more about the interaction between Linux group permission and the W.Domain users.

. My default user in NAS is in the group "adm". 'adm' is not defined as a group in AD => I can walk freely in the shared disk still being only a "Linux user" without any Windows Domain Group.

thank you all for your insightful considerations and experience !

bye
Nicola

On 2/25/21 12:27 PM, Marco Gaiarin via samba wrote:
> Mandi! Nicola Mingotti via samba
> In chel di` si favelave...
>
>> The reason I want to perform this is because
>> if a user makes a directory It gets by default group
>> "Domain users".
> Try to change POSIX primary group, eg 'gidNumber:'.
>
> The only thing you have to note is that the group the 'gidNumber' belongs to
> has to be listed as one of which the user is a member, otherwise
> something unpredictable could happen.
>
Roy Eastwood
2021-Feb-25 15:40 UTC
[Samba] Any drawback in changing primary group of domain users ?
> Nicola wrote
> After reading all of your considerations, which at the moment
> I can only partially understand, this is what I did.
>
> ---- /etc/smb.conf --------------------
> force group = adm
> --------------------------------------------
>
> It seemed to me the easiest solution. To perform and to maintain.
>
> I leave the Primary Group to "Domain Users" for all Windows domain users,
> not to go against Windows habits.
>
> I will keep it working for a week and see if any issue emerges.
>
> The benefits seem to be:
>
> . Directories don't get by default "Domain user" group when written in
> the ext4. So "Domain user" people can go only where I say they can go
> through 'getfacl'. I don't need to worry any more about the interaction
> between Linux group permission and the W.Domain users.
>
> . My default user in NAS is in the group "adm". 'adm' is not defined
> as a group in AD => I can walk freely in the shared disk still being
> only a "Linux user" without any Windows Domain Group.
>
> thank you all for your insightful considerations and experience !
>
> bye
> Nicola
>

Maybe I've misunderstood your issues, but if you add

acl_xattr:ignore system acls = yes

to your smb.conf (instead of force group) will that solve the problem?

Roy