Roy Eastwood
2021-Feb-25 15:40 UTC
[Samba] Any drawback in changing primary group of domain users ?
> Nicola wrote
> After reading all of your considerations, which at the moment
> I can only partially understand, this is what I made.
>
> ---- /etc/smb.conf --------------------
> force group = adm
> --------------------------------------------
>
> It seemed to me the easiest solution. To perform and to maintain.
>
> I leave the Primary Group to "Domain Users" for all Windows domain user,
> not to go against Windows habits.
>
> I will keep it working for a week and see if any issue emerges.
>
> The benefits seems to be:
>
> . Directories don't get by default "Domain user" group when written in
> the ext4. So "Domain user" people can go only where I say they can go
> through 'getfacl'. I don't need to worry any more about the interaction
> between Linux group permission and the W.Domain users.
>
> . My default user in NAS is in the group "adm". 'adm' is not defined
> as a group in AD => I can walk freely in the shared disk still being
> only a "Linux user" without any Windows Domain Group.
>
> thank you all for your insightful considerations and experience !
>
> bye
> Nicola
>

Maybe I've misunderstood your issues, but if you add

acl_xattr:ignore system acl = yes

to your smb.conf (instead of force group) will that solve the problem?

Roy
Nicola Mingotti
2021-Feb-25 19:06 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 2/25/21 4:40 PM, Roy Eastwood wrote:
>> Nicola wrote
>> After reading all of your considerations, which at the moment
>> I can only partially understand, this is what I made.
>>
>> ---- /etc/smb.conf --------------------
>> force group = adm
>> --------------------------------------------
>>
>> It seemed to me the easiest solution. To perform and to maintain.
>>
>> I leave the Primary Group to "Domain Users" for all Windows domain user,
>> not to go against Windows habits.
>>
>> I will keep it working for a week and see if any issue emerges.
>>
>> The benefits seems to be:
>>
>> . Directories don't get by default "Domain user" group when written in
>> the ext4. So "Domain user" people can go only where I say they can go
>> through 'getfacl'. I don't need to worry any more about the interaction
>> between Linux group permission and the W.Domain users.
>>
>> . My default user in NAS is in the group "adm". 'adm' is not defined
>> as a group in AD => I can walk freely in the shared disk still being
>> only a "Linux user" without any Windows Domain Group.
>>
>> thank you all for your insightful considerations and experience !
>>
>> bye
>> Nicola
>>
> Maybe I've misunderstood your issues, but if you add
> acl_xattr:ignore system acl = yes
> to your smb.conf (instead of force group) will that solve the problem?
>
> Roy
>

Hi Roy,

maybe that would work as well. I preferred the other just because I already used it. The NAS is in production, the amount of experiments I can do is limited.

The problem is that I was having strange issues of users not able to reach some contents, a condition which, by ACL rules, should not have happened.

I read all that I could find about Samba, permissions, ACL, etc. Still, my grasp of the whole story is not strong. So I cannot analyze the issue deductively.

Instead, I noticed that the directory having problems had all "Domain user" as a group, in Linux, so I induced there might have been a clash of permissions between ACL rules and Linux directory group permissions.

Then I thought I might have changed the default group from Domain Users to something different. Somebody recommended against it, I think Rowland. So, I preferred to roll back to a previous config which should be safer.

I will see what happens tomorrow morning. If something didn't work I will know soon enough.

Sorry for the confusion. I posted two related but different questions in a short time. I will not repeat the same mistake again.

Thanks everybody for your suggestions!

bye
Nicola