Nicola Mingotti
2021-Feb-25 19:06 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 2/25/21 4:40 PM, Roy Eastwood wrote:
>> Nicola wrote
>> After reading all of your considerations, which at the moment
>> I can only partially understand, this is what I made.
>>
>> ---- /etc/smb.conf --------------------
>> force group = adm
>> --------------------------------------------
>>
>> It seemed to me the easiest solution. To perform and to maintain.
>>
>> I leave the Primary Group to "Domain Users" for all Windows domain users,
>> not to go against Windows habits.
>>
>> I will keep it working for a week and see if any issue emerges.
>>
>> The benefits seem to be:
>>
>> . Directories don't get by default "Domain user" group when written in
>> the ext4. So "Domain user" people can go only where I say they can go
>> through 'getfacl'. I don't need to worry any more about the interaction
>> between Linux group permission and the W.Domain users.
>>
>> . My default user in NAS is in the group "adm". 'adm' is not defined
>> as a group in AD => I can walk freely in the shared disk still being
>> only a "Linux user" without any Windows Domain Group.
>>
>> thank you all for your insightful considerations and experience !
>>
>> bye
>> Nicola
>>
> Maybe I've misunderstood your issues, but if you add
> acl_xattr:ignore system acl = yes
> to your smb.conf (instead of force group) will that solve the problem?
>
> Roy
>

Hi Roy,

maybe that would work as well. I preferred the other just because I already used it. The NAS is in production, the amount of experiments I can do is limited.

The problem is that I was having strange issues of users not able to reach some contents, a condition which, by ACL rules, should not have happened.

I read all that I could find about Samba, permissions, ACL, etc. Still, my grasp of the whole story is not strong. So I can not analyze the issue deductively. Instead, I noticed that the directory having problems had all "Domain user" as a group, in Linux, so I induced there might have been a clash of permissions between ACL rules and Linux directory group permissions.

Then I thought I might have changed the default group from Domain Users to something different. Somebody recommended against it, I think Rowland. So, I preferred to roll back to a previous config which should be safer.

I will see what happens tomorrow morning. If something didn't work I will know soon enough.

Sorry for the confusion. I posted two related but different questions in a short time. I will not repeat the same mistake again.

Thanks everybody for your suggestions !

bye
Nicola
Roy Eastwood
2021-Feb-26 09:41 UTC
[Samba] Any drawback in changing primary group of domain users ?
> -----Original Message-----
> From: Nicola Mingotti <nmingotti at gmail.com>
> Sent: 25 February 2021 19:06
> To: Roy Eastwood <spindles7 at gmail.com>; samba at lists.samba.org
> Cc: nmingotti at gmail.com
> Subject: Re: [Samba] Any drawback in changing primary group of domain users ?
>
> On 2/25/21 4:40 PM, Roy Eastwood wrote:
> >> Nicola wrote
> >> After reading all of your considerations, which at the moment
> >> I can only partially understand, this is what I made.
> >>
> >> ---- /etc/smb.conf --------------------
> >> force group = adm
> >> --------------------------------------------
> >>
> >> It seemed to me the easiest solution. To perform and to maintain.
> >>
> >> I leave the Primary Group to "Domain Users" for all Windows domain users,
> >> not to go against Windows habits.
> >>
> >> I will keep it working for a week and see if any issue emerges.
> >>
> >> The benefits seem to be:
> >>
> >> . Directories don't get by default "Domain user" group when written in
> >> the ext4. So "Domain user" people can go only where I say they can go
> >> through 'getfacl'. I don't need to worry any more about the interaction
> >> between Linux group permission and the W.Domain users.
> >>
> >> . My default user in NAS is in the group "adm". 'adm' is not defined
> >> as a group in AD => I can walk freely in the shared disk still being
> >> only a "Linux user" without any Windows Domain Group.
> >>
> >> thank you all for your insightful considerations and experience !
> >>
> >> bye
> >> Nicola
> >>
> > Maybe I've misunderstood your issues, but if you add
> > acl_xattr:ignore system acl = yes
> > to your smb.conf (instead of force group) will that solve the problem?
> >
> > Roy
> >
>
> Hi Roy,
>
> maybe that would work as well. I preferred the other just because
> I already used it. The NAS is in production, the amount of experiments
> I can do is limited.
>
> The problem is that I was having strange issues of users not able to
> reach some contents, a condition which, by ACL rules, should not have
> happened.
>
> I read all that I could find about Samba, permissions, ACL, etc. Still, my
> grasp of the whole story is not strong. So I can not analyze the issue
> deductively.
> Instead, I noticed that the directory having problems had all "Domain user"
> as a group, in Linux, so I induced there might have been a clash of
> permissions between ACL rules and Linux directory group permissions.
>
> Then I thought I might have changed the default group from Domain Users
> to something different. Somebody recommended against it, I think Rowland.
> So, I preferred to roll back to a previous config which should be safer.

@Rowland

I think the OP's problems stem from the fact that both POSIX ACLs and Windows ACLs are in play. I have scanned the wiki and can find no reference to adding the line:

acl_xattr:ignore system acl = yes

to either the share definition or the global section of smb.conf when using Windows ACLs. Is it worth making this clear by adding it to the https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs page?

Roy
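
The observation in the thread (problem directories owned by the "Domain Users" group, with POSIX ACLs and Windows ACLs both in play) can be checked across a share before changing smb.conf. The script below is an added example, not part of the thread or of Samba; the share path and group name in the usage comment are hypothetical. It assumes Linux and that vfs_acl_xattr stores the Windows ACL in the `security.NTACL` extended attribute.

```python
import os
import stat

NTACL_XATTR = "security.NTACL"                # Windows ACL as stored by vfs_acl_xattr
POSIX_ACL_XATTR = "system.posix_acl_access"   # POSIX ACL, the one getfacl shows

def group_bits(mode):
    """Render the group permission triplet of a mode, e.g. 'rwx' or 'r-x'."""
    return "".join(
        ch if mode & bit else "-"
        for ch, bit in (("r", stat.S_IRGRP), ("w", stat.S_IWGRP), ("x", stat.S_IXGRP))
    )

def audit_tree(root, gid):
    """List directories under root owned by group gid and the ACL layers on each."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.stat(dirpath)
        if st.st_gid != gid:
            continue
        try:
            names = set(os.listxattr(dirpath))
        except OSError:          # no xattr support on this filesystem, or no permission
            names = set()
        findings.append({
            "path": dirpath,
            "group_perms": group_bits(st.st_mode),
            "setgid": bool(st.st_mode & stat.S_ISGID),
            "posix_acl": POSIX_ACL_XATTR in names,
            "nt_acl": NTACL_XATTR in names,
        })
    return findings

if __name__ == "__main__":
    import grp
    import sys
    # Usage (hypothetical values): audit.py /srv/share "Domain Users"
    root, group_name = sys.argv[1], sys.argv[2]
    gid = grp.getgrnam(group_name).gr_gid   # resolved through NSS (winbind on a domain member)
    for f in audit_tree(root, gid):
        layers = [k for k in ("posix_acl", "nt_acl") if f[k]] or ["mode bits only"]
        print(f"{f['path']}  group={f['group_perms']}  setgid={f['setgid']}  layers={layers}")
```

Directories reported with both `posix_acl` and `nt_acl` are the ones where the two permission layers can disagree. Run it with enough privilege to traverse the whole share.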