Roy Eastwood
2021-Feb-26 09:41 UTC
[Samba] Any drawback in changing primary group of domain users ?
> -----Original Message-----
> From: Nicola Mingotti <nmingotti at gmail.com>
> Sent: 25 February 2021 19:06
> To: Roy Eastwood <spindles7 at gmail.com>; samba at lists.samba.org
> Cc: nmingotti at gmail.com
> Subject: Re: [Samba] Any drawback in changing primary group of domain users ?
>
>
>
> On 2/25/21 4:40 PM, Roy Eastwood wrote:
> >> Nicola wrote
> >> After reading all of your considerations, which at the moment
> >> I can only partially understand, this is what I made.
> >>
> >> ---- /etc/smb.conf --------------------
> >> force group = adm
> >> --------------------------------------------
> >>
> >> It seemed to me the easiest solution. To perform and to maintain.
> >>
> >> I leave the Primary Group to "Domain Users" for all Windows domain user,
> >> not to go against Windows habits.
> >>
> >> I will keep it working for a week and see if any issue emerges.
> >>
> >> The benefits seem to be:
> >>
> >> . Directories don't get by default "Domain user" group when written in
> >> the ext4. So "Domain user" people
> >> can go only where I say they can go through 'getfacl'. I don't need to
> >> worry any more
> >> about the interaction between Linux group permission and the W.Domain
> >> users.
> >>
> >> . My default user in NAS is in the group "adm". 'adm' is not defined
> >> as a group in AD => I can walk freely in the shared disk still being
> >> only a
> >> "Linux user" without any Windows Domain Group.
> >>
> >> thank you all for your insightful considerations and experience !
> >>
> >> bye
> >> Nicola
> >>
> > Maybe I've misunderstood your issues, but if you add
> > acl_xattr:ignore system acl = yes
> > to your smb.conf (instead of force group) will that solve the problem?
> >
> > Roy
> >
>
> Hi Roy,
>
> maybe that would work as well. I preferred the other just because
> I already used it. The NAS is in production, the amount of experiments
> I can do is limited.
>
> The problem is that I was having strange issues of users not able to
> reach some contents, condition which, by ACL rules, should not have
> happened.
>
> I read all what I could find about Samba, permissions, ACL, etc. still my
> grasp
> of the whole story is not strong. So I can not analyze the issue
> deductively.
> Instead, I noticed that the directory having problems had all "Domain user"
> as a group, in Linux, so I induced there might have been a clash of
> permissions between
> ACL rules and Linux directory group permissions.
>
> Then I thought I might have changed the default group from Domain Users
> to something different. Somebody recommended against it, I think Rowland.
> So, I preferred to roll back to a previous config which should be safer.

@Rowland I think the OP's problems stem from the fact that both POSIX ACLs and Windows ACLs are in play.
I have scanned the WiKi and can find no reference to adding the line:
acl_xattr:ignore system acl = yes
to either the share definition or the global section of smb.conf when using Windows ACLs.
Is it worth making this clear by adding it to the https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
page?

Roy
Rowland penny
2021-Feb-26 10:28 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 26/02/2021 09:41, Roy Eastwood via samba wrote:
> @Rowland I think the OP's problems stem from the fact that both POSIX ACLs and Windows ACLs are in play.

On the wikipage:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It says this:

Do not set ANY additional share parameters, such as force user or valid users. Adding them to the share definition can prevent you from configuring or using the share.

However, there isn't anything on the POSIX wikipage:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

> I have scanned the WiKi and can find no reference to adding the line:
> acl_xattr:ignore system acl = yes
> to either the share definition or the global section of smb.conf when using Windows ACLs.

Using that setting only really makes sense if you are using Windows ACLs, because you want to use the system ACLs if using setfacl.

Whichever method you use, Windows or POSIX ACLs, you should not mix them. Either set the permissions from Windows or on the Samba server using setfacl.

Rowland

> Is it worth making this clear by adding it to the https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> page?
>
> Roy
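
The "do not mix them" rule from the reply above can be checked against a configuration file. The following is an added example, not code from the thread or from the Samba project: it reads an smb.conf and reports shares that load acl_xattr together with force user, force group or valid users, and shares that set the ignore-system-ACLs option without loading the module. Assumptions: the option is spelled `acl_xattr:ignore system acls` as in the vfs_acl_xattr manual page, the share names and paths are constructed, and labelling every share without acl_xattr as "posix" is a simplification.

```python
# Parameters the quoted wiki text warns about, plus the thread's "force group".
RISKY = ("force user", "force group", "valid users")
SAMPLE = """\
# constructed smb.conf fragment, not taken from the thread
[global]
    vfs objects = acl_xattr
[projects]
    path = /srv/samba/projects
    acl_xattr:ignore system acls = yes
    force group = adm
[legacy]
    path = /srv/samba/legacy
    vfs objects = recycle
    acl_xattr:ignore system acls = yes
[team]
    path = /srv/samba/team
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Map each share to (acl_model, findings)."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    report = {}
    for share, params in conf.items():
        eff = {**glob, **params}  # share-level values override [global]
        windows = "acl_xattr" in eff.get("vfs objects", "").split()
        ignore = eff.get("acl_xattr:ignore system acls", "no").lower() == "yes"
        findings = [f"{p} set on a Windows-ACL share"
                    for p in RISKY if windows and p in eff]
        if ignore and not windows:
            findings.append("ignore system acls set but acl_xattr not loaded")
        report[share] = ("windows" if windows else "posix", findings)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live server, feeding it the output of `testparm -s` instead of the raw file also picks up included files and resolved defaults.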
Nicola Mingotti
2021-Feb-26 17:29 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 2/26/21 10:41 AM, Roy Eastwood wrote:
>
>> -----Original Message-----
>> From: Nicola Mingotti <nmingotti at gmail.com>
>> Sent: 25 February 2021 19:06
>> To: Roy Eastwood <spindles7 at gmail.com>; samba at lists.samba.org
>> Cc: nmingotti at gmail.com
>> Subject: Re: [Samba] Any drawback in changing primary group of domain users ?
>>
>>
>>
>> On 2/25/21 4:40 PM, Roy Eastwood wrote:
>>>> Nicola wrote
>>>> After reading all of your considerations, which at the moment
>>>> I can only partially understand, this is what I made.
>>>>
>>>> ---- /etc/smb.conf --------------------
>>>> force group = adm
>>>> --------------------------------------------
>>>>
>>>> It seemed to me the easiest solution. To perform and to maintain.
>>>>
>>>> I leave the Primary Group to "Domain Users" for all Windows domain user,
>>>> not to go against Windows habits.
>>>>
>>>> I will keep it working for a week and see if any issue emerges.
>>>>
>>>> The benefits seem to be:
>>>>
>>>> . Directories don't get by default "Domain user" group when written in
>>>> the ext4. So "Domain user" people
>>>> can go only where I say they can go through 'getfacl'. I don't need to
>>>> worry any more
>>>> about the interaction between Linux group permission and the W.Domain
>>>> users.
>>>>
>>>> . My default user in NAS is in the group "adm". 'adm' is not defined
>>>> as a group in AD => I can walk freely in the shared disk still being
>>>> only a
>>>> "Linux user" without any Windows Domain Group.
>>>>
>>>> thank you all for your insightful considerations and experience !
>>>>
>>>> bye
>>>> Nicola
>>>>
>>> Maybe I've misunderstood your issues, but if you add
>>> acl_xattr:ignore system acl = yes
>>> to your smb.conf (instead of force group) will that solve the problem?
>>>
>>> Roy
>>>
>> Hi Roy,
>>
>> maybe that would work as well. I preferred the other just because
>> I already used it. The NAS is in production, the amount of experiments
>> I can do is limited.
>>
>> The problem is that I was having strange issues of users not able to
>> reach some contents, condition which, by ACL rules, should not have
>> happened.
>>
>> I read all what I could find about Samba, permissions, ACL, etc. still my
>> grasp
>> of the whole story is not strong. So I can not analyze the issue
>> deductively.
>> Instead, I noticed that the directory having problems had all "Domain user"
>> as a group, in Linux, so I induced there might have been a clash of
>> permissions between
>> ACL rules and Linux directory group permissions.
>>
>> Then I thought I might have changed the default group from Domain Users
>> to something different. Somebody recommended against it, I think Rowland.
>> So, I preferred to roll back to a previous config which should be safer.
> @Rowland I think the OP's problems stem from the fact that both POSIX ACLs and Windows ACLs are in play.
> I have scanned the WiKi and can find no reference to adding the line:
> acl_xattr:ignore system acl = yes
> to either the share definition or the global section of smb.conf when using Windows ACLs.
> Is it worth making this clear by adding it to the https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> page?
>
> Roy
>

Hi Roy,

forgive my beginner question, but if I would set the parameter as you say would it be possible to change the ACL on the shared disk using Linux 'setfacl' ?

Using 'setfacl' has been a priceless plus in my case. Much better than using Windows tools. If that would be lost my humble recommendation is not to put it into the wiki.

bye
Nicola