Hai.

> I have subsequently worked out that to get 'getent group' to show users I
> need to add the following to smb.conf:
>
> winbind expand groups = 1
>
> This now gives:
>
> $ getent group g_alice
> g_alice:x:12345:alice
>
> However even with this setting and having restarted samba etc the files are
> still group 'domain user'.

Yes and this IS correct and the default..
I recommend NOT to change it.. and you really must..
Change primaryGroupID in the AD, but really, use ACLs..

So what's set as ACL on /home/alice?

getfacl /home/alice

Then next part..
It's what Rowland is saying, you should see all the users in the domain user group.

What's set in /etc/nsswitch.conf? Since you're using Ubuntu, and I don't think AppArmor is bugging you.
If that's the case you should see it in the syslog, I think.

The smb.conf is correct. Ow. ps, one thing..
You don't have "winbind refresh tickets = yes" in, add it.
At least, that's the only thing I didn't see.

I have this in nsswitch.conf on my Debian buster/bullseye servers.

passwd: compat winbind systemd
group: compat winbind systemd
...
hosts: files dns mdns4_minimal [NOTFOUND=return]

Also keep this in mind..
You can add a Windows user with UID/GID in a Linux group.
You can not add a Unix user to a Windows group.

So, what I think, the primary GroupID isn't changed from "domain users" to g_alice in the AD.
Or you're hitting a cache problem; try also:

net cache flush

But I'm pretty sure it's one of the above points.

Greetz,

Louis
Matthew Richardson
2022-Aug-18 09:00 UTC
[Samba] unix_primary_group not used when writing files
Hi,

Thanks for the extra info.

>> However even with this setting and having restarted samba etc the files are
>> still group 'domain user'.
>
> Yes and this IS correct and the default..
> I recommend NOT to change it.. and you really must..
> Change primaryGroupID in the AD, but really, use ACLS..

This doesn't seem to agree with what the Samba wiki docs say:

https://wiki.samba.org/index.php/Idmap_config_ad

"There is now a new setting unix_primary_group, this allows you to use another group for the users primary group instead of Domain Users. If this is set with unix_primary_group = yes, the users primary group is obtained from the gidNumber attribute found in the users AD object."

"Whichever setting you use, do not change the users primaryGroupID attribute, Windows relies on all users being a member of Domain Users."

> So whats set as ACL on /home/alice
> getfacl /home/alice

Currently I have it set to being owned by group g_alice:

$ getfacl /home/alice
getfacl: Removing leading '/' from absolute path names
# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::r-x
other::r-x

I could explicitly set 'mandatory' ACLs on the homedir and have these propagate, but that feels like a workaround for something that the docs imply shouldn't be needed?

> Then next part..
> its what Rowland is saying, you should see all the users in the domain user group.

Yes, it takes a very long time, but 'getent group "domain users"' does return all domain users.

> Whats set in /etc/nsswitch.conf ? since your using ubuntu and I don't think apparmor is bugging you.
> if that's the case you should see it in the syslog I think.

nsswitch has:

passwd: files systemd winbind
group: files systemd winbind
...
hosts: files dns

> The smb.conf is correct. Ow. ps, one thing..
> you don't have " winbind refresh tickets = yes" in add it.
> At least, the only thing I didn't see.

I do have this in - though I assumed it wasn't relevant at this point?

> Also keep this in mind..
> You can add a windows users with UID/GID in a linux group.
> You can not add a unix users to a Windows group.

Noted.

> So, what I think, the primary GroupID isnt changed from "domain users" to g_alice in the AD.
> Or you hitting cache problem; try also : net cache flush

Caches flushed, services (and server) restarted - no change.

Thanks,
Matthew
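The thread turns on a distinction that is easy to miss: `getent group g_alice` listing alice as a member (what `winbind expand groups` adds) only shows supplementary membership, while the group a new file is created with comes from the gid field of `getent passwd alice`, which is the field `unix_primary_group = yes` is supposed to fill from gidNumber. The diagnostic below is an added example, not code from the thread or from Samba: it parses the same `getent passwd`, `getent group` and `/etc/nsswitch.conf` output discussed above and reports, for a user, the primary gid, the resolved primary group, the groups that merely list the user, and whether winbind is in the NSS lookup chain. The sample output is constructed; the uids, bob, and the Domain Users gid are made up, and only alice, g_alice and 12345 are taken from the thread.

```python
"""Report which group a domain user's new files will get on a Samba member
server. Added example, not from the thread or from Samba; all sample text
below is constructed and the numeric ids (other than 12345) are made up."""
import re
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid home")
GroupEntry = namedtuple("GroupEntry", "name gid members")

# Constructed `getent passwd` output: alice's gid field already points at
# g_alice (what unix_primary_group = yes plus gidNumber should give), while
# bob's still points at Domain Users.
SAMPLE_PASSWD = """\
alice:*:10001:12345:Alice Example:/home/alice:/bin/bash
bob:*:10002:10513:Bob Example:/home/bob:/bin/bash
"""

# Constructed `getent group` output with winbind expand groups = 1, so the
# member lists are filled in; alice is listed in both groups.
SAMPLE_GROUP = """\
domain users:x:10513:alice,bob
g_alice:x:12345:alice
"""

# Constructed nsswitch.conf fragment in the order quoted in the thread.
SAMPLE_NSSWITCH = """\
passwd:         files systemd winbind
group:          files systemd winbind
hosts:          files dns
"""


def parse_passwd(text):
    """Parse passwd-format lines into a dict keyed by user name."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        entries[fields[0]] = PasswdEntry(fields[0], int(fields[2]),
                                         int(fields[3]), fields[5])
    return entries


def parse_group(text):
    """Parse group-format lines into a dict keyed by numeric gid."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4:
            continue
        members = [m for m in fields[3].strip().split(",") if m]
        entries[int(fields[2])] = GroupEntry(fields[0], int(fields[2]), members)
    return entries


def primary_group(user, passwd, groups):
    """Name of the group in the user's passwd gid field: this, not the member
    list shown by `getent group`, is what a newly created file gets."""
    gid = passwd[user].gid
    return groups[gid].name if gid in groups else str(gid)


def supplementary_groups(user, groups):
    """Groups that list the user as a member; these never set file ownership."""
    return sorted(g.name for g in groups.values() if user in g.members)


def expected_file_group(user, passwd, groups, parent_group, parent_setgid=False):
    """Group a new file gets under a directory: the directory's own group when
    it is setgid (the same effect a default ACL would force), otherwise the
    user's primary group."""
    if parent_setgid:
        return parent_group
    return primary_group(user, passwd, groups)


def nsswitch_uses_winbind(text):
    """For passwd and group, whether the NSS lookup chain includes winbind."""
    result = {"passwd": False, "group": False}
    for line in text.splitlines():
        m = re.match(r"^\s*(passwd|group)\s*:\s*(.*)$", line)
        if m:
            result[m.group(1)] = "winbind" in m.group(2).split()
    return result


def diagnose(user, passwd_text=SAMPLE_PASSWD, group_text=SAMPLE_GROUP,
             nsswitch_text=SAMPLE_NSSWITCH):
    """One-shot report for a user, returned as a dict so it can be checked."""
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    return {
        "primary_gid": passwd[user].gid,
        "primary_group": primary_group(user, passwd, groups),
        "member_of": supplementary_groups(user, groups),
        "nss_winbind": nsswitch_uses_winbind(nsswitch_text),
    }


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, diagnose(name))
```

On a real member server the three constants would be replaced by the output of `getent passwd <user>`, `getent group` and the contents of `/etc/nsswitch.conf`. If `primary_gid` still reports the Domain Users gid even though the user's gidNumber is set and `unix_primary_group = yes` is in smb.conf, the mapping is not being applied on the server side (idmap configuration or cached entries), and that is where to look rather than at group membership; the getfacl output in the thread shows the home directory's group but no setgid bit or default ACL, so nothing there overrides the primary group either.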