Rowland Penny
2022-Aug-18 09:24 UTC
[Samba] unix_primary_group not used when writing files
On Thu, 2022-08-18 at 10:00 +0100, Matthew Richardson via samba wrote:
> Hi,
>
> Thanks for the extra info.
>
> > > However even with this setting and having restarted samba etc the
> > > files are still group 'domain user'.
> >
> > Yes and this IS correct and the default..
> > I recommend NOT to change it.. and you really must..
> > Change primaryGroupID in the AD, but really, use ACLS..
>
> This doesn't seem to agree with what the Samba wiki docs say:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> "There is now a new setting unix_primary_group, this allows you to use
> another group for the users primary group instead of Domain Users.
>
> If this is set with unix_primary_group = yes, the users primary group is
> obtained from the gidNumber attribute found in the users AD object."
>
> "Whichever setting you use, do not change the users primaryGroupID
> attribute, Windows relies on all users being a member of Domain
> Users."

Yes, whatever you do, do not change the primaryGroupID attribute.

> > So whats set as ACL on /home/alice
> > getfacl /home/alice
>
> Currently I have it set to being owned by group g_alice:
>
> $ getfacl /home/alice
> getfacl: Removing leading '/' from absolute path names
> # file: home/alice
> # owner: alice
> # group: g_alice
> user::rwx
> group::r-x
> other::r-x
>
> I could explicitly set 'mandatory' ACLs on the homedir and have these
> propagate, but that feels like a workaround for something that the
> docs imply shouldn't be needed?

Where does it imply that ? tell me and I will change it.

Your problem is possibly being caused by the share being connected by a member of the g_alice group (yes, I know there is only one user) and the group doesn't have write access.

> > > ...
> hosts: files dns
> >
> > The smb.conf is correct. Ow. ps, one thing..
> > you don't have " winbind refresh tickets = yes" in add it.
> > At least, the only thing I didn't see.
>
> I do have this in - though I assumed it wasn't relevant at this
> point?

It is always relevant, without it being set, your kerberos tickets will expire after 10hrs and will not get renewed.

Rowland
Matthew Richardson
2022-Aug-18 11:13 UTC
[Samba] unix_primary_group not used when writing files
>> I could explicitly set 'mandatory' ACLs on the homedir and have these
>> propagate, but that feels like a workaround for something that the
>> docs imply shouldn't be needed?
>
> Where does it imply that ? tell me and I will change it.

I was just meaning that since the samba docs don't mention things like facls, setgid bits etc, this implies that the primary_unix_group setting should 'just work' to set group ownership, and I shouldn't need to do anything else 'special'.

So yes, no doc changes needed!

> Your problem is possibly being caused by the share being connected by a
> member of the g_alice group (yes, I know there is only one user) and
> the group doesn't have write access.

I've changed the permissions to be 775 on /home/alice (with group still g_alice) but it still creates files group owned 'domain user'.

Thanks,

Matthew
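A local check for the symptom discussed in this thread, added here as an example and not part of either message: it reports whether a directory such as /home/alice carries the setgid bit Matthew mentions and lists the entries beneath it whose group differs from the directory's group. The function name `audit_group_ownership` and its `expected_gid` parameter are illustrative choices.

```python
import grp
import os
import stat


def group_name(gid):
    """Resolve a gid to a name; fall back to the number if it cannot be resolved."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_group_ownership(root, expected_gid=None):
    """Return (dir_has_setgid, mismatches) for the tree under root.

    expected_gid defaults to the group that owns root itself (g_alice in
    the thread). mismatches is a sorted list of (path, actual_gid) for
    every entry whose group differs from expected_gid.
    """
    root_st = os.lstat(root)
    if expected_gid is None:
        expected_gid = root_st.st_gid
    has_setgid = bool(root_st.st_mode & stat.S_ISGID)
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report symlinks themselves, do not follow
            if st.st_gid != expected_gid:
                mismatches.append((path, st.st_gid))
    return has_setgid, sorted(mismatches)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    setgid, bad = audit_group_ownership(root)
    owner_group = group_name(os.lstat(root).st_gid)
    print(f"{root}: group={owner_group} setgid={'yes' if setgid else 'no'}")
    for path, gid in bad:
        print(f"  {path}: group={group_name(gid)}")
```

Run on the file server against the home directory after writing a test file through the share; an empty mismatch list means every entry already carries the directory's group.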