samba - Aug 2018 - using Windows AD unwanted Group rights get applied to new Files

On Fri, 10 Aug 2018 13:20:15 +0100
"miguel medalha" <medalist at sapo.pt> wrote:
> > > > By default, every AD user is a member of 'Domain
Users' and so,
> > > > when you use the 'rid' backend every Unix user gets
the group as
> > > > their primary group.
> > > 
> > > > The only way to change this is by using a version of Samba
>> > > > 4.6.0 and use the 'ad' backend  (...)
> > > 
> > > You can also use RSAT and define some other group as the
user's
> > > primary group, and still use 'rid' backend. If I remember
well,
> > > the setting resides in the "Member of" tab of Active
Directory
> > > Users and Computers (ADUC).
> 
> > Wrong, that just adds another attribute ('msSFU30PosixMember'
I
> > think) and this is ignored.
> 
> > Yes, there is another way, add user to a group, change users
> > primaryGroupID attribute to contain the RID of the new group and
> > your users group on Unix will be the new group. Unfortunately there
> > is a big problem with doing this, it breaks Windows, as it relies
> > on all users being a member of Domain Users and that group not
> > actually having any members ;-)
> 
> 
> Are you sure about that? I am using the RID backend and I just tested
> this:
> 
> I logged on to Windows 7 as a regular user 
What do you mean by 'regular user' ?
>having a particular group
> set as "Primary group" 
How are setting the 'primary group' ?

By default all AD users (aka windows users) are members of the 'Domain
Users' group even though they do not appear in the 'Domain Users' AD
object.
>and I created a new file and a new folder
> inside a share. Looking at it on the security tab, I can see that the
> "Domain Users" group is not in the list of permissions. I logged
out.
Have you done something strange like changing the contents of the users
'primaryGroupID' attribute ?
> 
> As Administrator, using ADUC, in the "Member of" tab I changed
the
> primary group of the same user to the "Domain users" default.
Yep, it sounds like you have.
> 
> I logged on again as the same regular user and I created a new file
> and a new folder inside the same share. Looking at the "Security"
> tab, I see that the "Domain users" group is now there, with
advanced
> permissions of "Full Control, This object only" and "Full
Control,
> This folder only".
> 
> Resetting the user's primary group to its original group restores the
> intended behavior, the "Domain Users" is no longer present in
newly
> created files or folders.
No, this is not the intended behaviour, it might be your intended
behaviour, but it isn't Windows.
> 
> This is a Samba Active Directory serving a network of mainly Windows
> 7 machines. The Samba version is 4.8.3. As I said before, the RID
> backend is in use.
All the 'rid' backend does is calculate the user & group ID's
from
their 'RID'. 

Rowland

> > I logged on to Windows 7 as a regular user 
> What do you mean by 'regular user' ?
I used the expression 'regular user' because I wanted to make it clear
that this user does not have any administrative rights whatsoever.
> >having a particular group
> > set as "Primary group" 
> How are setting the 'primary group' ?
The 'primary group' had been set a long time ago, when the system was
created. It had been set with ADUC, under the "Member of" tab, as told
before.
> By default all AD users (aka windows users) are members of the 'Domain
> Users' group even though they do not appear in the 'Domain
Users' AD
> object.
Yes, of course. That's not the point.
> > and I created a new file and a new folder
> > inside a share. Looking at it on the security tab, I can see that the
> > "Domain Users" group is not in the list of permissions. I
logged out.
> Have you done something strange like changing the contents of the users
'primaryGroupID' attribute ?
> > 
> > As Administrator, using ADUC, in the "Member of" tab I
changed the
> > primary group of the same user to the "Domain users"
default.
> Yep, it sounds like you have.
> 
> > I logged on again as the same regular user and I created a new file
> > and a new folder inside the same share. Looking at the
"Security"
> > tab, I see that the "Domain users" group is now there, with
advanced
> > permissions of "Full Control, This object only" and
"Full Control,
> > This folder only".
> > 
> > Resetting the user's primary group to its original group restores
the
> > intended behavior, the "Domain Users" is no longer present
in newly
> > created files or folders.
> No, this is not the intended behaviour, it might be your intended
> behavior, but it isn't Windows.
It is also the behavior intended by the OP. Shouldn't a folder inherit the
permissions of its parent when inheritance is on? If so, why does the group
"Domain users" appear there with "Full control" permissions
when it is not present in the parent folder?

> All the 'rid' backend does is calculate the user & group
ID's from
> their 'RID'. 
Yes, I know, but one of your previous posts seems to imply that the behavior the
OP wants is not possible unless you use the AD backend or a convoluted
workaround. You also stated that changing the "primary group" would be
ignored, which isn't. I thought it would be helpful to actually test it... I
found the problem the OP complained about somewhat strange because I had never
met it, and I had never met it because all my users had their primary group set
to the intended group from the beginning, some years ago.

On Fri, 10 Aug 2018 14:32:01 +0100
"miguel medalha" <medalist at sapo.pt> wrote:
> > >having a particular group
> > > set as "Primary group" 
> 
> > How are setting the 'primary group' ?
> 
> The 'primary group' had been set a long time ago, when the system
was
> created. It had been set with ADUC, under the "Member of" tab, as
> told before.
Yes, but that shouldn't change the 'primaryGroupID' attribute.
> 
> > By default all AD users (aka windows users) are members of the
> > 'Domain Users' group even though they do not appear in the
'Domain
> > Users' AD object.
> 
> Yes, of course. That's not the point.
No, its the very point.
> 
> > > and I created a new file and a new folder
> > > inside a share. Looking at it on the security tab, I can see that
> > > the "Domain Users" group is not in the list of
permissions. I
> > > logged out.
> 
> > Have you done something strange like changing the contents of the
> > users
> 'primaryGroupID' attribute ?
> > > 
> > > As Administrator, using ADUC, in the "Member of" tab I
changed the
> > > primary group of the same user to the "Domain users"
default.
> 
> > Yep, it sounds like you have.
> 
> > 
> > > I logged on again as the same regular user and I created a new
> > > file and a new folder inside the same share. Looking at the
> > > "Security" tab, I see that the "Domain users"
group is now there,
> > > with advanced permissions of "Full Control, This object
only" and
> > > "Full Control, This folder only".
> > > 
> > > Resetting the user's primary group to its original group
restores
> > > the intended behavior, the "Domain Users" is no longer
present in
> > > newly created files or folders.
> 
> > No, this is not the intended behaviour, it might be your intended
> > behavior, but it isn't Windows.
> 
> It is also the behavior intended by the OP. Shouldn't a folder
> inherit the permissions of its parent when inheritance is on? If so,
> why does the group "Domain users" appear there with "Full
control"
> permissions when it is not present in the parent folder?
> 
> 
> > All the 'rid' backend does is calculate the user & group
ID's from
> > their 'RID'. 
> 
> Yes, I know, but one of your previous posts seems to imply that the
> behavior the OP wants is not possible unless you use the AD backend
> or a convoluted workaround. You also stated that changing the
> "primary group" would be ignored, which isn't. I thought it
would be
> helpful to actually test it... I found the problem the OP complained
> about somewhat strange because I had never met it, and I had never
> met it because all my users had their primary group set to the
> intended group from the beginning, some years ago.
> 
> 
What does 'getent passwd ausername' return on a Unix domain member ?

It should return something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The first '10000' is the users uidNumber and the second is the
gidNumber for 'Domain Users'

Rowland