Rowland Penny
2018-Aug-10 12:59 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Fri, 10 Aug 2018 13:20:15 +0100 "miguel medalha" <medalist at sapo.pt> wrote:

> > > > By default, every AD user is a member of 'Domain Users' and so,
> > > > when you use the 'rid' backend every Unix user gets the group as
> > > > their primary group.
> > > > The only way to change this is by using a version of Samba >
> > > > 4.6.0 and use the 'ad' backend (...)
> > >
> > > You can also use RSAT and define some other group as the user's
> > > primary group, and still use 'rid' backend. If I remember well,
> > > the setting resides in the "Member of" tab of Active Directory
> > > Users and Computers (ADUC).
> >
> > Wrong, that just adds another attribute ('msSFU30PosixMember' I
> > think) and this is ignored.
> >
> > Yes, there is another way, add user to a group, change users
> > primaryGroupID attribute to contain the RID of the new group and
> > your users group on Unix will be the new group. Unfortunately there
> > is a big problem with doing this, it breaks Windows, as it relies
> > on all users being a member of Domain Users and that group not
> > actually having any members ;-)
>
> Are you sure about that? I am using the RID backend and I just tested
> this:
>
> I logged on to Windows 7 as a regular user

What do you mean by 'regular user' ?

> having a particular group
> set as "Primary group"

How are you setting the 'primary group' ? By default all AD users (aka windows users) are members of the 'Domain Users' group even though they do not appear in the 'Domain Users' AD object.

> and I created a new file and a new folder
> inside a share. Looking at it on the security tab, I can see that the
> "Domain Users" group is not in the list of permissions.
> I logged out.

Have you done something strange like changing the contents of the users 'primaryGroupID' attribute ?

> As Administrator, using ADUC, in the "Member of" tab I changed the
> primary group of the same user to the "Domain users" default.

Yep, it sounds like you have.

> I logged on again as the same regular user and I created a new file
> and a new folder inside the same share. Looking at the "Security"
> tab, I see that the "Domain users" group is now there, with advanced
> permissions of "Full Control, This object only" and "Full Control,
> This folder only".
>
> Resetting the user's primary group to its original group restores the
> intended behavior, the "Domain Users" is no longer present in newly
> created files or folders.

No, this is not the intended behaviour, it might be your intended behaviour, but it isn't Windows.

> This is a Samba Active Directory serving a network of mainly Windows
> 7 machines. The Samba version is 4.8.3. As I said before, the RID
> backend is in use.

All the 'rid' backend does is calculate the user & group ID's from their 'RID'.

Rowland
miguel medalha
2018-Aug-10 13:32 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
> > I logged on to Windows 7 as a regular user
>
> What do you mean by 'regular user' ?

I used the expression 'regular user' because I wanted to make it clear that this user does not have any administrative rights whatsoever.

> > having a particular group
> > set as "Primary group"
>
> How are you setting the 'primary group' ?

The 'primary group' had been set a long time ago, when the system was created. It had been set with ADUC, under the "Member of" tab, as told before.

> By default all AD users (aka windows users) are members of the 'Domain
> Users' group even though they do not appear in the 'Domain Users' AD
> object.

Yes, of course. That's not the point.

> > and I created a new file and a new folder
> > inside a share. Looking at it on the security tab, I can see that the
> > "Domain Users" group is not in the list of permissions. I logged out.
>
> Have you done something strange like changing the contents of the users
> 'primaryGroupID' attribute ?
>
> > As Administrator, using ADUC, in the "Member of" tab I changed the
> > primary group of the same user to the "Domain users" default.
>
> Yep, it sounds like you have.
>
> > I logged on again as the same regular user and I created a new file
> > and a new folder inside the same share. Looking at the "Security"
> > tab, I see that the "Domain users" group is now there, with advanced
> > permissions of "Full Control, This object only" and "Full Control,
> > This folder only".
> >
> > Resetting the user's primary group to its original group restores the
> > intended behavior, the "Domain Users" is no longer present in newly
> > created files or folders.
>
> No, this is not the intended behaviour, it might be your intended
> behavior, but it isn't Windows.

It is also the behavior intended by the OP. Shouldn't a folder inherit the permissions of its parent when inheritance is on? If so, why does the group "Domain users" appear there with "Full control" permissions when it is not present in the parent folder?

> All the 'rid' backend does is calculate the user & group ID's from
> their 'RID'.

Yes, I know, but one of your previous posts seems to imply that the behavior the OP wants is not possible unless you use the AD backend or a convoluted workaround. You also stated that changing the "primary group" would be ignored, which isn't. I thought it would be helpful to actually test it... I found the problem the OP complained about somewhat strange because I had never met it, and I had never met it because all my users had their primary group set to the intended group from the beginning, some years ago.
Rowland Penny
2018-Aug-10 13:57 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Fri, 10 Aug 2018 14:32:01 +0100 "miguel medalha" <medalist at sapo.pt> wrote:

> > > having a particular group
> > > set as "Primary group"
> >
> > How are you setting the 'primary group' ?
>
> The 'primary group' had been set a long time ago, when the system was
> created. It had been set with ADUC, under the "Member of" tab, as
> told before.

Yes, but that shouldn't change the 'primaryGroupID' attribute.

> > By default all AD users (aka windows users) are members of the
> > 'Domain Users' group even though they do not appear in the 'Domain
> > Users' AD object.
>
> Yes, of course. That's not the point.

No, it's the very point.

> > > and I created a new file and a new folder
> > > inside a share. Looking at it on the security tab, I can see that
> > > the "Domain Users" group is not in the list of permissions. I
> > > logged out.
> >
> > Have you done something strange like changing the contents of the
> > users 'primaryGroupID' attribute ?
> >
> > > As Administrator, using ADUC, in the "Member of" tab I changed the
> > > primary group of the same user to the "Domain users" default.
> >
> > Yep, it sounds like you have.
> >
> > > I logged on again as the same regular user and I created a new
> > > file and a new folder inside the same share. Looking at the
> > > "Security" tab, I see that the "Domain users" group is now there,
> > > with advanced permissions of "Full Control, This object only" and
> > > "Full Control, This folder only".
> > >
> > > Resetting the user's primary group to its original group restores
> > > the intended behavior, the "Domain Users" is no longer present in
> > > newly created files or folders.
> >
> > No, this is not the intended behaviour, it might be your intended
> > behavior, but it isn't Windows.
>
> It is also the behavior intended by the OP. Shouldn't a folder
> inherit the permissions of its parent when inheritance is on? If so,
> why does the group "Domain users" appear there with "Full control"
> permissions when it is not present in the parent folder?
>
> > All the 'rid' backend does is calculate the user & group ID's from
> > their 'RID'.
>
> Yes, I know, but one of your previous posts seems to imply that the
> behavior the OP wants is not possible unless you use the AD backend
> or a convoluted workaround. You also stated that changing the
> "primary group" would be ignored, which isn't. I thought it would be
> helpful to actually test it... I found the problem the OP complained
> about somewhat strange because I had never met it, and I had never
> met it because all my users had their primary group set to the
> intended group from the beginning, some years ago.

What does 'getent passwd ausername' return on a Unix domain member ? It should return something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The first '10000' is the users uidNumber and the second is the gidNumber for 'Domain Users'

Rowland
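As an added example (not code from this thread or from Samba itself), the script below applies the idmap_rid arithmetic (ID = RID - base_rid + range_low) to 'getent passwd' lines and reports which RID a user's Unix primary gid maps back to, which is the check Rowland asks for above. It assumes an idmap range of 10000-999999 with the default base_rid of 0; the passwd lines and account names are constructed.

```python
# Added example, not code from the thread or from Samba. It applies the
# idmap_rid mapping (ID = RID - base_rid + range_low) to 'getent passwd'
# output so an admin can see which RID a user's Unix primary group maps to.
# Assumes "idmap config SAMDOM : range = 10000-999999" and base_rid = 0.

DOMAIN_USERS_RID = 513  # well-known RID of the 'Domain Users' group

def rid_to_id(rid, range_low=10000, range_high=999999, base_rid=0):
    """Unix uid/gid that idmap_rid allocates for a RID, or None if out of range."""
    xid = rid - base_rid + range_low
    return xid if range_low <= xid <= range_high else None

def id_to_rid(xid, range_low=10000, range_high=999999, base_rid=0):
    """Reverse mapping: which RID produced this uid/gid under idmap_rid."""
    if not range_low <= xid <= range_high:
        return None
    return xid - range_low + base_rid

def parse_getent_passwd(line):
    """Split a passwd(5) line: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd entry: %r" % line)
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
            "gecos": fields[4]}

def check_primary_group(line, **idmap):
    """Report whether the user's Unix primary group is still 'Domain Users'.

    A gid that maps back to a RID other than 513 means the account's
    primaryGroupID attribute no longer points at 'Domain Users'.
    """
    entry = parse_getent_passwd(line)
    primary_rid = id_to_rid(entry["gid"], **idmap)
    return {
        "user": entry["name"],
        "gid": entry["gid"],
        "primary_rid": primary_rid,
        "is_domain_users": primary_rid == DOMAIN_USERS_RID,
    }

# Constructed sample output of 'getent passwd <user>' on a Unix domain member.
SAMPLE_LINES = [
    "alice:*:11105:10513:Alice Example:/home/SAMDOM/alice:/bin/bash",
    "bob:*:11106:11201:Bob Example:/home/SAMDOM/bob:/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = check_primary_group(line)
        print("%(user)s gid=%(gid)d rid=%(primary_rid)s domain_users=%(is_domain_users)s" % r)
```

The exact gid of 'Domain Users' depends on the configured range (10513 under the assumed range), so pass your own range_low/range_high/base_rid values to check_primary_group when they differ.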