thanks for the answer, Louis.
I'm talking about the userhome dir.
I've already read https://wiki.samba.org/index.php/User_Home_Folders and I'm applying the posix acls to my share.
As the users' home is shared between windows and linux, I'd rather use the posix acls than the windows ones.

Beside the homedir of my users have a form like /home/ first letter of name /login ( ex : /home/d/dare ) and I can't change that, this is why I use the [home] share, it's the simpler solution for me.

Is it mandatory to use the windows acls to have the functionality I'm looking for ?

On 06/02/2019 at 12:08, L.P.H. van Belle via samba wrote:
> Hai,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
>> Christian Daré via samba
>> Sent: Wednesday 6 February 2019 11:54
>> To: samba@lists.samba.org
>> Subject: [Samba] unix_primary_group = yes don't work
>>
>> Hi,
>>
>> On a samba 4.9.4 fileserver using ad backend with rfc2307, when I
>> create a file from a Win10 client, it's always created with the rights
>> user:"domain users".
>> I've understood that with "unix_primary_group = yes", the file should
>> be created with the rights user:gidNumber.
> Yes, and if the gid resolves to a name then you see the name of the group.
>
>> Here is my config :
>> [global]
>> security = ADS
>> workgroup = SAMBA494
>> realm = SAMBA494.UNIV-BREST.FR
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 700000001-800000000
>> idmap config SAMBA494 : backend = ad
>> idmap config SAMBA494 : range = 100000-4000000
>> idmap config SAMBA494 : schema_mode = rfc2307
>>
>> idmap config SAMBA494 : unix_nss_info = yes
>> idmap config SAMBA494 : unix_primary_group = yes
>>
>> username map = /etc/samba/samba_usermapping
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> winbind enum users = yes
>> winbind enum groups = yes
> Once you're done testing, set these winbind enum users/groups to No.
> Everything keeps working.
> You can test this with: getent passwd username / getent passwd group / id group ..
>
>> winbind use default domain = yes
>>
>> usershare path
>>
>> [homes]
>> comment = repertoires personnels
>> browseable = no
>> read only = no
>> force create mode = 0755
>> force directory mode = 0755
>>
>> id dare
>> uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),105000(domain users),700000002(BUILTIN\users)
>>
>> root@mom11:/home/d/dare# ls -l
>> total 8
>> drwxrwxr-x+ 2 dare domain users 4096 févr. 6 11:44 test_win10_v1
>>
>> root@mom11:/home/d/dare# getfacl test_win10_v1/
>> # file: test_win10_v1/
>> # owner: dare
>> # group: domain\040users
>> user::rwx
>> user:dare:rwx
>> group::r-x
>> group:domain\040users:r-x
>> mask::rwx
>> other::r-x
>> default:user::rwx
>> default:user:dare:rwx
>> default:group::r-x
>> default:group:domain\040users:r-x
>> default:mask::rwx
>> default:other::r-x
>>
>> What am I missing ?
> Nope, it's exact as you have set up.
> Your mistake ( not really a mistake but more a misconfiguration / thought..)
>
> Here you're checking the "Windows" acls.
> root@mom11:/home/d/dare# getfacl test_win10_v1/
>
> Here you're forcing POSIX acl's.
>> force create mode = 0755
>> force directory mode = 0755
> The above force settings should be removed.
>
> Is this a "userhome dir" or "profiles folder"
> Because these need a bit different rights, .. Depending on your needs..
> My suggestion, re-read.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> And
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Greetz,
>
> Louis
>
>
>
>
>
>

-- 
UBO <http://www.univ-brest.fr>
On Wed, 6 Feb 2019 13:25:08 +0100
Christian Daré via samba <samba@lists.samba.org> wrote:

> thanks for the answer, Louis.
> I'm talking about the userhome dir.
> I've already read https://wiki.samba.org/index.php/User_Home_Folders
> and I'm applying the posix acls to my share.
> As the users' home is shared between windows and linux, I'd rather
> use the posix acls than the windows ones.
>
> Beside the homedir of my users have a form like /home/ first letter
> of name /login ( ex : /home/d/dare ) and I can't change that, this is
> why I use the [home] share, it's the simpler solution for me.
>
> Is it mandatory to use the windows acls to have the functionality I'm
> looking for ?
>

Been doing some testing on this, if a user connects via ssh to a Unix
domain member that is set up to use the users Unix group as its primary
group and creates a file, I get this:

root@testsmb:~# ls -la /home/giduser/test.txt
-rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt

However, if the user connects via SMB to a share and creates a file, I
get this:

root@testsmb:~# ls -la /home/data/test.txt
-rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 /home/data/test.txt

It looks like the Samba tools ignore 'idmap config SAMDOM :
unix_primary_group = yes'

Rowland
Hai Rowland,

That's strange.. my test shows different things.

A SSH login, SSO/kerberos on domain member with nfsv4 kerberized mounted homedir.
Tested samba 4.8.8 and 4.9.4 (members)

touch test-for-Rowland
-rw-r----- 1 louis domain users 0 Feb 6 15:42 test-for-Rowland

And I copied this from my w10 pc.
-rwxrwx--- 1 louis domain users 0 Feb 6 15:42 test-for-Rowland - kopie

And a new txt file made from my pc
-rwxrwx--- 1 louis domain users 0 Feb 6 15:45 Nieuw tekstdocument for Rowland.txt

Member with nfs mounted homedir.
getfacl ../louis/
# file: ../louis/
# owner: louis
# group: root
user::rwx
group::rwx
other::---

And the member sharing the nfs, also where I write over smb from my win10 pc.
getfacl /home/samba/users/louis
getfacl: Removing leading '/' from absolute path names
# file: home/samba/users/louis
# owner: louis
# group: root
user::rwx
user:root:rwx
user:louis:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:louis:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 6 February 2019 15:39
> To: samba@lists.samba.org
> Subject: Re: [Samba] unix_primary_group = yes don't work
>
> On Wed, 6 Feb 2019 13:25:08 +0100
> Christian Daré via samba <samba@lists.samba.org> wrote:
>
> > thanks for the answer, Louis.
> > I'm talking about the userhome dir.
> > I've already read https://wiki.samba.org/index.php/User_Home_Folders
> > and I'm applying the posix acls to my share.
> > As the users' home is shared between windows and linux, I'd rather
> > use the posix acls than the windows ones.
> >
> > Beside the homedir of my users have a form like /home/ first letter
> > of name /login ( ex : /home/d/dare ) and I can't change that, this is
> > why I use the [home] share, it's the simpler solution for me.
> >
> > Is it mandatory to use the windows acls to have the functionality I'm
> > looking for ?
> >
>
> Been doing some testing on this, if a user connects via ssh to a Unix
> domain member that is set up to use the users Unix group as
> its primary
> group and creates a file, I get this:
>
> root@testsmb:~# ls -la /home/giduser/test.txt
> -rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt
>
> However, if the user connects via SMB to a share and creates a file, I
> get this:
>
> root@testsmb:~# ls -la /home/data/test.txt
> -rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 /home/data/test.txt
>
> It looks like the Samba tools ignore 'idmap config SAMDOM :
> unix_primary_group = yes'
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
I have the same conclusion
Anybody have a conf with "unix_primary_group = yes" working ?

Christian

On 06/02/2019 at 15:39, Rowland Penny via samba wrote:
> On Wed, 6 Feb 2019 13:25:08 +0100
> Christian Daré via samba <samba@lists.samba.org> wrote:
>
>> thanks for the answer, Louis.
>> I'm talking about the userhome dir.
>> I've already read https://wiki.samba.org/index.php/User_Home_Folders
>> and I'm applying the posix acls to my share.
>> As the users' home is shared between windows and linux, I'd rather
>> use the posix acls than the windows ones.
>>
>> Beside the homedir of my users have a form like /home/ first letter
>> of name /login ( ex : /home/d/dare ) and I can't change that, this is
>> why I use the [home] share, it's the simpler solution for me.
>>
>> Is it mandatory to use the windows acls to have the functionality I'm
>> looking for ?
>>
> Been doing some testing on this, if a user connects via ssh to a Unix
> domain member that is set up to use the users Unix group as its primary
> group and creates a file, I get this:
>
> root@testsmb:~# ls -la /home/giduser/test.txt
> -rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt
>
> However, if the user connects via SMB to a share and creates a file, I
> get this:
>
> root@testsmb:~# ls -la /home/data/test.txt
> -rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 /home/data/test.txt
>
> It looks like the Samba tools ignore 'idmap config SAMDOM :
> unix_primary_group = yes'
>
> Rowland
>
>

-- 
UBO <http://www.univ-brest.fr>
On Wed, 6 Feb 2019 15:58:52 +0100
L.P.H. van Belle <belle@bazuin.nl> wrote:

> Hai Rowland,
>
> That's strange.. my test shows different things.
>
> A SSH login, SSO/kerberos on domain member with nfsv4 kerberized
> mounted homedir. Tested samba 4.8.8 and 4.9.4 (members)
>
> touch test-for-Rowland
> -rw-r----- 1 louis domain users 0 Feb 6 15:42
> test-for-Rowland
>
> And I copied this from my w10 pc.
> -rwxrwx--- 1 louis domain users 0 Feb 6 15:42
> test-for-Rowland - kopie
>
> And a new txt file made from my pc
> -rwxrwx--- 1 louis domain users 0 Feb 6 15:45 Nieuw
> tekstdocument for Rowland.txt
>
>

I tested from win10 and got this:

root@testsmb:~# ls -la /home/data
total 16
drwxrwxrwx 2 root root 4096 Feb 6 15:17 .
drwxr-xr-x 5 root root 4096 Feb 6 13:42 ..
-rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 test.txt
-rwxrwxr-x+ 1 giduser domain users 0 Feb 6 15:17 wintest.txt

root@testsmb:~# ls -la /home/giduser/test.txt
-rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt

root@testsmb:~# getent passwd giduser
giduser:*:10048:10002::/home/giduser:/bin/bash

root@testsmb:~# id giduser
uid=10048(giduser) gid=10002(unixgroup) groups=10002(unixgroup),10000(domain users),3001(BUILTIN\users)

Use Unix tools and the Unix primary group is honoured, use Samba/Windows and it isn't.

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 6 February 2019 16:33
> To: samba@lists.samba.org
> Subject: Re: [Samba] unix_primary_group = yes don't work
>
> On Wed, 6 Feb 2019 15:58:52 +0100
> L.P.H. van Belle <belle@bazuin.nl> wrote:
>
> > Hai Rowland,
> >
> > That's strange.. my test shows different things.
> >
> > A SSH login, SSO/kerberos on domain member with nfsv4 kerberized
> > mounted homedir. Tested samba 4.8.8 and 4.9.4 (members)
> >
> > touch test-for-Rowland
> > -rw-r----- 1 louis domain users 0 Feb 6 15:42
> > test-for-Rowland
> >
> > And I copied this from my w10 pc.
> > -rwxrwx--- 1 louis domain users 0 Feb 6 15:42
> > test-for-Rowland - kopie
> >
> > And a new txt file made from my pc
> > -rwxrwx--- 1 louis domain users 0 Feb 6 15:45 Nieuw
> > tekstdocument for Rowland.txt
> >
> >
>
> I tested from win10 and got this:
>
> root@testsmb:~# ls -la /home/data
> total 16
> drwxrwxrwx 2 root root 4096 Feb 6 15:17 .
> drwxr-xr-x 5 root root 4096 Feb 6 13:42 ..
> -rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 test.txt
> -rwxrwxr-x+ 1 giduser domain users 0 Feb 6 15:17 wintest.txt
>
> root@testsmb:~# ls -la /home/giduser/test.txt
> -rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt
>
> root@testsmb:~# getent passwd giduser
> giduser:*:10048:10002::/home/giduser:/bin/bash
>
> root@testsmb:~# id giduser
> uid=10048(giduser) gid=10002(unixgroup)
> groups=10002(unixgroup),10000(domain users),3001(BUILTIN\users)
>
> Use Unix tools and the Unix primary group is honoured, use
> Samba/Windows and it isn't.

My guess here.
That is because of misconfiguration of the base of the users homedir
You need 1700 or 3700 on /home/data
Can you try that.

>
> Rowland
>
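Rowland's two listings and Louis's suggestion of a 3700 mode on the base directory come down to one question: which group should a freshly created file carry? On Linux a new file takes the creating process's primary group, unless the parent directory has the setgid bit (the 2 in 3700), in which case it inherits the directory's group. The script below is an added example for this thread, not code from the Samba project or from any poster: it parses pasted `id` and `ls -l` output and reports whether each file's group matches that rule. The sample lines are copied from Rowland's messages; the parent-directory line for the SSH case and the setgid case are constructed. It models the plain kernel rule only, so a share that sets `force group` is outside what it checks.

```python
"""Check whether a newly created file carries the group that the creating
user's Unix primary group (or the parent directory's setgid bit) implies.

Added example, not code from the Samba project or from anyone in the thread.
It works on the text forms shown in the thread (output of `id` and `ls -l`).
Caveat: a share with 'force group' is not modelled.
"""
import re
from dataclasses import dataclass

# `id` output; the French locale prints 'groupes=' but uid/gid are the same.
ID_RE = re.compile(r"uid=\d+\((?P<user>[^)]*)\)\s+gid=\d+\((?P<group>[^)]*)\)")

# One `ls -l` line. Group names such as 'domain users' contain spaces, so the
# group is matched non-greedily and anchored on the size/date fields after it.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9}[+.@]?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>.+?)"
    r"\s+\d+\s+\S+\s+\d+\s+(?:\d\d:\d\d|\d{4})\s+(?P<name>.+)$"
)


@dataclass
class LsEntry:
    name: str
    owner: str
    group: str
    setgid: bool   # 's' or 'S' in the group execute slot of the mode string
    has_acl: bool  # trailing '+' means an extended (POSIX) ACL is present


def parse_id(line):
    m = ID_RE.search(line)
    if not m:
        raise ValueError(f"not `id` output: {line!r}")
    return m.group("user"), m.group("group")


def parse_ls(line):
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an `ls -l` line: {line!r}")
    mode = m.group("mode")
    return LsEntry(m.group("name"), m.group("owner"), m.group("group"),
                   setgid=mode[6] in "sS", has_acl=mode.endswith("+"))


def expected_group(primary_group, parent):
    """Linux rule: inherit the directory's group when the directory has the
    setgid bit, otherwise use the creating process's primary group."""
    return parent.group if parent.setgid else primary_group


def check_created_file(id_line, parent_ls_line, file_ls_line):
    user, primary = parse_id(id_line)
    parent = parse_ls(parent_ls_line)
    entry = parse_ls(file_ls_line)
    expected = expected_group(primary, parent)
    return {
        "user": user, "file": entry.name, "owner": entry.owner,
        "group": entry.group, "expected": expected,
        "ok": entry.group == expected, "has_acl": entry.has_acl,
    }


# Lines copied from Rowland's messages in this thread.
ID_GIDUSER = ("uid=10048(giduser) gid=10002(unixgroup) "
              "groups=10002(unixgroup),10000(domain users),3001(BUILTIN\\users)")
DIR_DATA = "drwxrwxrwx 2 root root 4096 Feb 6 15:17 ."          # /home/data itself
FILE_SMB = "-rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 /home/data/test.txt"
FILE_SSH = "-rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt"
# Constructed for this example: the SSH parent directory and a setgid directory.
DIR_HOME = "drwxr-xr-x 2 giduser unixgroup 4096 Feb 6 14:31 /home/giduser"
DIR_SETGID = "drwxrws--- 2 root data 4096 Feb 6 15:17 /home/data"
FILE_SETGID = "-rw-rw-r-- 1 giduser data 0 Feb 6 15:20 /home/data/new.txt"

if __name__ == "__main__":
    for parent, child in ((DIR_DATA, FILE_SMB), (DIR_HOME, FILE_SSH),
                          (DIR_SETGID, FILE_SETGID)):
        r = check_created_file(ID_GIDUSER, parent, child)
        print(f"{r['file']}: group {r['group']!r}, expected {r['expected']!r}, "
              f"ok={r['ok']}, acl={r['has_acl']}")
```

Run against real output, paste the `id <user>` line, the `ls -ld` line of the share directory and the `ls -l` line of the test file; the SMB-created file from Rowland's listing comes back with `ok=False` and `acl=True`, which is exactly the symptom the thread is chasing.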
Hai Christian,

I configured my member as shown on the wiki. ( see below )
And as you see not much different compared to yours.
The difference is the way of the setup and the order of the setup.
I'll see if I can make a matrix of my setup so it's easier to explain
this.
[global]
log level = 1 auth_audit:3
workgroup = DOM
security = ADS
realm = REALM.DOMAIN.TLD
netbios name = HOSTNAME
interfaces = 192.168.0.11 127.0.0.1
bind interfaces only = yes
dns proxy = yes
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/key.pem
tls certfile = /etc/ssl/local/certs/cert.pem
tls cafile = /etc/ssl/certs/company-ca.pem
## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config DOM : backend = ad
idmap config DOM : schema_mode = rfc2307
idmap config DOM : range = 10000-3999999
idmap config DOM : unix_nss_info = yes
idmap config DOM : unix_primary_group = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# I don't want DOM\username but username.
winbind use default domain = yes
# enable offline logins
winbind offline logon = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
######## SHARE DEFINITIONS ################
[profiles]
browseable = yes
path = /home/samba/profiles
read only = no
# make sure we match windows ACL for profile shares.
# Think in GPO's, special windows rights, user/group SYSTEM.
acl_xattr:ignore system acl = yes
[users]
browseable = yes
path = /home/samba/users
read only = no
[public]
browseable = yes
path = /home/samba/public
read only = no
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Christian Daré via samba
> Sent: Wednesday 6 February 2019 16:29
> To: samba@lists.samba.org
> Subject: Re: [Samba] unix_primary_group = yes don't work
>
> I have the same conclusion
> Anybody have a conf with "unix_primary_group = yes" working ?
>
> Christian
>
> On 06/02/2019 at 15:39, Rowland Penny via samba wrote:
> > On Wed, 6 Feb 2019 13:25:08 +0100
> > Christian Daré via samba <samba@lists.samba.org> wrote:
> >
> >> thanks for the answer, Louis.
> >> I'm talking about the userhome dir.
> >> I've already read https://wiki.samba.org/index.php/User_Home_Folders
> >> and I'm applying the posix acls to my share.
> >> As the users' home is shared between windows and linux, I'd rather
> >> use the posix acls than the windows ones.
> >>
> >> Beside the homedir of my users have a form like /home/ first letter
> >> of name /login ( ex : /home/d/dare ) and I can't change that, this is
> >> why I use the [home] share, it's the simpler solution for me.
> >>
> >> Is it mandatory to use the windows acls to have the functionality I'm
> >> looking for ?
> >>
> > Been doing some testing on this, if a user connects via ssh to a Unix
> > domain member that is set up to use the users Unix group as its primary
> > group and creates a file, I get this:
> >
> > root@testsmb:~# ls -la /home/giduser/test.txt
> > -rw-r--r-- 1 giduser unixgroup 0 Feb 6 14:31 /home/giduser/test.txt
> >
> > However, if the user connects via SMB to a share and creates a file, I
> > get this:
> >
> > root@testsmb:~# ls -la /home/data/test.txt
> > -rwxrwxr-x+ 1 giduser domain users 0 Feb 6 13:48 /home/data/test.txt
> >
> > It looks like the Samba tools ignore 'idmap config SAMDOM :
> > unix_primary_group = yes'
> >
> > Rowland
> >
> >
> >
>
> --
> UBO <http://www.univ-brest.fr>
>
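Louis's smb.conf above and Christian's earlier one differ in only a few settings, and the advice given in this thread boils down to a handful of mechanical checks: the `*` idmap range and the domain range must not overlap, `unix_primary_group` and `unix_nss_info` are idmap_ad options that other backends ignore, `force create mode` / `force directory mode` should go when `acl_xattr` is in use, and `winbind enum users` / `winbind enum groups` are for testing only. The linter below is an added example, not part of Samba and not code from anyone in the thread; it parses a plain smb.conf and applies those four checks. The sample config is abridged from Christian's post; the second, broken variant is constructed to trigger the remaining findings.

```python
"""Lint an smb.conf for the idmap and ACL settings discussed in this thread.

Added example, not part of the Samba project and not code from anyone in the
thread. Reads plain '[section]' / 'key = value' smb.conf text (no 'include'
or 'copy =' handling) and applies the checks the thread's advice implies.
"""
import re

IDMAP_RE = re.compile(r"^idmap config (?P<dom>[^:]+?):(?P<opt>.+)$")


def _norm_key(key):
    # Samba ignores case and whitespace in parameter names, so
    # 'idmap config DOM : range' and 'idmap config dom:range' are one key.
    return re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}. A line without '=' (the
    bare 'usershare path' in the thread) is stored with an empty value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"parameter outside any section: {line!r}")
        key, _, value = line.partition("=")
        conf[section][_norm_key(key)] = value.strip()
    return conf


def idmap_settings(global_sec):
    """Group 'idmap config <dom>:<opt>' keys by domain: {dom: {opt: value}}."""
    out = {}
    for key, value in global_sec.items():
        m = IDMAP_RE.match(key)
        if m:
            out.setdefault(m.group("dom"), {})[m.group("opt")] = value
    return out


def lint(conf):
    findings = []
    g = conf.get("global", {})
    idmap = idmap_settings(g)

    # 1. The '*' range and every domain range must not overlap.
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in idmap.items() if "range" in o}
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")

    # 2. unix_primary_group / unix_nss_info are idmap_ad options; any other
    #    backend (assumed tdb when unset) silently ignores them.
    for d, o in idmap.items():
        backend = o.get("backend", "tdb").lower()
        for opt in ("unix_primary_group", "unix_nss_info"):
            if backend != "ad" and o.get(opt, "").lower() == "yes":
                findings.append(f"'{opt} = yes' for '{d}' is ignored: "
                                f"backend is '{backend}', not 'ad'")

    # 3. force create/directory mode next to acl_xattr (Louis: remove them).
    #    'vfs objects' is inherited from [global] when a share does not set it.
    global_vfs = g.get("vfs objects", "")
    for name, sec in conf.items():
        if "acl_xattr" in sec.get("vfs objects", global_vfs).split():
            for key in ("force create mode", "force directory mode"):
                if key in sec:
                    findings.append(f"[{name}] sets '{key} = {sec[key]}' "
                                    "while acl_xattr is active")

    # 4. winbind enum users/groups = yes is a test-time setting.
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "").lower() == "yes":
            findings.append(f"'{key} = yes' in [global]: set to no once testing is done")
    return findings


# Abridged from Christian's smb.conf earlier in the thread.
CHRISTIAN_CONF = """\
[global]
security = ADS
workgroup = SAMBA494
idmap config * : backend = tdb
idmap config * : range = 700000001-800000000
idmap config SAMBA494 : backend = ad
idmap config SAMBA494 : range = 100000-4000000
idmap config SAMBA494 : schema_mode = rfc2307
idmap config SAMBA494 : unix_nss_info = yes
idmap config SAMBA494 : unix_primary_group = yes
vfs objects = acl_xattr
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
usershare path

[homes]
comment = repertoires personnels
browseable = no
read only = no
force create mode = 0755
force directory mode = 0755
"""

# Constructed variant: an overlapping '*' range and a non-ad domain backend.
BROKEN_CONF = (CHRISTIAN_CONF
               .replace("range = 700000001-800000000", "range = 3000000-5000000")
               .replace("SAMBA494 : backend = ad", "SAMBA494 : backend = rid"))

if __name__ == "__main__":
    for label, text in (("christian", CHRISTIAN_CONF), ("broken", BROKEN_CONF)):
        print(f"== {label}")
        for finding in lint(parse_smb_conf(text)):
            print(" -", finding)
```

On Christian's config this reports only the two `force ... mode` lines in `[homes]` and the two `winbind enum` settings, which matches what Louis pointed out; run it on `testparm -s` output rather than the raw file if the configuration uses `include` or `copy =`, since the parser does not follow those.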