Marco Gaiarin
2021-Feb-25 09:06 UTC
[Samba] Any drawback in changing primary group of domain users ?
Hi! Nicola Mingotti via samba wrote:

> In these days I am trying to do some polishing/tuning in my NAS
> and I focused my attention on a detail: all domain users have
> "Primary group" set to "Domain users".

It is needed to make a distinction: do you mean 'Windows primary group' or 'POSIX primary group'?

As far as I've understood, the former HAS to be 'Domain Users' and 'cannot' be changed; the second may change, but has to be listed in (normal) group membership.

> I don't like it much. I would prefer e.g. the user 'foo' to have
> by default as primary group 'g-foo'.

Correct. This could also have some ''security implications'', if you use POSIX ACLs: by default the permission mask is equal to the POSIX primary group membership, so this leads to new files and folders created by the user with group 'Domain Users' and group writeable, e.g. new files are writeable by any user (in 'Domain Users').

> Before I do systematic change to all my users I would like
> to know your opinion about this. Do you foresee any issue
> if I perform such a move ?
> Also, I can change the Primary group from Windows tools
> but i can't find a proper way of doing it from Linux.
> Any ideas ?

I'm still a bit 'confused' in this topic, too, so I seek some feedback too...

Thanks.

-- 
dott. Marco Gaiarin                      GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it     t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland penny
2021-Feb-25 09:30 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 25/02/2021 09:06, Marco Gaiarin via samba wrote:
> Hi! Nicola Mingotti via samba wrote:
>
>> In these days I am trying to do some polishing/tuning in my NAS
>> and I focused my attention on a detail: all domain users have
>> "Primary group" set to "Domain users".
> It is needed to make a distinction: do you mean 'Windows primary group'
> or 'POSIX primary group'?

I took it as Windows primary group, mainly because there is no concept of POSIX primary group in AD. A user can have a gidNumber attribute, but this has nothing to do with any primary group.

> As far as I've understood, the former HAS to be 'Domain Users' and 'cannot'
> be changed; the second may change, but has to be listed in (normal)
> group membership.

You can change it, but it isn't recommended.

>> I don't like it much. I would prefer e.g. the user 'foo' to have
>> by default as primary group 'g-foo'.
> Correct. This could also have some ''security implications'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group membership, so this leads to new files and folders created by the user with
> group 'Domain Users' and group writeable, e.g. new files are writeable
> by any user (in 'Domain Users').

There are ways around this, once you get your head around the fact that this is how Windows works. If it works for Windows, it will work on Linux.

Rowland
Nicola Mingotti
2021-Feb-25 09:39 UTC
[Samba] Any drawback in changing primary group of domain users ?
The reason I want to perform this is because if a user makes a directory it gets by default group "Domain users".

I guess this is creating issues because the permission given to a directory by the fact that a user is in the "Domain users" group may conflict with what I defined plain "Domain users" can do in that area of the filesystem.

What "Domain users" can do in my domain is quite limited. There are very specific groups and I would prefer to control all access privileges explicitly through 'setfacl' instead of having group permissions lurking in because a user makes a directory somewhere.

So, the main/only reason for me to define/create a specific primary group for each domain user is to ensure its group permissions do not conflict with what I define via 'setfacl'.

I am considering also setting

---- NAS : /etc/smb.conf ---------------------
force group = adm
-----------------------------------------------------

That would be faster to do and easier to maintain than defining a lot of groups.

I found it to be quite easy to make the group from Windows and set the 'Primary group' from Windows as well. I did not find a nice procedure for Linux, but ok, this is not fundamental for the moment.

The 'Primary group' I am talking about is the one that you can see in the Windows 'Active Directory Users and Computers' -> Select a User -> Select 'Member of'.

I can't be more precise than this, my understanding of the permission interplay between Linux/Windows/ACL is still not that much deep.

bye
Nicola

On 2/25/21 10:06 AM, Marco Gaiarin via samba wrote:
> Hi! Nicola Mingotti via samba wrote:
>
>> In these days I am trying to do some polishing/tuning in my NAS
>> and I focused my attention on a detail: all domain users have
>> "Primary group" set to "Domain users".
> It is needed to make a distinction: do you mean 'Windows primary group'
> or 'POSIX primary group'?
L.P.H. van Belle
2021-Feb-25 10:11 UTC
[Samba] Any drawback in changing primary group of domain users ?
Now, that is an option, what you're doing.
As long as you don't use profiles and make sure the user home folders are set correctly, the below should not be a problem, but it can be a problem.

/home/LinuxUsername   : default rights userName:userName
/home/WindowsUsername : default rights userName:Domain Users

Example of my rights for the user's home dir:

drwxrwx---+ 6 root root 4096 Oct 20 17:46 WindowUsername

# file: home/samba/users/obell/
# owner: WindowUsername
# group: root
user::rwx
user:root:rwx
user:WindowUsername:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:2005:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:WindowUsername:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:2005:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

Yeah, it's a bit more work to set up with lots of groups, but after your setup, it's only adding/removing users from the group.

I would avoid setting things like:
> force group = adm
and do this from within Windows. But you have to pick what works best for you in your setup.

As extra, in reply to: [Samba] What happens to files if an employee quits - user removed from AD

Well, by default the user is the owner of the file, which now only has a UID on it, you need to fix that, and if you had a group on it as "primary" group, it's less work, anyone in that group could already handle the files.

This is why I use lots of groups and "Creator Group". If you want to protect personal files in a user home, there you set "Creator Owner" and/or "Creator Group".

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nicola Mingotti
> via samba
> Sent: Thursday, 25 February 2021 10:39
> To: Marco Gaiarin; samba at lists.samba.org; Rowland penny
> CC: nmingotti at gmail.com
> Subject: Re: [Samba] Any drawback in changing primary group of domain
> users ?
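The POSIX ACL evaluation the thread keeps coming back to (the group-writeable default Marco describes, and the explicit ACL in Louis's post), as an added example that is not code from the thread or from Samba. It assumes the constructed names 'foo' and 'bar' and borrows the group '2005' from Louis's output; the group-matching rule follows the POSIX 1003.1e draft that the Linux kernel implements.

```python
# Added example, not code from the thread: the POSIX 1003.1e access check on
# two constructed ACLs shows why a group-writeable file with group 'Domain
# Users' is writeable by every domain user, while an ACL like Louis's is not.

def parse_acl(text):
    """Parse getfacl(1)-style lines into (tag, qualifier, perm-set) tuples;
    '#' comments, '#effective:' notes and default: entries are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("default:"):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries

def check_access(acl, want, uid, groups, owner, owning_group):
    """Does `uid`, whose groups (primary group included) are `groups`,
    hold every permission letter in `want` on an object with this ACL?"""
    want = set(want)
    mask = next((p for t, q, p in acl if t == "mask"), set("rwx"))
    if uid == owner:                              # ACL_USER_OBJ, never masked
        return want <= next(p for t, q, p in acl if t == "user" and q == "")
    for t, q, p in acl:                           # named ACL_USER, masked
        if t == "user" and q == uid:
            return want <= (p & mask)
    matched = False                               # ACL_GROUP_OBJ / ACL_GROUP
    for t, q, p in acl:
        if t == "group" and ((q == "" and owning_group in groups) or q in groups):
            matched = True
            if want <= (p & mask):
                return True
    if matched:               # a group entry applied but none granted `want`
        return False
    return want <= next(p for t, q, p in acl if t == "other")

# Constructed: a file 'foo' just created under umask 002, so it carries the
# default group 'Domain Users' and mode rw-rw-r-- (no extended ACL at all).
PLAIN_FILE = "user::rw-\ngroup::rw-\nother::r--"
# Constructed: a home directory with an ACL in the style of Louis's post.
HOME_DIR = "\n".join(["# owner: foo", "# group: root", "user::rwx",
                      "user:foo:rwx", "group::---", "group:root:---",
                      "group:2005:rwx", "mask::rwx", "other::---",
                      "default:group::---"])
DOMAIN_USER = {"Domain Users"}   # 'bar': an ordinary domain user, no other group
def bar_can_write_plain_file():
    return check_access(parse_acl(PLAIN_FILE), "w", "bar", DOMAIN_USER, "foo", "Domain Users")

def bar_can_read_home_dir():
    return check_access(parse_acl(HOME_DIR), "r", "bar", DOMAIN_USER, "foo", "root")
```

Only the group entries that actually match the caller are consulted, and a match that does not grant the permission denies it outright rather than falling through to `other`, which is why the empty `group::---` entry in Louis's ACL is safe even though the directory is group-owned by root.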