Rowland penny
2021-Feb-25 09:30 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 25/02/2021 09:06, Marco Gaiarin via samba wrote:
> Hi! Nicola Mingotti via samba, on that day, wrote...
>
>> In these days I am trying to do some polishing/tuning in my NAS
>> and I focused my attention on a detail: all domain users have
>> "Primary group" set to "Domain users".
> It is needed to do some distinction: do you mean 'windows primary group'
> or 'POSIX primary group'?

I took it as Windows primary group, mainly because there is no concept of POSIX primary group in AD. A user can have a gidNumber attribute, but this has nothing to do with any primary group.

> AFAI've understood, the former HAVE to be 'Domain users' and 'cannot'
> be changed; the second may change, but have to be listed in (normal)
> group membership.

You can change it, but it isn't recommended.

>> I don't like it much. I would prefer e.g. the user 'foo' to have
>> by default as primary group 'g-foo'.
> Correct. This could have also some ''security implication'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group membership, so this leads to new files and folders created by users with
> group 'Domain Users' and group writeable, eg new files are writeable
> by any users (in 'Domain Users').

There are ways around this, once you get your head around the fact that this is how Windows works. If it works for Windows, it will work on Linux.

Rowland
Marco Gaiarin
2021-Feb-25 11:22 UTC
[Samba] Any drawback in changing primary group of domain users ?
Hi! Rowland penny via samba, on that day, wrote...

> I took it as Windows primary group, mainly because there is no concept of
> POSIX primary group in AD. A user can have a gidNumber attribute, but this
> has nothing to do with any primary group.

Right. But when you have to write data to a share backed up with POSIX ACL (and AFAIK vfs_acl_xattr is a VFS module loaded by default, and acl_xattr:default acl style = posix is the default) files get created with the POSIX primary group.

So, effectively, if you want files not to be owned by 'Domain Users' you have two paths:

a) tackle vfs_acl_xattr parameters and disable POSIX ACL
b) change POSIX primary group.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
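As an added illustration of path (a) above (not from either poster), here is an smb.conf share fragment showing the default behaviour beside the vfs_acl_xattr option that stops the POSIX primary group from governing access to new files; the share name and path are placeholders, and path (b) is done on the user's gidNumber in AD rather than in smb.conf.

```ini
; --- Default-style share: the Windows ACL is mapped onto POSIX ACLs, so a
; new file's group entry comes from the creating user's POSIX primary
; group (the gidNumber, normally 'Domain Users'), which is what the
; thread complains about.
[nas-data-posix]
   path = /srv/samba/nas-data        ; placeholder path
   read only = no
   vfs objects = acl_xattr
   acl_xattr:default acl style = posix   ; the default named in the thread

; --- Same share with the POSIX ACL side disabled: Samba keeps the full
; Windows ACL in the security.NTACL extended attribute and decides access
; from that ACL alone, so the POSIX primary group of the creator no longer
; determines who can write the new file. The group granted in the Windows
; ACL (set from Windows or with samba-tool ntacl) is what counts.
[nas-data-ntacl]
   path = /srv/samba/nas-data        ; placeholder path
   read only = no
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = yes
```

After switching a share to the second form, check the effective ACL of a freshly created file from a Windows client (or with `samba-tool ntacl get`) rather than trusting `ls -l`, because the POSIX mode bits are no longer the authoritative view.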