Nicola Mingotti
2021-Feb-25 09:39 UTC
[Samba] Any drawback in changing primary group of domain users ?
The reason I want to perform this is because if a user makes a directory it gets by default group "Domain users".

I guess this is creating issues because the permission given to a directory by the fact that a user is in the "Domain users" group may conflict with what I defined plain "Domain users" can do in that area of the filesystem.

What "Domain users" can make in my domain is quite limited. There are very specific groups and I would prefer to control all access privileges explicitly through 'setfacl' instead of having group permissions lurking in because a user makes a directory somewhere.

So, the main/only reason for me to define/create a specific primary group for each domain user is to ensure its group permissions do not conflict with what I define via 'setfacl'.

I am considering also setting
---- NAS : /etc/smb.conf ---------------------
force group = adm
-----------------------------------------------------
That would be faster to do and easier to maintain than defining a lot of groups.

I found it to be quite easy to make the group from Windows and set the 'Primary group' from Windows as well. I did not find a nice procedure for Linux, but ok, this is not fundamental for the moment.

The 'Primary group' I am talking about is the one that you can see in the Windows 'Active Directory Users and Computers' -> Select a User -> Select 'Member of'.

I can't be more precise than this, my understanding of the permission interplay between Linux/Windows/ACL is still not that much deep.

bye
Nicola

On 2/25/21 10:06 AM, Marco Gaiarin via samba wrote:
> Hello! Nicola Mingotti via samba
>   On that day wrote...
>
>> In these days I am trying to do some polishing/tuning in my NAS
>> and I focused my attention on a detail: all domain users have
>> "Primary group" set to "Domain users".
> It is needed to do some distinction: do you mean 'windows primary group'
> or 'POSIX primary group'?
>
> AFAI've understood, the former HAVE to be 'Domain users' and 'cannot'
> be changed; the second may change, but has to be listed in (normal)
> group membership.
>
>
>> I don't like it much. I would prefer e.g. the user 'foo' to have
>> by default as primary group 'g-foo'.
> Correct. This could have also some ''security implication'', if you use
> POSIX ACLs: by default the permission mask is equal to the POSIX primary
> group membership, so this leads to new files and folders created by the user
> with group 'Domain Users' and group writeable, eg new files are writeable
> by any user (in 'Domain Users').
>
>
>> Before I do a systematic change to all my users I would like
>> to know your opinion about this. Do you foresee any issue
>> if I perform such a move?
>> Also, I can change the Primary group from Windows tools
>> but I can't find a proper way of doing it from Linux.
>> Any ideas?
> I'm still a bit 'confused' in this topic, too, so I seek some feedback
> me too...
>
>
> Thanks.
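An added example in POSIX shell, not from the thread, for the two points raised above: finding files on a share that are group-writable through the users' shared primary group (the security implication Marco describes), and checking his condition that a POSIX primary gid also appears in the user's group list. Function names, the temp tree and the gid 513 used in the test are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: two checks an admin can run on the NAS
# for the situations discussed above. Group/gid values in the comments are
# constructed samples, not taken from any real domain.

# 1) Files under share $1 that are group-owned by $2 AND have the group
#    write bit set. When every user's POSIX primary group is the same
#    (e.g. "domain users" via winbind) and the umask leaves g+w, such files
#    are writable by every domain member, which is the problem Marco described.
audit_group_writable() {
    find "$1" -type f -group "$2" -perm -g+w 2>/dev/null
}

# 2) Marco's caveat when changing gidNumber: the primary gid must also be one
#    of the groups the user is a member of. $1 is the primary gid, $2 the
#    whitespace-separated gid list as printed by `id -G user`.
#    Returns 0 if listed, 1 otherwise.
primary_gid_listed() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Wrapper for a real account on this host: compares `id -g` with `id -G`.
check_user_primary() {
    primary_gid_listed "$(id -g "$1")" "$(id -G "$1")"
}

# Self-contained demo: builds a throwaway tree (constructed sample), audits
# it against the current user's primary group and prints the count found.
demo_sample_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/report.txt" "$d/notes.txt"
    chmod 0664 "$d/report.txt"   # group-writable: should be reported
    chmod 0644 "$d/notes.txt"    # not group-writable: should be silent
    n=$(audit_group_writable "$d" "$(id -gn)" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$n"
}

if [ -n "${RUN_DEMO:-}" ]; then demo_sample_tree; fi
```

Run the audit against a real share with `audit_group_writable /srv/share "domain users"` and loop `check_user_primary` over the accounts whose gidNumber you change.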
Rowland penny
2021-Feb-25 10:11 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 25/02/2021 09:39, Nicola Mingotti wrote:
>
> The reason I want to perform this is because
> if a user makes a directory it gets by default group
> "Domain users".
>
> I guess this is creating issues because the permission
> given to a directory by the fact that a user is in the "Domain users"
> group may conflict with what I defined plain "Domain users" can
> do in that area of the filesystem.
>
> What "Domain users" can make in my domain is quite
> limited. There are very specific groups and I would prefer
> to control all access privileges explicitly through 'setfacl'
> instead of having group permissions lurking in because
> a user makes a directory somewhere.
>
> So, the main/only reason for me to define/create a specific
> primary group for each domain user is to ensure its group
> permissions do not conflict with what I define via 'setfacl'.
>
> I am considering also setting
> ---- NAS : /etc/smb.conf ---------------------
> force group = adm
> -----------------------------------------------------
> That would be faster to do and easier to maintain than
> defining a lot of groups.
>
> I found it to be quite easy to make the group from Windows
> and set the 'Primary group' from Windows as well. I did not
> find a nice procedure for Linux, but ok, this is not fundamental
> for the moment.
>
> The 'Primary group' I am talking about is the one that you can
> see in the Windows 'Active Directory Users and Computers'
> -> Select a User -> Select 'Member of'.
>
> I can't be more precise than this, my understanding of the
> permission interplay between Linux/Windows/ACL is still
> not that much deep.

You need to understand that the permissions are stored in three places: in the normal Unix ACLs 'ugo', in an EA that stores the ACLs created by setfacl, and in an EA (security.NTACL) for ACLs created from Windows or by 'samba-tool ntacl set'.

You also need to understand that RSAT on Windows 10 no longer has the Unix Attributes tabs.

There is nothing I can say that can stop you doing it your way, but it isn't sustainable in my opinion. As I said, using one group for all the users works on Windows, so why Unix sysadmins want to do it differently beats me. There is an old English saying 'When in Rome, do as the Romans do', so you are in AD, so I would suggest you do as Windows does.

Rowland
Marco Gaiarin
2021-Feb-25 11:27 UTC
[Samba] Any drawback in changing primary group of domain users ?
Hello! Nicola Mingotti via samba
  On that day wrote...

> The reason I want to perform this is because
> if a user makes a directory it gets by default group
> "Domain users".

Try to change the POSIX primary group, eg 'gidNumber:'. The only thing you have to note is that the group the 'gidNumber' belongs to has to be listed as one of which the user is a member, otherwise something unpredicted could happen.

-- 
dott. Marco Gaiarin                                      GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)