Marco Gaiarin
2021-Feb-25 11:22 UTC
[Samba] Any drawback in changing primary group of domain users ?
Hello! Rowland penny via samba
  On that day it was said...

> I took it as Windows primary group, mainly because there is no concept of
> POSIX primary group in AD. A user can have a gidNumber attribute, but this
> has nothing to do with any primary group.

Right. But when you have to write data to a share backed up with POSIX
ACL (and AFAIK vfs_acl_xattr is a VFS module loaded by default, and
acl_xattr:default acl style = posix is the default) files get created
with POSIX primary group.

So, effectively if you want files not to be owned by 'Domain Users' you
have two paths:

a) tackle with vfs_acl_xattr parameters and disable POSIX ACL

b) change POSIX primary group.

-- 
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland penny
2021-Feb-25 11:38 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 25/02/2021 11:22, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>   On that day it was said...
>
>> I took it as Windows primary group, mainly because there is no concept of
>> POSIX primary group in AD. A user can have a gidNumber attribute, but this
>> has nothing to do with any primary group.
> Right. But when you have to write data to a share backed up with POSIX
> ACL (and AFAIK vfs_acl_xattr is a VFS module loaded by default, and
> acl_xattr:default acl style = posix is the default) files get created
> with POSIX primary group.

Well, yes, but my Unix primary group is:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland@devstation:~$ getent group 10000 | awk -F ':' '{print $1}'
domain users

OOH, look, my Unix primary group is an AD group

> So, effectively if you want files not to be owned by 'Domain Users' you
> have two paths:
>
> a) tackle with vfs_acl_xattr parameters and disable POSIX ACL
>
> b) change POSIX primary group.

But why do you need to use a primary group that isn't Domain Users?

Nobody has ever been able to answer that to my satisfaction, I usually
get something along the lines of 'that is how Unix has always done it'

Rowland
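
Added example, not part of the thread: a shell script that performs the two getent lookups shown in the post above and then checks which group a newly created file receives for the current user. The function names and the sample passwd/group records are constructed for illustration; the second group entry is invented.

```shell
#!/bin/sh
# Added example, not from the thread. Sample records are constructed,
# modelled on the getent output quoted in the post.
SAMPLE_PASSWD='rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'
SAMPLE_GROUP='domain users:x:10000:
unix admins:x:10001:rowland'

# primary_gid USER [PASSWD_TEXT]
# Field 4 of the user's passwd(5) entry is the Unix primary gid. Without
# PASSWD_TEXT the entry is looked up with getent. The name is passed via
# the environment so a backslash (DOMAIN\user) is compared literally.
primary_gid() {
    src=${2:-$(getent passwd "$1")}
    printf '%s\n' "$src" |
        KEY="$1" awk -F: '$1 == ENVIRON["KEY"] { print $4; exit }'
}

# group_name GID [GROUP_TEXT]
# Name of the group whose gid (field 3 of group(5)) matches.
group_name() {
    src=${2:-$(getent group "$1")}
    printf '%s\n' "$src" |
        KEY="$1" awk -F: '$3 == ENVIRON["KEY"] { print $1; exit }'
}

# new_file_gid DIR
# Create a scratch file in DIR as the current user and print the numeric
# group it was given (column 4 of "ls -ln").
new_file_gid() {
    f=$(mktemp "$1/gidcheck.XXXXXX") || return 1
    ls -ln "$f" | awk '{ print $4 }'
    rm -f "$f"
}

# Demo on the constructed records.
gid=$(primary_gid rowland "$SAMPLE_PASSWD")
echo "rowland -> $(group_name "$gid" "$SAMPLE_GROUP") (gid $gid)"

# Live check in a scratch directory: compare the gid of a new file with
# the gid reported by "id -g" for the current user.
scratch=$(mktemp -d)
echo "new file gid: $(new_file_gid "$scratch"), id -g: $(id -g)"
rm -rf "$scratch"
```

On a domain member, calling primary_gid and group_name with only the first argument queries NSS through getent, as in the post.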