Matthew Richardson
2022-Aug-17 15:41 UTC
[Samba] unix_primary_group not used when writing files
I have subsequently worked out that to get 'getent group' to show users I need to add the following to smb.conf:

winbind expand groups = 1

This now gives:

$ getent group g_alice
g_alice:x:12345:alice

However even with this setting and having restarted samba etc the files are still group 'domain user'. (I also played with setting 'winbind nested groups' which has no effect).

Don't know if that helps steer the debugging/solving of the bigger issue?

Thanks,

Matthew

On 17/08/2022 13:52, Rowland Penny via samba wrote:
> On Wed, 2022-08-17 at 13:36 +0100, Matthew Richardson via samba wrote:
>> Apologies - I anonymised the real user values and put 'alice' in as
>> the group by mistake - it should say 'g_alice'.
>
> Okay, let's try again :-)
>
> Did you add 'alice' to the group 'g_alice' ?
> If so, how ?
>
> You posted this:
>
> $ getent group g_alice
>
> g_alice:x:12345:
>
> Which doesn't show any users, but you also posted this:
>
> $ groups alice
>
> alice : g_alice domain users
>
> Which does show 'alice' is a member of the 'g_alice' group (if I have
> changed it correctly).
>
> Rowland
Hai.

> I have subsequently worked out that to get 'getent group' to show users I
> need to add the following to smb.conf:
>
> winbind expand groups = 1
>
> This now gives:
>
> $ getent group g_alice
> g_alice:x:12345:alice
>
> However even with this setting and having restarted samba etc the files are
> still group 'domain user'.

Yes and this IS correct and the default.. I recommend NOT to change it.. and you really must.. Change primaryGroupID in the AD, but really, use ACLs..

So what's set as ACL on /home/alice

getfacl /home/alice

Then next part.. it's what Rowland is saying, you should see all the users in the domain user group.

What's set in /etc/nsswitch.conf ? Since you're using Ubuntu and I don't think apparmor is bugging you. If that's the case you should see it in the syslog I think.

The smb.conf is correct.

Ow. ps, one thing.. you don't have "winbind refresh tickets = yes" in, add it. At least, the only thing I didn't see.

I have this in nsswitch.conf on my Debian buster/bullseye servers.

passwd: compat winbind systemd
group: compat winbind systemd
...
hosts: files dns mdns4_minimal [NOTFOUND=return]

Also keep this in mind.. You can add a Windows user with UID/GID in a Linux group. You can not add a Unix user to a Windows group.

So, what I think, the primary GroupID isn't changed from "domain users" to g_alice in the AD.

Or you're hitting a cache problem; try also: net cache flush

but I'm pretty sure it's one of the above points.

Greetz,

Louis
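
The nsswitch.conf and smb.conf checks listed in the reply above, as an added example that is not part of either message and not Samba project code. The function names (`nss_has_winbind`, `smb_global`, `audit`) are hypothetical, the sample files are constructed, and it assumes the boolean spellings yes/true/on/1 for `winbind refresh tickets`.

```shell
#!/bin/sh
# Added example: offline checks for the settings named in the reply above.

# nss_has_winbind FILE DB: succeed if DB's line in nsswitch.conf lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                               # strip comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# smb_global FILE PARAM: print PARAM's value from [global], empty if unset.
# smb.conf ignores case and spaces in parameter names, so both are normalised.
smb_global() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                           # comment lines
        /^[ \t]*\[/ { sect = norm($0); next }            # section header
        sect == "[global]" && (p = index($0, "=")) {
            if (norm(substr($0, 1, p - 1)) == norm(want)) {
                val = substr($0, p + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# audit NSSWITCH SMBCONF: print one finding per line; silent when all is set.
audit() {
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || echo "nsswitch: '$db' does not list winbind"
    done
    case "$(smb_global "$2" 'winbind refresh tickets' | tr 'A-Z' 'a-z')" in
        yes|true|on|1) ;;
        *) echo "smb.conf: 'winbind refresh tickets = yes' is not set" ;;
    esac
    [ "$(smb_global "$2" 'winbind expand groups')" -ge 1 ] 2>/dev/null ||
        echo "smb.conf: 'winbind expand groups' is 0 or unset"
}

# Constructed sample files (not the poster's real configuration).
d=$(mktemp -d)
printf 'passwd: compat winbind systemd\ngroup: compat systemd\n' > "$d/nsswitch.conf"
printf '[global]\n  Winbind Expand Groups = 1\n[homes]\n  read only = no\n' > "$d/smb.conf"
audit "$d/nsswitch.conf" "$d/smb.conf"
```

On a live host, `testparm -s` shows the configuration as Samba itself parses it, which is the authoritative view; the script is for checking copies of the files.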