Matthew Richardson
2022-Aug-18 09:00 UTC
[Samba] unix_primary_group not used when writing files
Hi,

Thanks for the extra info.

>> However even with this setting and having restarted samba etc the files are
>> still group 'domain user'.
>
> Yes and this IS correct and the default..
> I recommend NOT to change it.. and you really must..
> Change primaryGroupID in the AD, but really, use ACLS..

This doesn't seem to agree with what the Samba wiki docs say:

https://wiki.samba.org/index.php/Idmap_config_ad

"There is now a new setting unix_primary_group, this allows you to use another group for the users primary group instead of Domain Users.

If this is set with unix_primary_group = yes, the users primary group is obtained from the gidNumber attribute found in the users AD object."

"Whichever setting you use, do not change the users primaryGroupID attribute, Windows relies on all users being a member of Domain Users."

> So what's set as ACL on /home/alice
> getfacl /home/alice

Currently I have it set to being owned by group g_alice:

$ getfacl /home/alice
getfacl: Removing leading '/' from absolute path names
# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::r-x
other::r-x

I could explicitly set 'mandatory' ACLs on the homedir and have these propagate, but that feels like a workaround for something that the docs imply shouldn't be needed?

> Then next part..
> its what Rowland is saying, you should see all the users in the domain user group.

Yes, it takes a very long time, but 'getent group "domain users"' does return all domain users.

> What's set in /etc/nsswitch.conf ? since you're using ubuntu and I don't think apparmor is bugging you.
> if that's the case you should see it in the syslog I think.

nsswitch has:

passwd: files systemd winbind
group: files systemd winbind
...
hosts: files dns

> The smb.conf is correct. Ow. ps, one thing..
> you don't have " winbind refresh tickets = yes" in add it.
> At least, the only thing I didn't see.

I do have this in - though I assumed it wasn't relevant at this point?

> Also keep this in mind..
> You can add a windows users with UID/GID in a linux group.
> You can not add a unix users to a Windows group.

Noted.

> So, what I think, the primary GroupID isn't changed from "domain users" to g_alice in the AD.
> Or you hitting cache problem; try also : net cache flush

Caches flushed, services (and server) restarted - no change.

Thanks,
Matthew

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Rowland Penny
2022-Aug-18 09:24 UTC
[Samba] unix_primary_group not used when writing files
On Thu, 2022-08-18 at 10:00 +0100, Matthew Richardson via samba wrote:
> Hi,
>
> Thanks for the extra info.
>
> > > However even with this setting and having restarted samba etc the
> > > files are
> > > still group 'domain user'.
> >
> > Yes and this IS correct and the default..
> > I recommend NOT to change it.. and you really must..
> > Change primaryGroupID in the AD, but really, use ACLS..
>
> This doesn't seem to agree with what the Samba wiki docs say:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> "There is now a new setting unix_primary_group, this allows you to use
> another group for the users primary group instead of Domain Users.
>
> If this is set with unix_primary_group = yes, the users primary group is
> obtained from the gidNumber attribute found in the users AD object."
>
> "Whichever setting you use, do not change the users primaryGroupID
> attribute, Windows relies on all users being a member of Domain
> Users."

Yes, whatever you do, do not change the primaryGroupID attribute.

> > So what's set as ACL on /home/alice
> > getfacl /home/alice
>
> Currently I have it set to being owned by group g_alice:
>
> $ getfacl /home/alice
> getfacl: Removing leading '/' from absolute path names
> # file: home/alice
> # owner: alice
> # group: g_alice
> user::rwx
> group::r-x
> other::r-x
>
> I could explicitly set 'mandatory' ACLs on the homedir and have these
> propagate, but that feels like a workaround for something that the docs
> imply shouldn't be needed?

Where does it imply that? Tell me and I will change it.

Your problem is possibly being caused by the share being connected by a member of the g_alice group (yes, I know there is only one user) and the group doesn't have write access.

> ...
> hosts: files dns
>
> > The smb.conf is correct. Ow. ps, one thing..
> > you don't have " winbind refresh tickets = yes" in add it.
> > At least, the only thing I didn't see.
>
> I do have this in - though I assumed it wasn't relevant at this point?

It is always relevant, without it being set, your kerberos tickets will expire after 10hrs and will not get renewed.

Rowland
On 8/18/22 11:00, Matthew Richardson via samba wrote:
>> So, what I think, the primary GroupID isn't changed from "domain
>> users" to g_alice in the AD. Or you hitting cache problem; try
>> also : net cache flush
>
> Caches flushed, services (and server) restarted - no change.

Did you change the config to use unix_primary_group after users had been using the system before? Samba caches user tokens as part of the so called samlogon cache.

net cache samlogon {list|delete}

is your friend here.

Besides that, can the gid be resolved? I.e. is it actually set as gid of some group in AD? Not sure if this has already been discussed in this thread...

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Matthew
> Richardson via samba
> Sent: Thursday 18 August 2022 11:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] unix_primary_group not used when writing files
>
> Hi,
>
> Thanks for the extra info.
>
> >> However even with this setting and having restarted samba etc the files
> >> are still group 'domain user'.
> >
> > Yes and this IS correct and the default..
> > I recommend NOT to change it.. and you really must..
> > Change primaryGroupID in the AD, but really, use ACLS..
>
> This doesn't seem to agree with what the Samba wiki docs say:

I think I said it wrongly.. see lower...

> https://wiki.samba.org/index.php/Idmap_config_ad
>
> "There is now a new setting unix_primary_group, this allows you to use
> another group for the users primary group instead of Domain Users.
>
> If this is set with unix_primary_group = yes, the users primary group is
> obtained from the gidNumber attribute found in the users AD object."
>
> "Whichever setting you use, do not change the users primaryGroupID
> attribute, Windows relies on all users being a member of Domain Users."

Yes,.. Ahh, a better try to say where it is.. (* where I change it if needed).

Only if you change the "Primary Group name/GID" in the Unix attributes tab in ADUC (* W7 or W2008 or lower versions of windows still show the Unix tab).
That's the resulting group linux writes.. *( which is by default in windows, always "domain users")
Only when I change that on a user, I get the group.

And I also did read the wiki again.. If it is all correct as you think, then you have found a bug..

Rowland, the "Primary Group name/GID" in the Unix attributes tab in ADUC .. Can you show how to get that current value from ldapsearch?
Since I do see, or it at least looks like, the correct group was set, since it is showing the g_alice group with id command.

Greetz,
Louis
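As an added example (not code from any of the posters or from Samba), here is the consistency check the last two replies are circling around: with unix_primary_group = yes the user's gidNumber must equal the gidNumber of some group object, primaryGroupID must stay 513 (the Domain Users RID), and the home directory's group should then be that group. It parses constructed getfacl and ldapsearch (LDIF) output embedded inline; the DNs, the gidNumber 10001 and the group name g_alice are assumptions, and a directory still owned by Domain Users shows up as the last finding, which is where a stale samlogon cache would surface.

```python
import re
DOMAIN_USERS_RID = 513  # well-known RID; every AD user's primaryGroupID should stay 513

# Constructed sample output, modelled on the getfacl listing in the thread.
GETFACL_OUTPUT = """\
# file: home/alice
# owner: alice
# group: g_alice
user::rwx
group::r-x
other::r-x
"""
# Constructed LDIF as ldapsearch prints it; the DNs and 10001 are made up.
USER_LDIF = """\
dn: CN=alice,OU=People,DC=example,DC=com
sAMAccountName: alice
primaryGroupID: 513
gidNumber: 10001
"""
GROUP_LDIF = """\
dn: CN=g_alice,OU=Groups,DC=example,DC=com
sAMAccountName: g_alice
gidNumber: 10001
"""

def parse_ldif(text):
    """Return {attribute: value} for a single-entry LDIF block."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def parse_getfacl(text):
    """Return (owner, group) from the '# owner:' / '# group:' header lines."""
    hdr = dict(re.findall(r"^# (owner|group): (.+)$", text, re.M))
    return hdr["owner"], hdr["group"]

def check_primary_group(user_ldif, group_ldif, facl):
    """Return a list of findings; an empty list means AD and the filesystem agree."""
    user, group = parse_ldif(user_ldif), parse_ldif(group_ldif)
    _owner, dir_group = parse_getfacl(facl)
    expected = group.get("sAMAccountName")
    findings = []
    if int(user.get("primaryGroupID", DOMAIN_USERS_RID)) != DOMAIN_USERS_RID:
        findings.append("primaryGroupID is not 513: Windows expects Domain Users")
    if "gidNumber" not in user:
        findings.append("user has no gidNumber, so unix_primary_group = yes has nothing to use")
    elif user["gidNumber"] != group.get("gidNumber"):
        findings.append(f"user gidNumber {user['gidNumber']} matches no gidNumber on {expected}")
    if dir_group != expected:
        findings.append(f"{dir_group} owns the directory but {expected} was expected: check token cache")
    return findings
```

Replace the three constructed strings with real `getfacl` output and the `ldapsearch` results for the user and the group to run it against a live domain.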