Hello! Rowland Penny via samba, on that day, wrote:

> If you use the 'rid' idmap backend all users get Domain Users as their
> primary group ID, an example:
>
> id rowland
> uid=11104(rowland) gid=10513(domain users) groups=10513(domain users)..........
>
> but the users also get their own private group:
>
> getent group rowland
> rowland:x:11104:rowland
>
> This comes from Samba and the 'rid' backend.

This is a bit problematic... if I use POSIX ACLs and vfs_acl, this means that all files and folders created by users get full access for all other users...

> You can change a user's primary group by pointing their 'primaryGroupID'
> at a different RID, but you would also have to join the user to
> the Domain Users group. Windows expects every user to be a member of
> Domain Users, so there is little point in changing the user's primary
> group.

As in the AD backend. But I supposed it was a 'problem' (a glitch, indeed) of using the AD backend...

Anyway, the point is that: files and folders on UNIX get created (by default) with the primary group of the user, and so if this is 'Domain Users' all files are by default 'open' to others...
Matthias Kühne | Ellerhold Aktiengesellschaft
2025-Nov-12 06:30 UTC
[Samba] Backend RID and UNIX Primary Group...
Hello,

we've created one group for each share in the AD: fs_<server>_<share>, and give this to the users that should have access to the share. In the share we use

    force group = +AD-DOMAIN\fs_<server>_<share>

This way only users that have this group can access the share (that's what the + does), and if the user has it, then it will be the default group for this connection. New files and directories will be created as AD-DOMAIN\user : AD-DOMAIN\fs_<server>_<share>

Hope this helps!

Bonus points: even RO access is possible with this: create an additional group AD-DOMAIN\fs_<server>_<share>_ro and give it read-only access to the whole share.

Have a nice day,
Matthias.

On 11.11.25 at 18:55, Marco Gaiarin via samba wrote:
> [...]

--
Senior Web Developer, Data Protection Officer
Ellerhold Aktiengesellschaft
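An added example, not code from either message or from the Samba project: a small Python audit that reads an smb.conf and flags shares where new files would carry the user's UNIX primary group (Domain Users under the rid backend), or where 'force group' lacks the '+' prefix that limits the forcing to existing members of the group. The sample smb.conf, the server name fs01 and the fs_fs01_projects groups are constructed.

```python
import configparser

# Constructed sample smb.conf: one unguarded share and one set up the way
# the post describes (group fs_<server>_<share>, forced with '+', plus a
# read-only companion group). Server fs01 and the group names are made up.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = AD-DOMAIN
    security = ADS
    idmap config AD-DOMAIN : backend = rid
    idmap config AD-DOMAIN : range = 10000-999999

[scratch]
    path = /srv/samba/scratch
    read only = no

[projects]
    path = /srv/samba/projects
    read only = no
    valid users = @AD-DOMAIN\fs_fs01_projects @AD-DOMAIN\fs_fs01_projects_ro
    force group = +AD-DOMAIN\fs_fs01_projects
    read list = @AD-DOMAIN\fs_fs01_projects_ro
"""


def audit_shares(conf_text):
    """Return {share name: finding} for every ordinary share section."""
    # smb.conf uses '=' only; keep ':' out of the delimiters so that the
    # 'idmap config DOMAIN : ...' keys in [global] are not split.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    findings = {}
    for share in cp.sections():
        if share.lower() in ("global", "homes", "printers"):
            continue
        fg = cp.get(share, "force group", fallback="").strip()
        if not fg:
            # Default: new files get the user's primary group (Domain Users).
            findings[share] = "no force group: files get the user's primary group"
        elif not fg.startswith("+"):
            # Without '+' Samba forces the group on every connecting user.
            findings[share] = "force group without '+': applied to non-members too"
        elif not cp.get(share, "valid users", fallback="").strip():
            findings[share] = "force group ok, but access not limited by valid users"
        else:
            findings[share] = "ok"
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}] {finding}")
```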