
Re: [Samba] using Windows AD unwanted Group rights get applied to new Files

On Fri, 10 Aug 2018 14:32:01 +0100
"miguel medalha" <medalist@xxxxxxx> wrote:

> > >having a particular group
> > > set as "Primary group" 
> > How are you setting the 'primary group' ?
> The 'primary group' had been set a long time ago, when the system was
> created. It had been set with ADUC, under the "Member of" tab, as
> told before.

Yes, but that shouldn't change the 'primaryGroupID' attribute.

> > By default all AD users (aka windows users) are members of the
> > 'Domain Users' group even though they do not appear in the 'Domain
> > Users' AD object.
> Yes, of course. That's not the point.

No, it's the very point.

> > > and I created a new file and a new folder
> > > inside a share. Looking at it on the security tab, I can see that
> > > the "Domain Users" group is not in the list of permissions. I
> > > logged out.
> > Have you done something strange like changing the contents of the
> > user's 'primaryGroupID' attribute ?
> > > 
> > > As Administrator, using ADUC, in the "Member of" tab I changed the
> > > primary group of the same user to the "Domain users" default.
> > Yep, it sounds like you have.
> > 
> > > I logged on again as the same regular user and I created a new
> > > file and a new folder inside the same share. Looking at the
> > > "Security" tab, I see that the "Domain users" group is now there,
> > > with advanced permissions of "Full Control, This object only" and
> > > "Full Control, This folder only".
> > > 
> > > Resetting the user's primary group to its original group restores
> > > the intended behavior, the "Domain Users" is no longer present in
> > > newly created files or folders.
> > No, this is not the intended behaviour, it might be your intended
> > behavior, but it isn't Windows.
> It is also the behavior intended by the OP. Shouldn't a folder
> inherit the permissions of its parent when inheritance is on? If so,
> why does the group "Domain users" appear there with "Full control"
> permissions when it is not present in the parent folder?
> > All the 'rid' backend does is calculate the user & group ID's from
> > their 'RID'. 
> Yes, I know, but one of your previous posts seems to imply that the
> behavior the OP wants is not possible unless you use the AD backend
> or a convoluted workaround. You also stated that changing the
> "primary group" would be ignored, which isn't. I thought it would be
> helpful to actually test it... I found the problem the OP complained
> about somewhat strange because I had never met it, and I had never
> met it because all my users had their primary group set to the
> intended group from the beginning, some years ago.

What does 'getent passwd ausername' return on a Unix domain member ?

It should return something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The first '10000' is the user's uidNumber and the second is the
gidNumber for 'Domain Users'.
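The following is an added example, not code from this thread or from the Samba project, showing the arithmetic behind the getent check asked for above. It goes a little beyond the message: the 10000/10000 line above is not tied to a particular idmap backend, whereas this block assumes a hypothetical member configured with 'idmap config SAMDOM : backend = rid' and 'range = 10000-999999', for which idmap_rid maps ID = RID - BASE_RID + LOW_RANGE_ID, and uses constructed SIDs, names and getent lines. It computes the uid and gid a member should report for a user, compares them with a getent passwd line, and reports whether the user's primaryGroupID is the well-known Domain Users RID (513).

```python
"""Added example, not code from the Samba thread or project: compute the
Unix IDs an idmap_rid domain member should hand back for a user, compare
them with a 'getent passwd' line, and check whether the user's
primaryGroupID is 'Domain Users' (RID 513).

Assumed (hypothetical) smb.conf on the member:
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range   = 10000-999999
All SIDs, names and getent lines below are constructed sample data.
"""
import re

DOMAIN_USERS_RID = 513            # well-known RID of 'Domain Users'
RANGE_LOW, RANGE_HIGH = 10000, 999999   # assumed 'range' from smb.conf
BASE_RID = 0                      # idmap_rid default for 'base_rid'

# A domain SID is S-1-5-21-<a>-<b>-<c>; the trailing component is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(rid: int) -> int:
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Raises if the result falls outside the configured range, the case in
    which winbind would not map the SID at all."""
    unix_id = rid - BASE_RID + RANGE_LOW
    if not RANGE_LOW <= unix_id <= RANGE_HIGH:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside "
                         f"{RANGE_LOW}-{RANGE_HIGH}")
    return unix_id


def split_sid(sid: str) -> tuple:
    """Split 'S-1-5-21-...-1105' into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def parse_getent(line: str) -> dict:
    """Parse one 'getent passwd' line: name:x:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def check_user(object_sid: str, primary_group_id: int, getent_line: str) -> dict:
    """Compare what AD says about the user (objectSid, primaryGroupID)
    with what the member's getent reports. Returns the expected IDs,
    whether the reported ones match, and whether the primary group is
    Domain Users."""
    _, rid = split_sid(object_sid)
    expected_uid = rid_to_id(rid)
    expected_gid = rid_to_id(primary_group_id)   # primaryGroupID holds a RID
    seen = parse_getent(getent_line)
    return {
        "expected_uid": expected_uid,
        "expected_gid": expected_gid,
        "uid_matches": seen["uid"] == expected_uid,
        "gid_matches": seen["gid"] == expected_gid,
        "primary_is_domain_users": primary_group_id == DOMAIN_USERS_RID,
    }


# Constructed sample data (hypothetical domain, user and getent output).
ALICE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
# Default: primaryGroupID = 513, so the gid is the mapping of Domain Users.
ALICE_DEFAULT = check_user(
    ALICE_SID, 513,
    "SAMDOM\\alice:*:11105:10513:Alice Example:/home/SAMDOM/alice:/bin/bash")
# primaryGroupID changed to a custom group with RID 1200: the gid the
# member reports for the user changes with it.
ALICE_CUSTOM = check_user(
    ALICE_SID, 1200,
    "SAMDOM\\alice:*:11105:11200:Alice Example:/home/SAMDOM/alice:/bin/bash")

if __name__ == "__main__":
    for label, result in (("default", ALICE_DEFAULT), ("custom", ALICE_CUSTOM)):
        print(label, result)
```

On a real member, the getent line is what 'getent passwd SAMDOM\alice' prints and the objectSid/primaryGroupID values come from the user object in AD; the check is only meaningful when the range in the block matches the member's actual idmap config.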

