Web lists-archives.com

Re: [Samba] unix_primary_group = yes don t work

thanks for the answer, Louis.
i m talking about the userhome dir.
I ve already read https://wiki.samba.org/index.php/User_Home_Folders and i m applying the posix acls to my share. As the users's home is shared between windows and linux, i d rather use the posix acls than the windows ones.

Beside the homedir of my users have a form like /home/ first letter of name /login ( ex : /home/d/dare ) and i cant change that, this is why i use the [home] share , it s the simplier solution for me.

Is it mandatory to use the windows acls to have the functionnality i m looking for ?

Le 06/02/2019 à 12:08, L.P.H. van Belle via samba a écrit :

-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
Christian Daré via samba
Verzonden: woensdag 6 februari 2019 11:54
Aan: samba@xxxxxxxxxxxxxxx
Onderwerp: [Samba] unix_primary_group = yes don t work


On a samba 4.9.4 fileserver using ad backend with rfc2307  , when i
create a file from a Win10 client, it s always created with
the rights
user:"domain users".
I ve understood that with "unix_primary_group = yes" , the
file should
be created with the rights user:gidNumber .
Yes, and if the gid resolvs to a name then you see the name of the group.

Here is my config :
         security = ADS
         workgroup = SAMBA494
         realm = SAMBA494.UNIV-BREST.FR
         log file = /var/log/samba/%m.log
         log level = 1

         idmap config * : backend = tdb
         idmap config * : range = 700000001-800000000
         idmap config SAMBA494 : backend = ad
         idmap config SAMBA494 : range = 100000-4000000
         idmap config SAMBA494 : schema_mode = rfc2307

        idmap config SAMBA494 : unix_nss_info = yes
        idmap config SAMBA494 : unix_primary_group = yes

        username map = /etc/samba/samba_usermapping

      vfs objects = acl_xattr
      map acl inherit = yes
      store dos attributes = yes

      load printers = no
      printing = bsd
      printcap name = /dev/null
      disable spoolss = yes

      winbind enum users = yes
      winbind enum groups = yes
Once your dont testing, set these to winbind enum user/group to No.
Everything keeps working.
You can test this with: getent passwd username / getent passwd group / id group ..

      winbind use default domain = yes

      usershare path =

      comment = repertoires personnels
      browseable = no
      read only = no
      force create mode = 0755
      force directory mode = 0755

id dare
uid=202369(dare) gid=151495(pnia) groupes=151495(pnia),105000(domain

root@mom11:/home/d/dare# ls -l
total 8
drwxrwxr-x+ 2 dare domain users 4096 févr.  6 11:44 test_win10_v1

root@mom11:/home/d/dare# getfacl test_win10_v1/
# file: test_win10_v1/
# owner: dare
# group: domain\040users

What am i missing ?
Nope, its exact as you have setup.
Your mistake ( not really a misstake but more a misconfiguration / thought..)

Here your checking the "Windows" acls.
  root@mom11:/home/d/dare# getfacl test_win10_v1/

Here your forcing POSTIX acl's.
      force create mode = 0755
      force directory mode = 0755
The above force settings should be removed.

Is this a "userhome dir" or "profiles folder"
Because these needs a bit different rights, .. Depening on you needs..
My suggestion, re-read.




UBO <http://www.univ-brest.fr>

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba