Short version:
I have such situation on a Samba share:
$ ls -lha total 12K drwxr-xr-x 3 hka Domain Users 4.0K Jan 11 17:07 . drwxrwxrwt 19 root root 4.0K Jan 11 17:06 .. drwxr-xr-x 2 hka Domain Users 4.0K Jan 11 17:07 dir A -rw-r--r-- 1 hka Domain Users 0 Jan 11 17:07 file A
How am I able to change this to following using only Windows SMB/CIFS client (using 3rd party applications is OK)
$ ls -lha total 12K drwxr-xr-x 3 hka Domain Users 4.0K Jan 11 17:07 . drwxrwxrwt 19 root root 4.0K Jan 11 17:06 .. drwxr-xr-x 2 hka ntpoweruser 4.0K Jan 11 17:07 dir A -rw-r--r-- 1 hka ntpoweruser 0 Jan 11 17:07 file A
Rationale and background info
I'm using POSIX ACLs on Samba shares. Together with acl group control
for Samba, it allows me to delegate management of permissions to different users based on group membership.
Thing is, when I create a new file on a Samba share, I'm unable to set its primary group (the one that grants permission to change its permissions). It's being set to my primary group (Domain Users) or group set using force group
option in smb.conf
share definition.
Removing all groups in windows except the one I want to become the new primary group doesn't work. I can change it using chgrp group folder/
as regular user though shell, but it's suboptimal (not all users are *nix users).
Trying to set new owner to group from Windows file permission window makes the Samba to return permission denied with following log entry:
[2012/01/05 21:13:03.349734, 3] smbd/nttrans.c:1899(call_nt_transact_set_security_desc) call_nt_transact_set_security_desc: file = projects/project A/New folder, sent 0x1 [2012/01/05 21:13:03.349774, 3] smbd/posix_acls.c:1208(unpack_nt_owners) unpack_nt_owners: unable to validate owner sid for S-1-5-21-4526631811-884521863-452487935-11025 [2012/01/05 21:13:03.349804, 3] smbd/error.c:80(error_packet_set) error packet at smbd/nttrans.c(1909) cmd=160 (SMBnttrans) NT_STATUS_INVALID_OWNER
The SID is correct and belongs to group I specified in GUI.
Windows does not have the "Primary Group" concept at all. In other words, domain users simply have "Domain Users" as their primary group, probably because it is the first group to be returned to Samba.
That said, Windows has a means to specify a "Primary Group" for Unix compatibility; basically you had to set a specific AD schema attribute.
If you really want to set a primary group for your Windows users, the you had to do the following:
Some more information can be obtained here and here
Thinking through this.
So if a domain user creates a file/directory thats where the problem is? You said it did inherit the gid from the smb.conf set by force group, which it is supposed to. So the problem is when a domain user creates a file it doesn't set the file/directory to that users gid, but gets set by to the Domain Users gid?
smb.conf
Could it be the appropiate rids aren't provisioned for? smb group mapping