Set primary group of file or directory on Samba share from Windows

Short version:

I have the following situation on a Samba share:

$ ls -lha
total 12K
drwxr-xr-x  3 hka  Domain Users 4.0K Jan 11 17:07 .
drwxrwxrwt 19 root root         4.0K Jan 11 17:06 ..
drwxr-xr-x  2 hka  Domain Users 4.0K Jan 11 17:07 dir A
-rw-r--r--  1 hka  Domain Users    0 Jan 11 17:07 file A

How can I change this to the following using only a Windows SMB/CIFS client (using 3rd party applications is OK)?

$ ls -lha
total 12K
drwxr-xr-x  3 hka  Domain Users 4.0K Jan 11 17:07 .
drwxrwxrwt 19 root root         4.0K Jan 11 17:06 ..
drwxr-xr-x  2 hka  ntpoweruser  4.0K Jan 11 17:07 dir A
-rw-r--r--  1 hka  ntpoweruser     0 Jan 11 17:07 file A

Rationale and background info

I'm using POSIX ACLs on Samba shares. Together with acl group control for Samba, it allows me to delegate management of permissions to different users based on group membership.

Thing is, when I create a new file on a Samba share, I'm unable to set its primary group (the one that grants permission to change its permissions). It's being set to my primary group (Domain Users) or the group set using the force group option in the smb.conf share definition.

Removing all groups in Windows except the one I want to become the new primary group doesn't work. I can change it using chgrp group folder/ as a regular user through a shell, but it's suboptimal (not all users are *nix users).

Trying to set the new owner to a group from the Windows file permission window makes Samba return permission denied with the following log entry:

[2012/01/05 21:13:03.349734,  3] smbd/nttrans.c:1899(call_nt_transact_set_security_desc)
  call_nt_transact_set_security_desc: file = projects/project A/New folder, sent 0x1
[2012/01/05 21:13:03.349774,  3] smbd/posix_acls.c:1208(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-21-4526631811-884521863-452487935-11025
[2012/01/05 21:13:03.349804,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/nttrans.c(1909) cmd=160 (SMBnttrans) NT_STATUS_INVALID_OWNER

The SID is correct and belongs to the group I specified in the GUI.
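
The three log entries quoted in the question can be correlated mechanically, for example to list every rejected owner change in a larger smbd log. This is an added example, not part of the original post or of Samba; the function names are hypothetical, and it assumes the `sent` value is the SECURITY_INFORMATION bitmask of the request (0x1 owner, 0x2 group, 0x4 DACL, 0x8 SACL).

```python
import re
from collections import namedtuple

# Constructed sample input: the level-3 smbd entries quoted in the question.
SAMPLE_LOG = """\
[2012/01/05 21:13:03.349734,  3] smbd/nttrans.c:1899(call_nt_transact_set_security_desc)
  call_nt_transact_set_security_desc: file = projects/project A/New folder, sent 0x1
[2012/01/05 21:13:03.349774,  3] smbd/posix_acls.c:1208(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-21-4526631811-884521863-452487935-11025
[2012/01/05 21:13:03.349804,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/nttrans.c(1909) cmd=160 (SMBnttrans) NT_STATUS_INVALID_OWNER
"""

HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\]\s+\S+\((\w+)\)\s*$")
FILE_RE = re.compile(r"file = (.+), sent (0x[0-9a-fA-F]+)")
SID_RE = re.compile(r"unable to validate owner sid for (S-\d+(?:-\d+)+)")
STATUS_RE = re.compile(r"\b(NT_STATUS_\w+)\s*$")
# Assumption: "sent" is the SECURITY_INFORMATION mask of the request.
SECINFO_BITS = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL"}

# fields = which parts of the security descriptor the client asked to set
RejectedChange = namedtuple("RejectedChange", "timestamp path fields sid status")

def entries(text):
    """Yield (timestamp, function, message): one header line plus its indented body."""
    ts, func, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if func:
                yield ts, func, " ".join(body)
            ts, func, body = m[1], m[2], []
        elif func and line.strip():
            body.append(line.strip())
    if func:
        yield ts, func, " ".join(body)

def rejected_changes(text):
    """Join each set-security-descriptor request to the SID and error that follow it."""
    pending, out = {}, []
    for ts, func, msg in entries(text):
        if func == "call_nt_transact_set_security_desc" and (m := FILE_RE.search(msg)):
            fields = tuple(n for bit, n in SECINFO_BITS.items() if int(m[2], 16) & bit)
            pending = {"timestamp": ts, "path": m[1], "fields": fields}
        elif func == "unpack_nt_owners" and pending and (m := SID_RE.search(msg)):
            pending["sid"] = m[1]
        elif func == "error_packet_set" and "sid" in pending and (m := STATUS_RE.search(msg)):
            out.append(RejectedChange(status=m[1], **pending))
            pending = {}
    return out
```

On the sample, the single record shows `fields == ("OWNER",)`: the request carried only the owner field of the security descriptor, and that is the SID smbd failed to validate.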


Windows does not have the "Primary Group" concept at all. In other words, domain users simply have "Domain Users" as their primary group, probably because it is the first group to be returned to Samba.

That said, Windows has a means to specify a "Primary Group" for Unix compatibility; basically you have to set a specific AD schema attribute.

If you really want to set a primary group for your Windows users, then you have to do the following:

  • install SFU (Services for UNIX)
  • in the AD Users and Computers panel, you can now double-click on a User and on the "UNIX Attributes" tab you can select a custom "Primary Group/GID".

Some more information can be obtained here and here