[Samba] Samba4 DC/AD documents created in redirected folders with bogus UID

L.P.H. van Belle belle at bazuin.nl
Thu Aug 20 15:04:03 UTC 2015


 

>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 20 August 2015 16:56
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
>
>On 20/08/15 15:24, Mark Foley wrote:
>> Guilherme Boing, on 19 Aug 2015 14:31 you wrote:
>>
>>> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
>> Did you get a solution?
>>
>> Odd, but this topic doesn't seem to be getting much traction.  I wonder what
>> people are using Samba4 for.  Outside of hard-core samba-junkies who love
>> spending hours testing all kinds of esoteric features, I think most serious
>> Samba4 AD/DC users are like me: small office, single domain with a dozen-ish
>> Windows workstations.  We don't have forests and trees scattered all over the
>> planet.  For us, AD/DC is used for: DNS, DHCP, mail server, Windows
>> Authenticated login so users can log into any workstation, and redirected
>> folders so users' desktops follow them to any workstation.
>>
>> Those are the fundamentals. Other than Windows Authentication and redirected
>> folders, I don't really see the point of Active Directory.
>>
>> Therefore, for what I consider to be core, real-world Samba4 usage, this problem
>> of users' files getting created with the wrong UID seems to be a top-priority bug.
>>
>> Any suggestions? Something in smb.conf, nsswitch.conf? A setting in RSAT?
>>
>> --Mark
>>
>> -----Original Message-----
>>> Date: Wed, 19 Aug 2015 14:31:33 -0300
>>> From: Guilherme Boing <kolt+samba at frag.com.br>
>>> Cc: samba <samba at lists.samba.org>
>>> Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
>>>
>>> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
>>>
>>> I have a share (\\samba\it_share) and some users when creating files have
>>> the UID as 3000000 and some have their correct UIDs.
>>> Share permissions are being controlled by Windows ACLs.
>>>
>>> On Wed, Aug 19, 2015 at 1:58 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>
>>>> More information,
>>>>
>>>> It appears I've had this issue since installing Samba 4.1.0 about 6 months
>>>> ago.
>>>> When I add a domain user, the DC resident redirected folder gets synchronized
>>>> with the user's desktop with the correct UID.
>>>>
>>>> For some users, but not all, new "My Documents" get created with UID 3000000 on
>>>> the DC, not the user's correct ID as shown by wbinfo.  I haven't been able to
>>>> see a configuration difference between users who are able to create the files
>>>> with the correct UID and those not.
>>>>
>>>> I need to figure this out soon. Otherwise, the users get error messages like
>>>> "Protected View. This file came from the Internet ..." when trying to open files
>>>> originally sync'd with the correct UID.
>>>>
>>>> --Mark
>>>>
>>>> -----Original Message-----
>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>> Date: Wed, 19 Aug 2015 01:14:03 -0400
>>>>> To: samba at lists.samba.org
>>>>>
>>>>> My up-front apologies if this topic has been covered. This is my first time
>>>>> using this list and I don't know how to search for existing topics yet ...
>>>>> I installed Samba4 on Linux Slackware 64 version 14.1 about 6 months ago. I set
>>>>> up redirected folders for the Windows 7 Workstation users. All worked fine until
>>>>> recently. Now, when several of the users create documents and folders on their
>>>>> "Desktop" (redirected to the DC) they are being created with UID 3000000, which
>>>>> is not a configured UID. For example:
>>>>>
>>>>> $ ls -ltrn "/redirectedFolders/Users/matkeson/My Documents"
>>>>> -rwxrwx---+ 1 3000045 100  27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
>>>>> drwxrwx---+ 2 3000045 100   4096 2015-08-11 09:27 Correspondence/
>>>>> -rwxrwx---+ 1 3000000 100  11423 2015-08-18 11:04 testMark.docx*
>>>>>
>>>>> This user's actual UID is 3000045, as created months ago via Windows RSAT.
>>>>> Confirmed by:
>>>>>
>>>>> $ wbinfo -i matkeson
>>>>> HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false
>>>>>
>>>>> I did recently upgrade Samba from the originally installed 4.1.0 to 4.1.17 a
>>>>> couple of weeks ago, but I can't really confirm that is when the problem started
>>>>> showing up.  I find files with this 3000000 UID on backups before the upgrade (I
>>>>> think).
>>>>>
>>>>> This does not affect all users. I find 3 for sure it happens to and 3 for sure
>>>>> it does not happen to.
>>>>>
>>>>> I do have "idmap_ldb:use rfc2307 = yes" set in smb.conf
>>>>>
>>>>> THX
>>>>>
>
>Are you sure this is a Samba problem ? '3000000' is the UID/GID (yes it
>is both) for 'S-1-5-32-544' which is the Administrators group. Are the
>problem users also members of the Administrators group? As far as I am
>aware there is nothing in Samba that sets the permissions of a share
>(apart from Sysvol and this is a special case), you have to set the
>ownership etc somewhere, from the windows security tab for instance, or
>directly on the share dir on the Samba server. I would check the windows
>machines, you may find that the problem lies there.
>
>Rowland
>
>
>
>

Ah..
If that's the case..

I bet, the following, these 2 users... they speak of..

one has "Domain Admins" as primary group
the other "Domain Users" as primary group

If that's the case, set all users to "Domain Users" as primary group in the UNIX tab

and NEVER work as Admin/Administrator, always as a user.
If you for some reason are working as Admin/Administrator,
then you're doing something wrong, it is not needed, ever imo !

and if you're only using Windows computers/users,
set this in your shares :
acl_xattr:ignore system acls = yes
read the man smb.conf what it does.


Greet, 

Louis
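
An audit for the symptom discussed in this thread, as an added example that is not part of any poster's message: it reads a user's UID from the passwd-style line that `wbinfo -i` prints and lists every entry under that user's redirected folder owned by a different UID, marking 3000000 (the Administrators ID named above). The function names and the command-line usage are assumptions of the example.

```python
#!/usr/bin/env python3
"""Added example: find entries in a redirected folder not owned by the user's winbind UID."""
import os
import subprocess
import sys

# Per the thread, 3000000 is the UID/GID of S-1-5-32-544 (Administrators) on this DC.
ADMINISTRATORS_XID = 3000000


def uid_from_wbinfo_line(line):
    """Return the UID from the passwd-style line printed by `wbinfo -i USER`."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"unexpected wbinfo -i output: {line!r}")
    return int(fields[2])


def lookup_uid(user):
    """Ask winbind for the user's UID (needs wbinfo on the DC or a domain member)."""
    result = subprocess.run(["wbinfo", "-i", user], check=True,
                            capture_output=True, text=True)
    return uid_from_wbinfo_line(result.stdout)


def audit_tree(root, expected_uid):
    """Return sorted (path, uid) pairs for entries under root with another owner."""
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            uid = os.lstat(path).st_uid  # lstat: report a symlink itself, not its target
            if uid != expected_uid:
                mismatches.append((path, uid))
    return sorted(mismatches)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} USER REDIRECTED_FOLDER")
    user, folder = sys.argv[1], sys.argv[2]
    expected = lookup_uid(user)
    for path, uid in audit_tree(folder, expected):
        note = " (Administrators)" if uid == ADMINISTRATORS_XID else ""
        print(f"{uid}{note}\t{path}")
```

Run it on the server that holds the redirected folders, once per user, so that each tree is compared against that user's own UID.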



