getfacl and sysvol

Adam Tauno Williams awilliam at
Mon Aug 18 09:13:57 MDT 2014

> OK, I wonder if somebody could explain this to me, if I run getfacl on 
> /var/lib/samba/sysvol, I get this:

This is a question more appropriate for samba at

> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> If I examine idmap.ldb, I find that the numbers above are mapped to 
> Windows well-known RIDs:
> 3000000: CN=S-1-5-32-544
> 3000001: CN=S-1-5-32-549
> 3000002: CN=S-1-5-18
> 3000003: CN=S-1-5-11
> A quick search on the internet turns up a Microsoft page that tells me 
> what the RIDs are:
> CN=S-1-5-32-544  Administrators
> CN=S-1-5-32-549  Server Operators
> CN=S-1-5-18         Local System
> CN=S-1-5-11         Authenticated Users
> So we come to the questions.
> Why, if three of the four are groups and the other is an account, are 
> they ALL described in idmap.ldb as ID_TYPE_BOTH?
> I take it that ID_TYPE_BOTH means that the object is both a user and a 
> group; how can something be both a user AND a group?
> Finally, will it break something if I give them a gidNumber or uidNumber ?

I do not see why.  I am considering *trying* the same thing as `hidden`
identities can be confusing.

BTW, I see the same ACLs on my sysvol.  These are set I believe by the
sysvolreset command via samba-tool.

Adam Tauno Williams <mailto:awilliam at> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
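As an added example that is not part of the original thread or of Samba itself: a small audit script that parses the getfacl output quoted above, resolves the numeric xidNumbers through the idmap.ldb mapping the poster listed, and checks the sysvol ACL against a simple expectation (no rights for `other`, no write bit for Authenticated Users, every numeric id known to the idmap). The sample getfacl text and the xid-to-SID table are constructed from the message; the policy rules and all function names are this example's own assumptions, not a Samba API.

```python
"""Audit a POSIX ACL dump of sysvol against the SIDs it maps to (added example)."""

# Constructed sample: the getfacl output quoted in the thread.
SAMPLE_GETFACL = """\
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

# Constructed xidNumber -> SID table, copied from the idmap.ldb entries the poster listed.
IDMAP = {
    3000000: "S-1-5-32-544",
    3000001: "S-1-5-32-549",
    3000002: "S-1-5-18",
    3000003: "S-1-5-11",
}

# Well-known SID names as given in the thread.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-18": "Local System",
    "S-1-5-11": "Authenticated Users",
}


def parse_getfacl(text):
    """Turn getfacl output into a list of ACL entry dicts; header and
    diagnostic lines ('# ...', 'getfacl: ...') are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError("unexpected ACL line: %r" % raw)
        tag, qualifier, perms = parts
        entries.append({"default": is_default, "tag": tag,
                        "qualifier": qualifier, "perms": perms})
    return entries


def resolve_qualifier(qualifier, idmap=IDMAP, names=WELL_KNOWN):
    """Map a numeric uid/gid from getfacl to 'SID (name)'.
    Non-numeric qualifiers (e.g. 'root') and unknown ids pass through unchanged."""
    if not qualifier.isdigit():
        return qualifier
    sid = idmap.get(int(qualifier))
    if sid is None:
        return qualifier
    return "%s (%s)" % (sid, names.get(sid, "unknown"))


def audit_sysvol_acl(entries, idmap=IDMAP):
    """Return a list of findings; an empty list means the ACL met the (assumed) policy:
    'other' gets nothing, Authenticated Users never gets write, every numeric id is mapped."""
    findings = []
    for e in entries:
        scope = "default" if e["default"] else "access"
        if e["tag"] == "other" and e["perms"] != "---":
            findings.append("%s: other has %s, expected ---" % (scope, e["perms"]))
        if e["tag"] in ("user", "group") and e["qualifier"].isdigit():
            sid = idmap.get(int(e["qualifier"]))
            if sid is None:
                findings.append("%s: %s %s has no idmap entry"
                                % (scope, e["tag"], e["qualifier"]))
            elif sid == "S-1-5-11" and "w" in e["perms"]:
                findings.append("%s: Authenticated Users has write (%s)"
                                % (scope, e["perms"]))
    return findings


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for e in acl:
        print("%-7s %-5s %-32s %s" % ("default" if e["default"] else "access",
                                       e["tag"], resolve_qualifier(e["qualifier"]), e["perms"]))
    print("findings:", audit_sysvol_acl(acl) or "none")
```

On a live DC the same functions can be fed the output of `getfacl /var/lib/samba/sysvol` and a table built from idmap.ldb; the point of resolving the ids first is that a raw `group:3000003:rwx` looks harmless until it is read as Authenticated Users with write access.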

More information about the samba-technical mailing list