getfacl and sysvol
Adam Tauno Williams
awilliam at whitemice.org
Mon Aug 18 09:13:57 MDT 2014
> OK, I wonder if somebody could explain this to me, if I run getfacl on
> /var/lib/samba/sysvol, I get this:
This is a question more appropriate for samba at lists.samba.org
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> If I examine idmap.ldb, I find that the numbers above are mapped to
> Windows well-known RIDs:
> 3000000: CN=S-1-5-32-544
> 3000001: CN=S-1-5-32-549
> 3000002: CN=S-1-5-18
> 3000003: CN=S-1-5-11
> A quick search on the internet turns up a Microsoft page that tells me
> what the RIDs are:
> CN=S-1-5-32-544 Administrators
> CN=S-1-5-32-549 Server Operators
> CN=S-1-5-18 Local System
> CN=S-1-5-11 Authenticated Users
> So we come to the questions.
> Why, if three of the four are groups and the other is an account, are
> they ALL described in idmap.ldb as ID_TYPE_BOTH ?
> I take it that ID_TYPE_BOTH means that the object is both a user and a
> group, how can something be both a user AND a group ?
> Finally, will it break something if I give them a gidNumber or uidNumber ?
I do not see why. I am considering *trying* the same thing as `hidden`
identities can be confusing.
BTW, I see the same ACLs on my sysvol. These are set, I believe, by the
sysvolreset command via samba-tool.
--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
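
An added example, not part of the original message and not Samba code: it annotates getfacl output like that quoted above with the SIDs and names the post lists, and flags numeric IDs that have no mapping. The xid-to-SID table is the one reported in the post from idmap.ldb and differs per installation; the `4000000` entry is constructed to show the unmapped case.

```python
import re

# xid -> SID as the post reports from idmap.ldb (installation-specific)
XID_TO_SID = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
              3000002: "S-1-5-18", 3000003: "S-1-5-11"}
# Well-known SID names as listed in the post
SID_NAMES = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
             "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

# Trimmed getfacl output from the post; the last line is constructed
SAMPLE = """\
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:4000000:rwx
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

def annotate(getfacl_text):
    """Return (scope, tag, qualifier, perms, sid, name) for each ACL entry."""
    rows = []
    for line in getfacl_text.splitlines():
        # Drop header comments and trailing "#effective:" notes
        m = ENTRY.match(line.split("#")[0].strip())
        if not m:
            continue
        scope = "default" if m.group(1) else "access"
        tag, qual, perms = m.group(2), m.group(3), m.group(4)
        sid = XID_TO_SID.get(int(qual)) if qual.isdigit() else None
        if sid:
            name = SID_NAMES.get(sid, sid)
        else:
            name = "UNMAPPED" if qual.isdigit() else ""
        rows.append((scope, tag, qual, perms, sid, name))
    return rows

if __name__ == "__main__":
    for row in annotate(SAMPLE):
        print(*row, sep="\t")
```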