getfacl and sysvol

Rowland Penny repenny241155 at
Mon Aug 18 10:11:07 MDT 2014

On 18/08/14 16:13, Adam Tauno Williams wrote:
>> OK, I wonder if somebody could explain this to me, if I run getfacl on
>> /var/lib/samba/sysvol, I get this:
> This is a question more appropriate for samba at

Why? I considered this before posting here and decided that, as this was a 
technical question, this was the place to post.

>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>> If I examine idmap.ldb, I find that the numbers above are mapped to
>> Windows well-known RIDs:
>> 3000000: CN=S-1-5-32-544
>> 3000001: CN=S-1-5-32-549
>> 3000002: CN=S-1-5-18
>> 3000003: CN=S-1-5-11
>> A quick search on the internet turns up a Microsoft page that tells me
>> what the RIDs are:
>> CN=S-1-5-32-544  Administrators
>> CN=S-1-5-32-549  Server Operators
>> CN=S-1-5-18      Local System
>> CN=S-1-5-11      Authenticated Users
>> So we come to the questions.
>> Why, if three of the four are groups and the other is an account, are
>> they ALL described in idmap.ldb as ID_TYPE_BOTH ?
>> I take it that ID_TYPE_BOTH means that the object is both a user and a
>> group, how can something be both a user AND a group ?
>> Finally, will it break something if I give them a gidNumber or uidNumber ?
> I do not see why.  I am considering *trying* the same thing as `hidden`
> identities can be confusing.
Don't bother, you cannot give 'CN=S-1-5-18' anything because it does not 
exist in AD; 'CN=S-1-5-18' is a foreignSecurityPrincipal and will not 
accept either a uidNumber or a gidNumber, and giving 'Administrators' a 
gidNumber does not seem to have any effect. I gave up here ;-)

> BTW, I see the same ACLs on my sysvol.  These are set I believe by the
> sysvolreset command via samba-tool.
They may be, but seeing as I haven't run sysvolreset on sysvol, they 
must be the standard ACLs. I wanted to try and give the groups 
gidNumbers to stop having to copy idmap.ldb from the first DC to any 
further DCs.

None of this explains just how an object can be both a user and a group. 
This is confusing me, but I cannot seem to find anything that explains why.
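A small cross-check of the listing above against the idmap.ldb mappings, added here as an example and not code from the thread or from Samba: it parses getfacl output and the LDIF-style records that ldbsearch prints for idmap.ldb, resolves each numeric ACL qualifier to its SID and well-known name, and flags any entry whose mapping type does not permit the xid in that role (ID_TYPE_BOTH answers both uid and gid lookups with the same xid, which is why one mapping can stand behind either a user: or a group: entry). Both inputs are constructed copies of what the post shows; the attribute names `objectSid`, `type` and `xidNumber` are the ones idmap.ldb uses, and the name table is hand-written. On a real DC you would feed it the output of `getfacl /var/lib/samba/sysvol` and `ldbsearch -H /var/lib/samba/private/idmap.ldb` (assuming the default private directory).

```python
"""Cross-check a sysvol getfacl listing against idmap.ldb records. Added example,
not from the original thread; all input is constructed text in the shapes the
post shows (getfacl output, LDIF-style idmap.ldb records)."""
import re

# Constructed getfacl output, abbreviated from the listing in the post.
GETFACL_OUTPUT = """\
# file: var/lib/samba/sysvol
user::rwx
user:root:rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
default:group:3000000:rwx
default:group:3000002:rwx
"""

# Constructed idmap.ldb records for the four xids the post names (attribute
# names as ldbsearch prints them; cn/objectClass lines omitted for brevity).
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-18
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
"""

# Hand-written lookup for the well-known SIDs the post identifies.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
}

# ACL tags each idmap type may back; ID_TYPE_BOTH serves user: and group: alike.
TYPE_ALLOWS = {
    "ID_TYPE_UID": {"user"},
    "ID_TYPE_GID": {"group"},
    "ID_TYPE_BOTH": {"user", "group"},
}


def parse_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} from blank-line separated records."""
    mappings = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if "xidNumber" in attrs:
            mappings[int(attrs["xidNumber"])] = (attrs.get("objectSid"), attrs.get("type"))
    return mappings


def parse_getfacl(text):
    """Return (is_default, tag, qualifier, perms) for each ACL entry line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the '# file/owner/group' header and getfacl's stderr notice.
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((is_default, tag, qualifier, perms))
    return entries


def resolve_acl(getfacl_text, idmap_ldif):
    """Annotate numeric user:/group: entries with SID and name; flag type mismatches."""
    idmap = parse_idmap(idmap_ldif)
    rows = []
    for is_default, tag, qualifier, perms in parse_getfacl(getfacl_text):
        if tag not in ("user", "group") or not qualifier.isdigit():
            continue  # owner/mask/other and named local users (root) need no idmap
        xid = int(qualifier)
        sid, idtype = idmap.get(xid, (None, None))
        rows.append({"default": is_default, "tag": tag, "xid": xid, "perms": perms,
                     "sid": sid, "name": WELL_KNOWN_SIDS.get(sid, sid or "UNMAPPED"),
                     "ok": idtype is not None and tag in TYPE_ALLOWS.get(idtype, set())})
    return rows


if __name__ == "__main__":
    for r in resolve_acl(GETFACL_OUTPUT, IDMAP_LDIF):
        prefix = "default:" if r["default"] else ""
        print(f"{prefix}{r['tag']}:{r['xid']}:{r['perms']} -> {r['name']} [{'ok' if r['ok'] else 'CHECK'}]")
```

An entry marked CHECK is either an xid with no idmap.ldb record at all (which is exactly what happens on a second DC if idmap.ldb was not copied across, since the first DC's xids then mean nothing locally) or an xid whose mapping type does not cover the role the ACL uses it in.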


