getfacl and sysvol

steve steve at steve-ss.com
Mon Aug 18 10:42:56 MDT 2014


On Mon, 2014-08-18 at 11:13 -0400, Adam Tauno Williams wrote:
> > OK, I wonder if somebody could explain this to me, if I run getfacl on 
> > /var/lib/samba/sysvol, I get this:
> 
> This is a question more appropriate for samba at lists.samba.org
> 
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol
> > # owner: root
> > # group: 3000000
> > user::rwx
> > user:root:rwx
> > group::rwx
> > group:3000000:rwx
> > group:3000001:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:3000000:rwx
> > default:group:3000001:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::---
> > If I examine idmap.ldb, I find that the numbers above are mapped to 
> > Windows well-known RIDs:
> > 3000000: CN=S-1-5-32-544
> > 3000001: CN=S-1-5-32-549
> > 3000002: CN=S-1-5-18
> > 3000003: CN=S-1-5-11
> > A quick search on the internet turns up a Microsoft page that tells me 
> > what the RIDs are:
> > CN=S-1-5-32-544  Administrators
> > CN=S-1-5-32-549  Server Operators
> > CN=S-1-5-18         Local System
> > CN=S-1-5-11         Authenticated Users
> > So we come to the questions.
> > Why, if three of the four are groups and the other is an account, are 
> > they ALL described in idmap.ldb as ID_TYPE_BOTH?
> > I take it that ID_TYPE_BOTH means that the object is both a user and a 
> > group, how can something be both a user AND a group ?
> > Finally, will it break something if I give them a gidNumber or uidNumber ?
> 
> I do not see why.  I am considering *trying* the same thing as `hidden`
> identities can be confusing.
Hi
You can add a gidNumber (and posixGroup) to Administrators, but you will not
be able to use them. They cannot be extracted from AD. Does anyone know
how?
> 
> BTW, I see the same ACLs on my sysvol.  These are set I believe by the
> sysvolreset command via samba-tool.

You see the same by coincidence and this is probably the first DC in the
domain. sysvolreset depends upon the values you have not in AD but in
the external idmap db.
HTH
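To see what those ACL entries actually grant, here is an added Python example (not code from the thread or from Samba) that parses getfacl output, resolves the numeric xids through a constructed table standing in for idmap.ldb, applies the ACL mask, and reports which named principals can write plus any xid the idmap does not know. The xid and SID tables are assumptions built from the values quoted above; a real audit would read them from the DC's own idmap.ldb.

```python
# Constructed sample based on the getfacl output quoted above, plus one extra
# entry (xid 3000009) to show what an ID missing from idmap.ldb looks like.
SAMPLE_GETFACL = """\
# file: var/lib/samba/sysvol
user::rwx
user:root:rwx
group:3000000:rwx
group:3000002:rwx
group:3000009:rwx
mask::rwx
default:group:3000003:r-x
"""
# Constructed stand-ins for the xid -> SID rows of idmap.ldb and the well-known
# SID names; on a real DC these come from your own idmap.ldb.
IDMAP = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
         3000002: "S-1-5-18", 3000003: "S-1-5-11"}
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
              "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

def parse_getfacl(text, idmap=IDMAP):  # -> (entries, mask); xids resolved via idmap
    entries, mask = [], "rwx"
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # '# file:' style comment lines and blanks
        parts = line.strip().split(":")
        default = parts[0] == "default"
        tag, qual, perms = parts[1:] if default else parts
        if tag == "mask" and not default:
            mask = perms
        sid = idmap.get(int(qual)) if qual.isdigit() else None
        label = qual if not qual.isdigit() else (  # '' = owner/owning group, else a name
            WELL_KNOWN.get(sid, sid) if sid else f"unmapped xid {qual}")
        entries.append({"default": default, "tag": tag, "qualifier": qual,
                        "perms": perms, "sid": sid, "label": label})
    return entries, mask

def effective(perms, mask):  # ACL_MASK caps named users, owning group, named groups
    return "".join(p if p == q else "-" for p, q in zip(perms, mask))

def audit(text, idmap=IDMAP):  # -> (labels that can write, xids idmap cannot explain)
    entries, mask = parse_getfacl(text, idmap)
    writers, unresolved = [], []
    for e in entries:  # defaults only affect new children; owner/owning group skip the mask
        if e["default"] or e["tag"] not in ("user", "group") or not e["qualifier"]:
            continue
        if e["qualifier"].isdigit() and e["sid"] is None:
            unresolved.append(e["qualifier"])
        if "w" in effective(e["perms"], mask):
            writers.append(e["label"])
    return writers, unresolved
```

An xid that shows up as unmapped is the case the reply above describes: the ACL was written from one DC's idmap.ldb, and another DC with a different idmap will not recognise it.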