getfacl and sysvol

Rowland Penny
Mon Aug 18 11:01:27 MDT 2014

On 18/08/14 17:52, steve wrote:
> On Mon, 2014-08-18 at 17:11 +0100, Rowland Penny wrote:
>> On 18/08/14 16:13, Adam Tauno Williams wrote:
>>>> OK, I wonder if somebody could explain this to me, if I run getfacl on
>>>> /var/lib/samba/sysvol, I get this:
>>> This is a question more appropriate for samba at
>> Why ? I considered before posting here and decided, that as this was a
>> technical question, this was the place to post.
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: var/lib/samba/sysvol
>>>> # owner: root
>>>> # group: 3000000
>>>> user::rwx
>>>> user:root:rwx
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>> If I examine idmap.ldb, I find that the numbers above are mapped to
>>>> Windows well-known RIDs:
>>>> 3000000: CN=S-1-5-32-544
>>>> 3000001: CN=S-1-5-32-549
>>>> 3000002: CN=S-1-5-18
>>>> 3000003: CN=S-1-5-11
>>>> A quick search on the internet turns up a Microsoft page that tells me
>>>> what the RIDs are:
>>>> CN=S-1-5-32-544  Administrators
>>>> CN=S-1-5-32-549  Server Operators
>>>> CN=S-1-5-18         Local System
>>>> CN=S-1-5-11         Authenticated Users
>>>> So we come to the questions.
>>>> Why, if three of the four are groups and the other is an account, are
>>>> they ALL described in idmap.ldb as ID_TYPE_BOTH ?
>>>> I take it that ID_TYPE_BOTH means that the object is both a user and a
>>>> group, how can something be both a user AND a group ?
>>>> Finally, will it break something if I give them a gidNumber or uidNumber ?
>>> I do not see why.  I am considering *trying* the same thing as `hidden`
>>> identities can be confusing.
>> Don't bother, you cannot give 'CN=S-1-5-18' anything because it does not
>> exist in AD, 'CN=S-1-5-18' is a foreignSecurityPrincipal and will not
>> accept either a uidNumber or gidNumber, and giving 'Administrators' a
>> gidNumber does not seem to have any effect, I gave up here ;-)
>>> BTW, I see the same ACLs on my sysvol.  These are set I believe by the
>>> sysvolreset command via samba-tool.
>> They may be, but seeing as I haven't run sysvolreset on sysvol, they
>> must be the standard ACLs. I wanted to try and give the groups
>> gidNumbers to stop having to copy idmap.ldb from the first DC to any
>> further DCs.
>> None of this explains just how an object can be both a user and a group,
>> this is confusing me, but I cannot seem to find anything that explains why.
>> Rowland
> It is more appropriate here. The devs have discussed what to do about
> the builtins before. One suggestion was to have a hard wired db with
> e.g. Administrators at 3000000. That would be for all DCs. Not just the
> first one.
I would prefer it lower down the range, but well above the unix range;
there are, after all, not that many 'well-known RIDs'. If the uid &
gidNumber range was to start at 10000, as Microsoft does, then I am
fairly sure that nobody would ever reach the largest 64-bit number ;-)

> I don't know whether this will get into 4.2, but it would be a great
> help to those suffering GPO problems. Those of us who have by accident
> discovered the idmap db copy-over would greatly appreciate not changing
> the values produced at the moment upon installation of the first DC
> in the domain. This would ease the changeover on upgrade.
> Thanks,
> Steve
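The listing and the idmap.ldb lookup discussed above, as an added example that is not part of the thread or of Samba's own tooling: a Python script that parses getfacl's text output, resolves the Samba-allocated xidNumbers against idmap.ldb records (here a constructed table standing in for what `ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)' objectSid type` would print; that path and the objectSid/xidNumber/type attribute names are assumed from Samba's default layout, not taken from the thread), and reports which principals actually hold write access on the sysvol directory itself once the POSIX ACL mask is applied. The last check is the one worth running on every DC, not just the first: sysvol carries the GPOs, so any write entry there that does not resolve to Administrators or SYSTEM is a policy-injection path.

```python
import re
from collections import namedtuple

# Constructed input: the listing from the thread (getfacl's stderr notice omitted).
GETFACL_OUTPUT = """\
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

# Constructed stand-in for idmap.ldb records (xidNumber -> (objectSid, type)),
# i.e. what `ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)'
# objectSid type` returns; path and attribute names are assumptions.
IDMAP = {
    3000000: ("S-1-5-32-544", "ID_TYPE_BOTH"),
    3000001: ("S-1-5-32-549", "ID_TYPE_BOTH"),
    3000002: ("S-1-5-18", "ID_TYPE_BOTH"),
    3000003: ("S-1-5-11", "ID_TYPE_BOTH"),
}
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
              "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

# default: True for the inherited ("default:") ACL; qualifier is "" for the
# owner, owning-group, mask and other slots, else a name or numeric id.
AclEntry = namedtuple("AclEntry", "default tag qualifier perms")

def parse_getfacl(text):
    """Return (owner, owning_group, [AclEntry]) from getfacl(1) text output."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("#"):                      # "# owner: root", "# group: 3000000"
            m = re.fullmatch(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m[1] == "owner":
                owner = m[2]
            elif m:
                group = m[2]
            continue
        parts = line.split(":")
        default = parts[0] == "default"
        fields = parts[1:] if default else parts
        if len(fields) != 3 or fields[0] not in ("user", "group", "mask", "other") \
                or not re.fullmatch(r"[r-][w-][x-]", fields[2]):
            raise ValueError(f"unparseable ACL line: {line!r}")
        entries.append(AclEntry(default, *fields))
    return owner, group, entries

def principal(qualifier, idmap):
    """Names were already resolved by getfacl via NSS; a bare number is a
    Samba-allocated xid that only idmap.ldb can explain."""
    if not qualifier.isdigit():
        return qualifier
    if int(qualifier) not in idmap:
        return f"{qualifier} (not in idmap.ldb)"
    sid, id_type = idmap[int(qualifier)]
    return f"{WELL_KNOWN.get(sid, sid)} [{sid}, {id_type}]"

def resolve(getfacl_text, idmap):
    """Pair every ACL entry with the principal its qualifier denotes."""
    owner, group, entries = parse_getfacl(getfacl_text)
    return [(e, e.tag if e.tag in ("mask", "other")
             else principal(e.qualifier or (owner if e.tag == "user" else group), idmap))
            for e in entries]

def can_write(getfacl_text, idmap):
    """Principals whose access ACL grants write on the directory itself (the
    default ACL only shapes new children).  Named users, named groups and the
    owning group are filtered through the mask entry, as the kernel does."""
    access = [(e, who) for e, who in resolve(getfacl_text, idmap) if not e.default]
    mask = next((e.perms for e, _ in access if e.tag == "mask"), "rwx")
    writers = set()
    for e, who in access:
        if e.tag in ("mask", "other"):
            continue
        masked = e.tag == "group" or e.qualifier != ""
        perms = "".join(p if p in mask else "-" for p in e.perms) if masked else e.perms
        if "w" in perms:
            writers.add(who)
    return sorted(writers)

if __name__ == "__main__":
    for e, who in resolve(GETFACL_OUTPUT, IDMAP):
        print(f"{'default:' if e.default else '':9}{e.tag:6}{e.perms}  {who}")
    print("write access on sysvol:", can_write(GETFACL_OUTPUT, IDMAP))
```

Run against a real DC, feed it `getfacl /var/lib/samba/sysvol` and an idmap table read from that DC's own idmap.ldb; on a second DC that was not seeded with the first DC's idmap.ldb the numeric IDs in the listing will either be missing from the table or resolve to different SIDs, which is the copy-over problem Steve describes made visible.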
