Is this a bug or a feature?

Rowland Penny repenny241155 at gmail.com
Thu Mar 9 09:54:52 UTC 2017


Hi, If I look in idmap.ldb for the RID '512', I find this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-512
cn: S-1-5-21-1768301897-3342589593-1064908849-512
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-512

As you can see, the 'type' is 'ID_TYPE_BOTH'. From my understanding,
this means that RID '512' (Domain Admins) will be treated as if it is
both a user and a group.

Domain Admins does not have a gidNumber attribute.

If I add a GPO and then run getfacl on the GPO dir in sysvol, I get
this:

getfacl /usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/\{C0B1355A-6915-4396-B8B1-1F120B1316FB\}/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/{C0B1355A-6915-4396-B8B1-1F120B1316FB}/
# owner: 3000013
# group: SAMDOM\134domain\040admins
# flags: -s-
user::rwx
user:3000008:r-x
user:3000014:rwx
user:3000015:rwx
user:3000018:r-x
group::rwx
group:3000008:r-x
group:SAMDOM\134domain\040admins:rwx
group:SAMDOM\134enterprise\040admins:rwx
group:3000015:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000008:r-x
default:user:3000013:rwx
default:user:3000014:rwx
default:user:3000015:rwx
default:user:3000018:r-x
default:group::---
default:group:3000008:r-x
default:group:SAMDOM\134domain\040admins:rwx
default:group:SAMDOM\134enterprise\040admins:rwx
default:group:3000015:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---

This is who the numbers are (taken from idmap.ldb):

3000008: S-1-5-11 : Authenticated Users
3000013: S-1-5-21-1768301897-3342589593-1064908849-512 : Domain Admins
3000014: S-1-5-21-1768301897-3342589593-1064908849-519 : Enterprise Admins
3000015: S-1-5-18 : Local System
3000018: S-1-5-9 : Enterprise Domain Controllers

They are all 'ID_TYPE_BOTH', but whilst 'Domain Admins' and 'Enterprise
Admins' are shown as groups, they are only shown as users by number.

The OS only knows the group as a group by name, it does not know the
group as a user by name.

As per the subject, is this a bug or a feature?

Rowland 
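An added example (not from the post, and not Samba's own code) that audits a getfacl listing against the xidNumber-to-name table given above: it decodes getfacl's octal escapes, resolves numeric xids through a constructed copy of that table, and reports which principals are granted as both a user entry and a group entry, which is exactly what an ID_TYPE_BOTH mapping produces when the OS can name the group but not the user side. `IDMAP` and `SAMPLE_ACL` are constructed for this example and only mirror the values in the post.

```python
import re

# Constructed from the xidNumber -> name table in the post; every one is ID_TYPE_BOTH.
IDMAP = {
    3000008: "Authenticated Users",            # S-1-5-11
    3000013: "Domain Admins",                  # RID 512
    3000014: "Enterprise Admins",              # RID 519
    3000015: "Local System",                   # S-1-5-18
    3000018: "Enterprise Domain Controllers",  # S-1-5-9
}

# Constructed getfacl excerpt in the same shape as the sysvol listing in the post.
SAMPLE_ACL = """\
# owner: 3000013
# group: SAMDOM\\134domain\\040admins
user::rwx
user:3000013:rwx
user:3000014:rwx
group:SAMDOM\\134domain\\040admins:rwx
group:3000015:rwx
default:user:3000013:rwx
default:group:SAMDOM\\134domain\\040admins:rwx
"""

def unescape(name):
    """Decode getfacl's octal escapes: \\134 is a backslash, \\040 is a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def canonical(qualifier):
    """Numeric xid -> idmap name; 'DOMAIN\\name' -> name. Lower-cased for comparison."""
    if qualifier.isdigit():
        return IDMAP.get(int(qualifier), "unmapped:" + qualifier).lower()
    return unescape(qualifier).split("\\")[-1].lower()

def parse_acl(text):
    """Return [(is_default, kind, canonical_name, perms)] for qualified user/group entries."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        kind, qualifier, perms = (line[8:] if is_default else line).split(":", 2)
        if kind in ("user", "group") and qualifier:  # skip owner, mask, other
            entries.append((is_default, kind, canonical(qualifier), perms))
    return entries

def dual_identities(entries):
    """Principals that appear as both a user and a group entry: the ID_TYPE_BOTH
    effect, shown numerically on the user side and by name on the group side."""
    users = {n for _, k, n, _ in entries if k == "user"}
    groups = {n for _, k, n, _ in entries if k == "group"}
    return sorted(users & groups)
```

Running `dual_identities(parse_acl(SAMPLE_ACL))` on the constructed listing reports `domain admins`, matching the post's observation that 3000013 and `SAMDOM\domain admins` are the same mapping seen from two sides.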



More information about the samba-technical mailing list