Is this a bug or a feature?

Stefan Metzmacher metze at samba.org
Thu Mar 9 10:27:41 UTC 2017


Hi Rowland,

we could provide name mappings for the other side of
"both", however it's just cosmetic.

Typically I don't add winbind to nsswitch.conf
on a dc and only get the numbers from ls.

If we someday implement this we should also
provide name mappings for BUILTIN and 'NT AUTHORITY'
sids. See https://bugzilla.samba.org/show_bug.cgi?id=12164

metze

Am 09.03.2017 um 10:54 schrieb Rowland Penny:
> 
> Hi, If I look in idmap.ldb for the RID '512', I find this:
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-512
> cn: S-1-5-21-1768301897-3342589593-1064908849-512
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
> type: ID_TYPE_BOTH
> xidNumber: 3000013
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-512
> 
> As you can see, the 'type' is 'ID_TYPE_BOTH', from my understanding,
> this means that RID '512' (Domain Admins) will be treated as if it is both
> a user and a group. 
> 
> Domain Admins does not have a gidNumber attribute.
> 
> If I add a GPO and then run getfacl on the GPO dir in sysvol, I get
> this:
> 
> getfacl /usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/\{C0B1355A-6915-4396-B8B1-1F120B1316FB\}/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/{C0B1355A-6915-4396-B8B1-1F120B1316FB}/
> # owner: 3000013
> # group: SAMDOM\134domain\040admins
> # flags: -s-
> user::rwx
> user:3000008:r-x
> user:3000014:rwx
> user:3000015:rwx
> user:3000018:r-x
> group::rwx
> group:3000008:r-x
> group:SAMDOM\134domain\040admins:rwx
> group:SAMDOM\134enterprise\040admins:rwx
> group:3000015:rwx
> group:3000018:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000008:r-x
> default:user:3000013:rwx
> default:user:3000014:rwx
> default:user:3000015:rwx
> default:user:3000018:r-x
> default:group::---
> default:group:3000008:r-x
> default:group:SAMDOM\134domain\040admins:rwx
> default:group:SAMDOM\134enterprise\040admins:rwx
> default:group:3000015:rwx
> default:group:3000018:r-x
> default:mask::rwx
> default:other::---
> 
> This is who the numbers are (taken from idmap.ldb):
> 
> 3000008: S-1-5-11 : Authenticated Users
> 3000013: S-1-5-21-1768301897-3342589593-1064908849-512 : Domain Admins
> 3000014: S-1-5-21-1768301897-3342589593-1064908849-519 : Enterprise Admins
> 3000015: S-1-5-18 : Local System
> 3000018: S-1-5-9 : Enterprise Domain Controllers
> 
> They are all 'ID_TYPE_BOTH', but whilst 'Domain Admins' and 'Enterprise
> Admins' are shown as groups, they are only shown as users by number.
> 
> The OS only knows the group as a group by name, it does not know the
> group as a user by name.
> 
> As the subject asks, is this a bug or a feature?
> 
> Rowland 
> 

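The cross-reference Rowland did by hand above (read the numeric owner/ACE entries out of getfacl, look each xidNumber up in idmap.ldb, and note which ID_TYPE_BOTH mappings the OS names as a group but not as a user) is easy to automate when auditing sysvol ACLs on a DC that has no winbind in nsswitch.conf. The script below is an added example, not part of this thread and not Samba project code. The LDIF excerpt, the SID name table and the getfacl text are constructed from the values quoted in the mail (trimmed to three mappings), and the function names parse_idmap, getfacl_unescape, short_name, aces, unresolved_xids and both_asymmetry are our own choice, not a Samba API.

```python
"""Annotate getfacl output on a Samba AD DC with the xidNumber -> SID mappings
from idmap.ldb and flag ID_TYPE_BOTH entries that NSS names only as a group.
Added example, not Samba project code: the LDIF excerpt, the ACL text and the
SID name table are constructed from values quoted in the thread, and every
function name below is our own choice."""
import re

# Constructed idmap.ldb excerpt: three of the xidNumber/SID pairs from the mail,
# reduced to the attributes this script reads.
IDMAP_LDIF = """
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000008

objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
type: ID_TYPE_BOTH
xidNumber: 3000013

objectSid: S-1-5-21-1768301897-3342589593-1064908849-519
type: ID_TYPE_BOTH
xidNumber: 3000014
"""

# Constructed: the names winbind reports for those SIDs, as listed in the mail.
SID_NAMES = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-21-1768301897-3342589593-1064908849-512": "Domain Admins",
    "S-1-5-21-1768301897-3342589593-1064908849-519": "Enterprise Admins",
}

# Constructed: a trimmed copy of the sysvol GPO ACL from the mail.  Raw string,
# so getfacl's \134 (backslash) and \040 (space) escapes stay literal.
GETFACL = r"""
user::rwx
user:3000008:r-x
user:3000014:rwx
group::rwx
group:3000008:r-x
group:SAMDOM\134domain\040admins:rwx
group:SAMDOM\134enterprise\040admins:rwx
default:user:3000013:rwx
default:group:SAMDOM\134domain\040admins:rwx
"""

# Named or numeric user/group entries; the owner, owning-group, mask and other
# entries have an empty qualifier and are deliberately not matched.
ACE_RE = re.compile(r"^(?:default:)?(?P<kind>user|group):(?P<qual>[^:]+):[rwx-]{3}$")


def parse_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} from an LDIF dump of idmap.ldb."""
    table = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "xidNumber" in attrs and "objectSid" in attrs:
            table[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs.get("type", ""))
    return table


def getfacl_unescape(s):
    """Undo getfacl's \\NNN octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def short_name(qual):
    """Drop the DOMAIN\\ prefix and case-fold: 'SAMDOM\\134domain\\040admins' -> 'domain admins'."""
    return getfacl_unescape(qual).rsplit("\\", 1)[-1].lower()


def aces(getfacl_text):
    """Yield (kind, qualifier) for each named or numeric user/group ACE."""
    for line in getfacl_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            yield m.group("kind"), m.group("qual")


def unresolved_xids(getfacl_text, xid_to_sid):
    """Numeric ACEs that NSS left unnamed, mapped back to the SID idmap.ldb holds."""
    return {int(q): xid_to_sid.get(int(q), ("<not in idmap.ldb>",))[0]
            for _, q in aces(getfacl_text) if q.isdigit()}


def both_asymmetry(getfacl_text, xid_to_sid, sid_names):
    """xids with ID_TYPE_BOTH shown by name as a group but only by number as a user."""
    name_to_xid = {sid_names[sid].lower(): xid
                   for xid, (sid, _) in xid_to_sid.items() if sid in sid_names}
    entries = list(aces(getfacl_text))
    numeric_users = {int(q) for k, q in entries if k == "user" and q.isdigit()}
    named_groups = {name_to_xid[short_name(q)] for k, q in entries
                    if k == "group" and short_name(q) in name_to_xid}
    return sorted(x for x in numeric_users & named_groups
                  if xid_to_sid[x][1] == "ID_TYPE_BOTH")


if __name__ == "__main__":
    table = parse_idmap(IDMAP_LDIF)
    for xid, sid in sorted(unresolved_xids(GETFACL, table).items()):
        print(f"{xid} -> {sid} ({SID_NAMES.get(sid, '?')})")
    print("ID_TYPE_BOTH, named only as a group:", both_asymmetry(GETFACL, table, SID_NAMES))
```

On a real DC you would feed parse_idmap() the output of `ldbsearch -H /usr/local/samba/private/idmap.ldb` and replace the constructed SID_NAMES with `wbinfo --sid-to-name` lookups; the matching on the short name is case-insensitive because getfacl prints the group as `SAMDOM\domain admins` while the SID table carries `Domain Admins`.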