[Samba] SYSTEM gid=70006 in POSIX ACLs ?

?icro MEGAS micromegas at mail333.com
Wed Oct 29 14:26:15 MDT 2014

Hey all,

I decided to use the default ranges in the smb.conf of my member server, so I changed my smb.conf and it looks like this:
        netbios name = MEMBERSRV
        workgroup = MYDOM
        security = ADS
        realm = MYDOM.EXAMPLE.COM
        encrypt passwords = yes

        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/false

        username map = /etc/samba/smbmap

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

I am irritated at the moment because of a strange behaviour I never realized before...

I am creating a new share at the Linux prompt with "mkdir -p /some/share". The directory /some/share has mode 755 and root:root.
Now through a Windows host I connect to that member server and define the following:

[Share] settings:
Domain Users => Full
Domain Admins => Full
SYSTEM => Full

[Security] settings:
Domain Users => Read/Execute (this folder only)
Domain Admins => Full (this folder, subfolder and files)
SYSTEM => Full (this folder, subfolders and files)
Creator/Owner => Full (Subfolders and files)

and I unchecked the "inherit" box.

So far so good; when I look at the POSIX ACLs at the Linux prompt of the member server, I get the following output:

root at membersrv:~$ getfacl /some/share

# file: share/
# owner: root
# group: root

I am confused about gid=70006. I did some tests and found out that this is listed in the POSIX ACLs when I add "SYSTEM" to the Windows security settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that something static inside Windows? And why can't my member server resolve gid 70006 then? Please, can anyone give me some explanation and advice? I am not sure if this is correct. I never noticed the 70006 gid before and I am not sure if something's wrong with the idmap stuff on my member server. I want to add that after I adjusted my smb.conf on the member server I restarted samba+winbind, and I also tried to delete /var/lib/samba/winbind* and restart samba+winbind again. It didn't change anything; 70006 is still listed unresolved.

Thanks in advance,
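An added check, not part of the original post: the quickest way to see where an unexpected id comes from is to match it against the "idmap config <DOMAIN>:range" lines in smb.conf. The snippet below does that for the ranges shown in the post (copied into the constructed variable SMB_CONF_TEXT, a hypothetical name) and reports which idmap domain and backend own a given gid. With the poster's ranges, 70006 falls inside the "*" (default) range 70001-80000, i.e. it was allocated by the tdb backend, not by the AD rfc2307 mapping. That is the expected home for SIDs that are not objects of the AD domain, such as the well-known SYSTEM SID S-1-5-18 and the BUILTIN groups, which winbind sends to the default backend.

```shell
#!/bin/sh
# Added example (not from the original post): locate the idmap range that
# contains a numeric uid/gid, using the "idmap config" lines of an smb.conf.
# SMB_CONF_TEXT is a constructed copy of the ranges the poster shows; on a live
# server you would feed it the output of "testparm -s" instead.
SMB_CONF_TEXT='
        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
'

# idmap_domain_for_id ID CONFIG_TEXT
# Prints "<domain> <backend>" for the range containing ID, or "unmapped".
idmap_domain_for_id() {
    printf '%s\n' "$2" | awk -v id="$1" '
        # remember the backend configured for each idmap domain
        /^[[:space:]]*idmap config [^:]+:backend[[:space:]]*=/ {
            split($0, a, ":"); dom = a[1]; sub(/^[[:space:]]*idmap config /, "", dom)
            split($0, b, "="); be = b[2]; gsub(/[[:space:]]/, "", be)
            backend[dom] = be
        }
        # test the id against each domain range "low-high"
        /^[[:space:]]*idmap config [^:]+:range[[:space:]]*=/ {
            split($0, a, ":"); dom = a[1]; sub(/^[[:space:]]*idmap config /, "", dom)
            split($0, b, "="); r = b[2]; gsub(/[[:space:]]/, "", r)
            split(r, lh, "-")
            if (id + 0 >= lh[1] + 0 && id + 0 <= lh[2] + 0) found = dom
        }
        END {
            if (found != "") print found, backend[found]
            else print "unmapped"
        }'
}

# Usage: the gid from the post resolves to the default "*" tdb range.
idmap_domain_for_id 70006 "$SMB_CONF_TEXT"   # prints: * tdb
```

Once you know the id lives in the default range, winbind itself can tell you which SID it was allocated to: "wbinfo --gid-to-sid 70006" on the member server (SYSTEM is S-1-5-18). Because the tdb backend allocates ids locally, the same SID will usually get a different number on every member server, and deleting the winbind tdb files just makes winbind allocate again from the same range.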
