[Samba] SYSTEM gid=70006 in POSIX ACLs ?

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 29 15:35:51 MDT 2014


On 29/10/14 20:26, ?icro MEGAS wrote:
> Hey all,
>
> I decided to use the default ranges in the smb.conf of my member server, so I changed my smb.conf and it looks like that:
> ==================================================
> [global]
>          netbios name = MEMBERSRV
>          workgroup = MYDOM
>          security = ADS
>          realm = MYDOM.EXAMPLE.COM
>          encrypt passwords = yes
>
>          idmap config MYDOM:backend = ad
>          idmap config MYDOM:schema_mode = rfc2307
>          idmap config MYDOM:range = 500-40000
>
>          idmap config *:backend = tdb
>          idmap config *:range = 70001-80000
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          template shell = /bin/false
>
>          username map = /etc/samba/smbmap
>
>          vfs objects = acl_xattr
>          map acl inherit = Yes
>          store dos attributes = Yes
> ==================================================
>
> I am irritated at the moment because of a strange behaviour I never realized before...
>
> I am creating a new share on linux prompt with "mkdir -p /some/share". The directory /some/share has mode 755 and root:root.
> Now through a Windows host I connect to that member server and define following:
>
> [Share] settings:
> -------------------------------
> Domain Users => Full
> Domain Admins => Full
> SYSTEM => Full
>
> [Security] settings:
> -------------------------------
> Domain Users => Read/Execute (this folder only)
> Domain Admins => Full (this folder, subfolder and files)
> SYSTEM => Full (this folder, subfolders and files)
> Creator/Owner => Full (Subfolders and files)
>
> and I unchecked the "inherit" box.
>
> So far so good, when I look at the POSIX ACLs at the linux prompt of the member server, I get following output:
>
> root at membersrv:~$ getfacl /some/share
>
> # file: share/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040admins:rwx
> group:domain\040users:r-x
> group:70006:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040admins:rwx
> default:group:70006:rwx
> default:mask::rwx
> default:other::---
>
> I am confused about gid=70006. I did some tests and found out that this is listed in the POSIX ACLs when I add "SYSTEM" to the Windows security settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that something static inside Windows? And why can't my member server resolve gid 70006 then? Please, anyone, give me some explanation and advice. I am not sure if this is correct. I never realized the 70006 gid before and I am not sure if something's wrong with the idmap stuff on my member server. I want to add that after I adjusted my smb.conf on the member server I restarted samba+winbind and I also tried to delete /var/lib/samba/winbind* and restart samba+winbind again. It didn't change anything; 70006 is still listed unresolved.
>
> Thanks in advance,
> Mirco
Hi, as Steve said, there is not much you can do about it and there is 
nothing to worry about. You are getting this number because you have 
this in smb.conf:

idmap config *:backend = tdb
idmap config *:range = 70001-80000

'*' is the BUILTIN Windows users & groups, and what the above means is:

Store the builtin users & groups in a .tdb file using the range 
70001-80000, starting at 70001. So now can you see where 70006 comes 
from, and why getent doesn't map it to a name?

Rowland
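As an added illustration (this script is not from the thread and is not Samba's own tooling), the following POSIX shell snippet parses an smb.conf and a getfacl listing, both constructed here to mirror the ones quoted above, and reports whether each numeric, unresolved ACL entry falls inside the "idmap config *" tdb range (allocated on the member server for well-known SIDs such as SYSTEM, S-1-5-18) or inside the AD rfc2307 range. The function names, the embedded configuration text and the getfacl text are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify numeric ACL entries by the idmap range they fall into.
# Inputs below are constructed for the example, not read from a live server.

SMB_CONF='[global]
        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
'

GETFACL_OUT='# file: share/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:domain\040admins:rwx
group:domain\040users:r-x
group:70006:rwx
mask::rwx
other::---
default:group:70006:rwx
'

# Print "low high" for the idmap range of a domain tag ("*" or "MYDOM").
# index() is used so the literal "*" in the tag is not treated as a regex.
idmap_range() {
    printf '%s' "$SMB_CONF" | awk -v dom="$1" -F'=' '
        index($1, "idmap config " dom ":range") {
            gsub(/[[:space:]]/, "", $2)
            split($2, r, "-")
            print r[1], r[2]
            exit
        }'
}

# Print each distinct numeric (unresolved) user/group name in the getfacl
# listing, whether it appears in an access or a default entry.
unresolved_ids() {
    printf '%s' "$GETFACL_OUT" | awk -F':' '
        /^(default:)?(user|group):[0-9]+:/ {
            id = ($1 == "default") ? $3 : $2
            if (!(id in seen)) { seen[id] = 1; print id }
        }'
}

# Say which configured idmap range a numeric id belongs to:
#   default-domain : allocated from the "*" tdb range (well-known/BUILTIN SIDs)
#   ad             : inside the MYDOM rfc2307 range (uidNumber/gidNumber from AD)
#   outside        : in neither range
classify_id() {
    id=$1
    set -- $(idmap_range '*')
    star_lo=$1; star_hi=$2
    set -- $(idmap_range 'MYDOM')
    ad_lo=$1; ad_hi=$2
    if [ "$id" -ge "$star_lo" ] && [ "$id" -le "$star_hi" ]; then
        echo "default-domain"
    elif [ "$id" -ge "$ad_lo" ] && [ "$id" -le "$ad_hi" ]; then
        echo "ad"
    else
        echo "outside"
    fi
}

# One line per unresolved id: "<id> <classification>".
report() {
    for id in $(unresolved_ids); do
        printf '%s %s\n' "$id" "$(classify_id "$id")"
    done
}

report
```

On the real member server the same check is done with winbind itself: `wbinfo --gid-to-sid 70006` prints the SID behind the tdb allocation and `wbinfo -s <SID>` prints its name. Because the "*" range is allocated locally into a tdb file in first-come order, the number a well-known SID receives is specific to that server and can differ on another member server or after the idmap tdb is rebuilt; an ACL that embeds such a gid should therefore not be assumed to mean the same thing elsewhere.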


