[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..

Andrey Repin anrdaemon at yandex.ru
Thu Apr 30 17:58:44 MDT 2015 

Greetings, Rowland Penny!

>> wbinfo --uid-info 3000008
>> domain admins:*:3000008:3000008::/home/DOMAIN/domain admins:/bin/false
>>
>> wbinfo --gid-info 3000008
>> domain admins:x:3000008:administrator
>>
>> wbinfo --group-info "DOMAIN\domain admins"
>> domain admins:x:3000008:administrator
>>
>> wbinfo --user-info "DOMAIN\domain admins"
>> domain admins:*:3000008:3000008::/home/BAZRTD/domain admins:/bin/false
>>
>>
>> getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
>> # owner: domain\040admins
>> # group: domain\040admins
>> user::rwx
>> group::rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:enterprise\040admins:rwx
>> group:domain\040admins:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:domain\040admins:rwx
>> default:group::---
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:enterprise\040admins:rwx
>> default:group:domain\040admins:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>> the user owner is the group ?  how can the user owner be a group ?
>> I this allowed ?  This i really dont know.

> Yes this a mess and is caused by stupid stupid windows allowing groups 
> to own files,

How you deduced that this is "stupid"? May be it is UNIX file modes "stupid"?
There's no "groups" or "users" per se in Windows security model. Just SID's.
While you can't directly add members to a "user" SID, that is how SID history
works, when you migrate a user between domains. Old domain SID will be added
as a member of the new domain SID to preserve file ownership.

> therefore you end up with ID_TYPE_BOTH in idmap.ldb.

This is really unnecessary.

> From my investigations, it is only one group that owns files: Administrators,

While this is often encountered, it is not really necessary to follow to
the letter in environments, where it can't me applied directly.

> but instead of just making this group 'ID_TYPE_BOTH', samba makes a lot 
> of groups 'ID_TYPE_BOTH', have a look in idmap.ldb.

Thanks, I looked already. Deleted lots, and still have to change more to get
domain working straight.

> I also tested replacing the ownership of files and dirs in sysvol, I 
> changed 'Administrators' for 'Administrator' and changed all occurrences 
> of  'ID_TYPE_BOTH' in idmap.ldb to what it actually is. Looking from 
> windows, I couldn't see any difference, because (and I am no windows 
> expert) I think that windows doesn't actually care who owns the files, 
> it only seems to care about the ACLs.

Exactly. All it care about is what is your SID and how it maps to different
ACE's on the file you are trying to access.
Only very stupid applications would check for explicit file ownership. I only
know of one such application, and it is unlikely to be started from Samba
share.


-- 
With best regards,
Andrey Repin
Friday, May 1, 2015 02:45:55

Sorry for my terrible english...

More information about the samba mailing list