[Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Aug 20 18:18:29 UTC 2015
On 20/08/15 19:10, Guilherme Boing wrote:
> Good to know that this is not a bug.
>
> Thank you!
>
> On Thu, Aug 20, 2015 at 3:05 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 20/08/15 18:26, Guilherme Boing wrote:
>
> Yes, you are correct.
>
> The users where the UID 3000000 was the owner were users that belong to
> Domain Admins group.
> Is this the correct behaviour ? I have other users that are in different
> groups (e.g. Marketing) and whenever they create a new file, their own UID
> shows up as the owner of that file, not the "Marketing" group.
>
> This only happens with Domain Admins ?
>
>
> You could start here:
>
> http://serverfault.com/questions/19311/file-ownership-for-new-files-with-administrator-why-is-it-giving-ownership-to
>
> Rowland
>
>
>
>
> Thanks.
>
> On Thu, Aug 20, 2015 at 12:04 PM, L.P.H. van Belle
> <belle at bazuin.nl> wrote:
>
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Thursday 20 August 2015 16:56
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
>
> On 20/08/15 15:24, Mark Foley wrote:
>
> Guilherme Boing, on 19 Aug 2015 14:31 you wrote:
>
> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
>
> Did you get a solution?
>
> Odd, but this topic doesn't seem to be getting much traction. I wonder what
> people are using Samba4 for. Outside of hard-core samba-junkies who love
> spending hours testing all kinds of esoteric features, I think most serious
> Samba4 AD/DC users are like me: small office, single domain with a dozen-ish
> Windows workstations. We don't have forests and trees scattered all over the
> planet. For us, AD/DC is used for: DNS, DHCP, mail server, Windows
> Authenticated login so users can log into any workstation, and redirected
> folders so users' desktops follow them to any workstation.
>
> Those are the fundamentals. Other than Windows Authentication and redirected
> folders, I don't really see the point of Active Directory.
>
> Therefore, for what I consider to be core, real-world Samba4 usage, this problem
> of users' files getting created with the wrong UID seems to be a top-priority bug.
>
> Any suggestions? Something in smb.conf, nsswitch.conf? A setting in RSAT?
>
> --Mark
>
> -----Original Message-----
>
> Date: Wed, 19 Aug 2015 14:31:33 -0300
> From: Guilherme Boing <kolt+samba at frag.com.br>
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
>
> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
>
> I have a share (\\samba\it_share) and some users when creating files have
> the UID as 3000000 and some have their correct UIDs.
> Share permissions are being controlled by Windows ACLs.
>
> On Wed, Aug 19, 2015 at 1:58 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>
> More information,
>
> It appears I've had this issue since installing Samba 4.1.0 about 6 months
> ago.
> When I add a domain user, the DC resident redirected folder gets synchronized
> with the user's desktop with the correct UID.
>
> For some users, but not all, new "My Documents" get created with UID 3000000 on
> the DC, not the user's correct ID as shown by wbinfo. I haven't been able to
> see a configuration difference between users who are able to create the files
> with the correct UID and those not.
>
> I need to figure this out soon. Otherwise, the users get error messages like
> "Protected View. This file came from the Internet ..." when trying to open files
> originally sync'd with the correct UID.
>
> --Mark
>
> -----Original Message-----
>
> From: Mark Foley <mfoley at novatec-inc.com>
> Date: Wed, 19 Aug 2015 01:14:03 -0400
> To: samba at lists.samba.org
>
> My up-front apologies if this topic has been covered. This is my first time
> using this list and I don't know how to search for existing topics yet ...
>
> I installed Samba4 on Linux Slackware 64 version 14.1 about 6 months ago. I set
> up redirected folders for the Windows 7 Workstation users. All worked fine until
> recently. Now, when several of the users create documents and folders on their
> "Desktop" (redirected to the DC) they are being created with UID 3000000, which
> is not a configured UID. For example:
>
> $ ls -ltrn "/redirectedFolders/Users/matkeson/My Documents"
> -rwxrwx---+ 1 3000045 100 27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
> drwxrwx---+ 2 3000045 100 4096 2015-08-11 09:27 Correspondence/
> -rwxrwx---+ 1 3000000 100 11423 2015-08-18 11:04 testMark.docx*
>
> This user's actual UID is 3000045, as created months ago via Windows RSAT.
> Confirmed by:
>
> $ wbinfo -i matkeson
> HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false
>
> I did recently upgrade Samba from the originally installed 4.1.0 to 4.1.17 a
> couple of weeks ago, but I can't really confirm that is when the problem started
> showing up. I find files with this 3000000 UID on backups before the upgrade (I
> think).
>
> This does not affect all users. I find 3 for sure it happens to and 3 for sure
> it does not happen to.
>
> I do have "idmap_ldb:use rfc2307 = yes" set in smb.conf
>
> THX
>
> Are you sure this is a Samba problem ? '3000000' is the UID/GID (yes it
> is both) for 'S-1-5-32-544' which is the Administrators group. Are the
> problem users also members of the Administrators group? As far as I am
> aware there is nothing in Samba that sets the permissions of a share
> (apart from Sysvol and this is a special case), you have to set the
> ownership etc somewhere, from the windows security tab for instance, or
> directly on the share dir on the Samba server. I would check the windows
> machines, you may find that the problem lies there.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL
> and read the
> instructions:
> https://lists.samba.org/mailman/options/samba
>
>
> Ah..
> If that's the case..
>
> I bet, the following, these 2 users... the speak of..
>
> one has "Domain Admins" as primary group
> the other "Domain Users" as primary group
>
> If that's the case, set all users to "Domain Users" as primary group in the
> UNIX tab
>
> and NEVER work as Admin/Administrator, always as a user.
> If you for some reason are working as Admin/Administrator,
> then you're doing something wrong, it is not needed, ever imo !
>
> and if you're only using windows computer/users,
> set this in your shares :
> acl_xattr:ignore system acls = yes
> read the man smb.conf what it does.
>
>
> Greet,
>
> Louis
>
>
>
>
The problem is that on windows a group can own files, this is something
that cannot happen on Unix, also a group can be a member of another
group. So, as in this case, a user who is a member of 'Domain Admins'
ends up creating a file belonging to the 'Administrators' group because
windows decided it was a good idea!
Rowland
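
An added example, not part of the original thread: a Python audit that reports, per user folder under a redirected-folder root, which entries are owned by the xid mapped to the Administrators group rather than by the user's own UID. The `<user>/...` layout, the `expected_uid` table (filled from `wbinfo -i`), the `jdoe` entry and the function names are assumptions; 3000000 and 3000045 are the values quoted in the thread.

```python
import os
from collections import defaultdict

# From the thread: xid 3000000 is the UID/GID mapped to S-1-5-32-544
# (the Administrators group) on the DC discussed. Check your own mapping.
ADMINISTRATORS_XID = 3000000


def scan_owners(root):
    """Yield (path relative to root, owner uid) for everything under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.lstat(full).st_uid


def audit(entries, expected_uid, group_xid=ADMINISTRATORS_XID):
    """Classify entries laid out as <user>/<...> (assumed layout).

    expected_uid maps folder name -> UID reported by `wbinfo -i <user>`.
    Returns {user: {"ok": [...], "group_owned": [...], "other": [...]}}.
    """
    report = defaultdict(lambda: {"ok": [], "group_owned": [], "other": []})
    for relpath, uid in entries:
        user = relpath.replace(os.sep, "/").split("/", 1)[0]
        if uid == group_xid:
            bucket = "group_owned"  # owner is the Administrators group mapping
        elif uid == expected_uid.get(user):
            bucket = "ok"           # owner is the user's own UID
        else:
            bucket = "other"        # some third owner; needs a manual look
        report[user][bucket].append(relpath)
    return dict(report)


# Constructed sample mirroring the listing in the thread, plus one
# hypothetical user (jdoe) who is not affected.
SAMPLE = [
    ("matkeson/My Documents/Accounts 7-1-2015.docx", 3000045),
    ("matkeson/My Documents/Correspondence", 3000045),
    ("matkeson/My Documents/testMark.docx", 3000000),
    ("jdoe/Desktop/notes.txt", 3000050),
]
EXPECTED = {"matkeson": 3000045, "jdoe": 3000050}

if __name__ == "__main__":
    for user, buckets in audit(SAMPLE, EXPECTED).items():
        print(user, {k: len(v) for k, v in buckets.items()})
```

On a live server, pass `scan_owners("/redirectedFolders/Users")` as `entries`; users with a non-empty `group_owned` list are the ones whose group memberships are worth checking.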