[Samba] Samba4 DC/AD documents created in redirected folders with bogus UID

Rowland Penny rowlandpenny241155 at gmail.com
Thu Aug 20 19:44:59 UTC 2015


On 20/08/15 20:33, Mark Foley wrote:
> Oooo!! You may have something there! I don't know whether these users are in the
> admin group, but they could be.  I have been messing around with admin priv in
> order to allow users to be admins on their own workstations.  I've got a Group
> Policy method with computer startup script and have also created a login on the
> user's workstation with the same name as the user, but as local admin.
>
> I'll check all this out and report back. I won't be near that computer until
> Monday.
>
> btw - how did you know 3000000 is the Administrators group? Where is that and
> the 'S-1-5-32-544' thing defined?

From experience '3000000' is the only UID/GID number you can rely on to 
always be the same on Samba 4 DCs. They are stored in idmap.ldb, you can 
find this in /var/lib/samba/private (on Debian at least), you can read 
it with 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'.

The 'S-1-5-32-544' thing is also known as a 'well known RID'

Rowland

>
> --Mark
>
> -----Original Message-----
>> Date: Thu, 20 Aug 2015 15:56:15 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
>>
>> Are you sure this is a Samba problem ? '3000000' is the UID/GID (yes it
>> is both) for 'S-1-5-32-544' which is the Administrators group. Are the
>> problem users also members of the Administrators group? As far as I am
>> aware there is nothing in Samba that sets the permissions of a share
>> (apart from Sysvol and this is a special case), you have to set the
>> ownership etc somewhere, from the windows security tab for instance, or
>> directly on the share dir on the Samba server. I would check the windows
>> machines, you may find that the problem lies there.
>>
>> Rowland
>>
>>
>> On 20/08/15 15:24, Mark Foley wrote:
>>> Guilherme Boing, on 19 Aug 2015 14:31 you wrote:
>>>
>>>> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
>>> Did you get a solution?
>>>
>>> Odd, but this topic doesn't seem to be getting much traction.  I wonder what
>>> people are using Samba4 for.  Outside of hard-core samba-junkies who love
>>> spending hours testing all kinds of esoteric features, I think most serious
>>> Samba4 AD/DC users are like me: small office, single domain with a dozen-ish
>>> Windows workstations.  We don't have forests and trees scattered all over the
>>> planet.  For us, AD/DC is used for: DNS, DHCP, mail server, Windows
>>> Authenticated login so users can log into any workstation, and redirected
>>> folders so users' desktops follow them to any workstation.
>>>
>>> Those are the fundamentals. Other than Windows Authentication and redirected
>>> folders, I don't really see the point of Active Directory.
>>>
>>> Therefore, for what I consider to be core, real-world Samba4 usage, this problem
>>> of users' files getting created with the wrong UID seems to be a top-priority bug.
>>>
>>> Any suggestions? Something in smb.conf, nsswitch.conf? A setting in RSAT?
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>>> Date: Wed, 19 Aug 2015 14:31:33 -0300
>>>> From: Guilherme Boing <kolt+samba at frag.com.br>
>>>> Cc: samba <samba at lists.samba.org>
>>>> Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders  with bogus UID
>>>>
>>>> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
>>>>
>>>> I have a share (\\samba\it_share) and some users when creating files have
>>>> the UID as 3000000 and some have their correct UIDs.
>>>> Share permissions are being controlled by Windows ACLs.
>>>>
>>>> On Wed, Aug 19, 2015 at 1:58 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>
>>>>> More information,
>>>>>
>>>>> It appears I've had this issue since installing Samba 4.1.0 about 6 months ago.
>>>>> When I add a domain user, the DC resident redirected folder gets synchronized
>>>>> with the user's desktop with the correct UID.
>>>>>
>>>>> For some users, but not all, new "My Documents" get created with UID 3000000 on
>>>>> the DC, not the user's correct ID as shown by wbinfo.  I haven't been able to
>>>>> see a configuration difference between users who are able to create the files
>>>>> with the correct UID and those not.
>>>>>
>>>>> I need to figure this out soon. Otherwise, the users get error messages like
>>>>> "Protected View. This file came from the Internet ..." when trying to open files
>>>>> originally sync'd with the correct UID.
>>>>>
>>>>> --Mark
>>>>>
>>>>> -----Original Message-----
>>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>>> Date: Wed, 19 Aug 2015 01:14:03 -0400
>>>>>> To: samba at lists.samba.org
>>>>>>
>>>>>> My up-front apologies if this topic has been covered. This is my first time
>>>>>> using this list and I don't know how to search for existing topics yet ...
>>>>>> I installed Samba4 on Linux Slackware 64 version 14.1 about 6 months ago. I set
>>>>>> up redirected folders for the Windows 7 Workstation users. All worked fine until
>>>>>> recently. Now, when several of the users create documents and folders on their
>>>>>> "Desktop" (redirected to the DC) they are being created with UID 3000000, which
>>>>>> is not a configured UID. For example:
>>>>>>
>>>>>> $ ls -ltrn "/redirectedFolders/Users/matkeson/My Documents"
>>>>>> -rwxrwx---+ 1 3000045 100  27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
>>>>>> drwxrwx---+ 2 3000045 100   4096 2015-08-11 09:27 Correspondence/
>>>>>> -rwxrwx---+ 1 3000000 100  11423 2015-08-18 11:04 testMark.docx*
>>>>>>
>>>>>> This user's actual UID is 3000045, as created months ago via Windows RSAT.
>>>>>> Confirmed by:
>>>>>>
>>>>>> $ wbinfo -i matkeson
>>>>>> HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false
>>>>>>
>>>>>> I did recently upgrade Samba from the originally installed 4.1.0 to 4.1.17 a
>>>>>> couple of weeks ago, but I can't really confirm that is when the problem started
>>>>>> showing up.  I find files with this 3000000 UID on backups before the upgrade (I
>>>>>> think).
>>>>>>
>>>>>> This does not affect all users. I find 3 for sure it happens to and 3 for sure
>>>>>> it does not happen to.
>>>>>>
>>>>>> I do have "idmap_ldb:use rfc2307 = yes" set in smb.conf
>>>>>>
>>>>>> THX
>>>>>>
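
Added example, not part of the original thread and not Samba code: a small audit that walks a user's redirected-folder tree on the DC and reports every entry whose numeric owner differs from the UID shown by `wbinfo -i`, marking those owned by 3000000 (the UID/GID the thread ties to S-1-5-32-544). The function names and labels are hypothetical; the sample `wbinfo -i` line and the directory path are the ones quoted in the thread.

```python
import os

# Per the thread: on a Samba 4 DC, 3000000 is the UID/GID that idmap.ldb
# assigns to S-1-5-32-544 (the Administrators group).
ADMINISTRATORS_XID = 3000000

# `wbinfo -i matkeson` output as quoted in the thread.
SAMPLE_WBINFO = r"HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false"


def uid_from_wbinfo(line):
    """Return the numeric UID from a passwd-style `wbinfo -i` line."""
    fields = line.strip().split(":")
    if len(fields) < 7 or not fields[2].isdigit():
        raise ValueError(f"not a passwd-style line: {line!r}")
    return int(fields[2])


def classify(owner_uid, expected_uid):
    """Label an owner UID relative to the UID the user should have."""
    if owner_uid == expected_uid:
        return "ok"
    if owner_uid == ADMINISTRATORS_XID:
        return "administrators-xid"
    return "unexpected"


def audit_tree(root, expected_uid):
    """List (relative path, owner UID, label) for entries not owned by expected_uid."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            owner = os.lstat(path).st_uid  # lstat: report symlinks themselves
            label = classify(owner, expected_uid)
            if label != "ok":
                findings.append((os.path.relpath(path, root), owner, label))
    return sorted(findings)


if __name__ == "__main__":
    expected = uid_from_wbinfo(SAMPLE_WBINFO)
    # Path taken from the thread's listing; change it per user.
    for rel, owner, label in audit_tree("/redirectedFolders/Users/matkeson", expected):
        print(f"{owner:>8} {label:<18} {rel}")
```

Running it per user before and after changing group membership or workstation admin rights shows whether new files still land on 3000000.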



