[Samba] Samba4 DC/AD documents created in redirected folders with bogus UID

Mark Foley mfoley at novatec-inc.com
Tue Aug 25 04:31:11 UTC 2015


Turns out Rowland hit the nail on the head. I confirmed that the affected users
were in the 'Administrators' Group. When I removed them from that group, all new
files were then created with their *real* UID.

As to whether this is "correct" behavior (L.P.H. van Belle's comment), Rowland's
suggested link: http://serverfault.com/questions/19311/file-ownership-for-new-files-with-administrator-why-is-it-giving-ownership-to
gives a more-or-less explanation. My short version: another Windows security
hack to try and shore-up a fundamentally unsecure OS. 

Whether or not the behavior seems correct to [U|Li]nix users matters not. Active
Directory is Microsoft's sandbox and we have to play by Microsoft's rules.

Very helpful thread. I doubt I would have figured this out on my own.

Thanks all --Mark

-----Original Message-----
> From: Mark Foley <mfoley at novatec-inc.com>
> Date: Thu, 20 Aug 2015 15:33:39 -0400
> Organization: Novatec Software Engineering, LLC
> To: samba at lists.samba.org
>
> Oooo!! You may have something there! I don't know whether these users are in the
> admin group, but they could be.  I have been messing around with admin priv in
> order to allow users to be admins on their own workstations.  I've got a Group
> Policy method with computer startup script and have also created a login on the
> user's workstation with the same name as the user, but as local admin. 
>
> I'll check all this out and report back. I won't be near that computer until
> Monday.
>
> btw - how did you know 3000000 is the Administrators group? Where is that and
> the 'S-1-5-32-544' thing defined?
>
> --Mark
>
> -----Original Message-----
> > Date: Thu, 20 Aug 2015 15:56:15 +0100
> > From: Rowland Penny <rowlandpenny241155 at gmail.com>
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders with bogus UID
> >
> > Are you sure this is a Samba problem? '3000000' is the UID/GID (yes it
> > is both) for 'S-1-5-32-544' which is the Administrators group. Are the 
> > problem users also members of the Administrators group? As far as I am 
> > aware there is nothing in Samba that sets the permissions of a share 
> > (apart from Sysvol and this is a special case), you have to set the 
> > ownership etc somewhere, from the windows security tab for instance, or 
> > directly on the share dir on the Samba server. I would check the windows 
> > machines, you may find that the problem lies there.
> >
> > Rowland
> >
> >
> >
> > On 20/08/15 15:24, Mark Foley wrote:
> > > Guilherme Boing, on 19 Aug 2015 14:31 you wrote:
> > >
> > >> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
> > > Did you get a solution?
> > >
> > > Odd, but this topic doesn't seem to be getting much traction.  I wonder what
> > > people are using Samba4 for.  Outside of hard-core samba-junkies who love
> > > spending hours testing all kinds of esoteric features, I think most serious
> > > Samba4 AD/DC users are like me: small office, single domain with a dozen-ish
> > > Windows workstations.  We don't have forests and trees scattered all over the
> > > planet.  For us, AD/DC is used for: DNS, DHCP, mail server, Windows
> > > Authenticated login so users can log into any workstation, and redirected
> > > folders so users' desktops follow them to any workstation.
> > >
> > > Those are the fundamentals. Other than Windows Authentication and redirected
> > > folders, I don't really see the point of Active Directory.
> > >
> > > Therefore, for what I consider to be core, real-world Samba4 usage, this problem
> > > of users' files getting created with the wrong UID seems to be a top-priority bug.
> > >
> > > Any suggestions? Something in smb.conf, nsswitch.conf? A setting in RSAT?
> > >
> > > --Mark
> > >
> > > -----Original Message-----
> > >> Date: Wed, 19 Aug 2015 14:31:33 -0300
> > >> From: Guilherme Boing <kolt+samba at frag.com.br>
> > >> Cc: samba <samba at lists.samba.org>
> > >> Subject: Re: [Samba] Samba4 DC/AD documents created in redirected folders  with bogus UID
> > >>
> > >> I just noticed that my fresh install of Samba 4.2.3 has the same behaviour.
> > >>
> > >> I have a share (\\samba\it_share) and some users when creating files have
> > >> the UID as 3000000 and some have their correct UIDs.
> > >> Share permissions are being controlled by Windows ACLs.
> > >>
> > >> On Wed, Aug 19, 2015 at 1:58 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
> > >>
> > >>> More information,
> > >>>
> > >>> It appears I've had this issue since installing Samba 4.1.0 about 6 months ago.
> > >>> When I add a domain user, the DC resident redirected folder gets synchronized
> > >>> with the user's desktop with the correct UID.
> > >>>
> > >>> For some users, but not all, new "My Documents" get created with UID 3000000 on
> > >>> the DC, not the user's correct ID as shown by wbinfo.  I haven't been able to
> > >>> see a configuration difference between users who are able to create the files
> > >>> with the correct UID and those not.
> > >>>
> > >>> I need to figure this out soon. Otherwise, the users get error messages like
> > >>> "Protected View. This file came from the Internet ..." when trying to open files
> > >>> originally sync'd with the correct UID.
> > >>>
> > >>> --Mark
> > >>>
> > >>> -----Original Message-----
> > >>>> From: Mark Foley <mfoley at novatec-inc.com>
> > >>>> Date: Wed, 19 Aug 2015 01:14:03 -0400
> > >>>> To: samba at lists.samba.org
> > >>>>
> > >>>> My up-front apologies if this topic has been covered. This is my first time
> > >>>> using this list and I don't know how to search for existing topics yet ...
> > >>>>
> > >>>> I installed Samba4 on Linux Slackware 64 version 14.1 about 6 months ago. I set
> > >>>> up redirected folders for the Windows 7 Workstation users. All worked fine until
> > >>>> recently. Now, when several of the users create documents and folders on their
> > >>>> "Desktop" (redirected to the DC) they are being created with UID 3000000, which
> > >>>> is not a configured UID. For example:
> > >>>>
> > >>>> $ ls -ltrn "/redirectedFolders/Users/matkeson/My Documents"
> > >>>> -rwxrwx---+ 1 3000045 100  27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
> > >>>> drwxrwx---+ 2 3000045 100   4096 2015-08-11 09:27 Correspondence/
> > >>>> -rwxrwx---+ 1 3000000 100  11423 2015-08-18 11:04 testMark.docx*
> > >>>>
> > >>>> This user's actual UID is 3000045, as created months ago via Windows RSAT.
> > >>>> Confirmed by:
> > >>>>
> > >>>> $ wbinfo -i matkeson
> > >>>> HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false
> > >>>>
> > >>>> I did recently upgrade Samba from the originally installed 4.1.0 to 4.1.17 a
> > >>>> couple of weeks ago, but I can't really confirm that is when the problem started
> > >>>> showing up.  I find files with this 3000000 UID on backups before the upgrade (I
> > >>>> think).
> > >>>>
> > >>>> This does not affect all users. I find 3 for sure it happens to and 3 for sure
> > >>>> it does not happen to.
> > >>>>
> > >>>> I do have "idmap_ldb:use rfc2307 = yes" set in smb.conf
> > >>>>
> > >>>> THX
> > >>>>
> >
>
>
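
Added example, not part of the original thread: a shell audit that finds every file in a redirected-folders tree whose owner differs from the UID winbind reports for that user, which is the symptom traced above to Administrators group membership. It assumes GNU find and one directory per account under the root, as in /redirectedFolders/Users; the function names and the `UID_LOOKUP` hook are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find (-printf) and one
# directory per user under ROOT, named after the account, as in
# /redirectedFolders/Users/<user>. UID_LOOKUP is a hypothetical test hook.

# uid_of USER: the UID winbind reports, i.e. field 3 of the passwd-style
# line printed by `wbinfo -i USER` (HPRS\matkeson:*:3000045:100:...).
uid_of() {
    ${UID_LOOKUP:-wbinfo -i} "$1" 2>/dev/null | cut -d: -f3
}

# audit_owner ROOT: print "user<TAB>expected_uid<TAB>actual_uid<TAB>path"
# for every file or directory not owned by the user whose tree it is in.
audit_owner() {
    root=$1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        user=$(basename "$dir")
        want=$(uid_of "$user")
        case $want in
            ''|*[!0-9]*) echo "skip $user: no UID from winbind" >&2; continue ;;
        esac
        find "$dir" ! -uid "$want" -printf '%U\t%p\n' |
            awk -v u="$user" -v w="$want" '{ print u "\t" w "\t" $0 }'
    done
}

# Run as: sh audit_owner.sh /redirectedFolders/Users
if [ "$#" -gt 0 ]; then
    audit_owner "$1"
fi
```

A UID in the third column can be translated back to a SID with `wbinfo --uid-to-sid=<uid>`; in this thread 3000000 was identified as S-1-5-32-544, the Administrators group.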


