[Samba] Samba4, idmap.ldb & ID_TYPE_BOTH
Rowland Penny
rowlandpenny at googlemail.com
Thu Feb 19 10:15:26 MST 2015
OK, there is a discussion over on samba-technical about nss_winbind, and
the question of Administrator being mapped to 0 was raised. Now I have
always thought that it should be, but in fairness I decided to see what
happens when it isn't, so I removed Administrator from idmap.ldb and
restarted samba. Before restarting samba, I checked a few things; on the
DC, getfacl returned this for /var/lib/samba/sysvol/:
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
And the settings as seen from a windows client:
Share permissions: Everyone
Security:
root
Authenticated Users
Server Operators (EXAMPLE\Server Operators)
SYSTEM
After samba restarted, I went to the sysvol permissions on a windows client
as Administrator, but couldn't change anything, as the 'Add' button was
greyed out; going to the 'share permissions' tab and adding Administrator
with full permissions cured this.
Once this was done, getfacl now returns:
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: EXAMPLE\134Administrator
# group: 3000000
user::rwx
user:3000000:rwx    S-1-5-32-544  Administrators group
user:3000001:r-x    S-1-5-32-549  Server Operators builtin group
user:3000002:rwx    S-1-5-18      Local System account
user:3000003:r-x    S-1-5-11      Authenticated Users group
user:EXAMPLE\134Administrator:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:user:EXAMPLE\134Administrator:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
'root' had been replaced with 'EXAMPLE\134Administrator'.
Now this led me to start thinking: why is a user also a group, and
vice-versa?
Checking idmap.ldb, I found that the 4 users/groups?? were all described
as 'ID_TYPE_BOTH', so I altered them to be what they actually are, i.e. a
UID or GID, reset sysvol with 'samba-tool ntacl sysvolreset', and getfacl
now returns:
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: EXAMPLE\134Administrator
# group: 3000000
user::rwx
user:3000002:rwx
user:EXAMPLE\134Administrator:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:EXAMPLE\134Administrator:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000003:r-x
default:mask::rwx
default:other::---
Which, to me, is more like what Windows expects it to be.
What the numbers mean:
3000002 = S-1-5-18 Local System account
3000000 = S-1-5-32-544 Administrators group
3000001 = S-1-5-32-549 Server Operators builtin group
3000003 = S-1-5-11 Authenticated Users group
This all leads me to my questions: why, when it comes to idmap.ldb, can
a user also be a group and a group also be a user, and why was it set up
like this in the first place? There must be a reason for it.
Rowland
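The effect Rowland describes can be checked mechanically: an xid that was allocated with ID_TYPE_BOTH shows up in the POSIX ACL as both a named user entry and a named group entry, while a UID- or GID-only mapping shows up under one tag only. The script below is an added example, not code from the post or from the Samba project: it parses getfacl output (decoding getfacl's `\ooo` octal escapes, which is why the listing shows `EXAMPLE\134Administrator`), resolves the numeric xids through the SID table given at the end of the post, and lists which IDs are dual-mapped. The two sample listings are the access ACL lines from the second and third getfacl outputs in the post (default entries omitted); the xids in the table are the ones Samba happened to allocate on this DC, not fixed values.

```python
import re
from collections import defaultdict

# SID table exactly as given in the post ("What the numbers mean").
XID_TO_SID = {
    "3000000": ("S-1-5-32-544", "Administrators group"),
    "3000001": ("S-1-5-32-549", "Server Operators builtin group"),
    "3000002": ("S-1-5-18", "Local System account"),
    "3000003": ("S-1-5-11", "Authenticated Users group"),
}

# getfacl prints special characters (here the backslash) as \ooo octal escapes.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_getfacl(name):
    """Decode getfacl escapes: 'EXAMPLE\\134Administrator' -> 'EXAMPLE\\Administrator'."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse one getfacl listing into (is_default, tag, qualifier, perms) tuples.

    '# owner:' style comments and the 'Removing leading /' notice are skipped;
    anything after the permission field (hand-written annotations) is ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        tag, qualifier, perms = parts
        perms = perms.split()[0] if perms.strip() else ""
        entries.append((is_default, tag, unescape_getfacl(qualifier), perms))
    return entries


def id_roles(entries):
    """Map each named qualifier to the set of tags ('user'/'group') it appears under."""
    roles = defaultdict(set)
    for _is_default, tag, qualifier, _perms in entries:
        if tag in ("user", "group") and qualifier:
            roles[qualifier].add(tag)
    return dict(roles)


def find_dual_mapped_ids(entries):
    """IDs present as both a named user and a named group: the ID_TYPE_BOTH symptom."""
    return sorted(q for q, tags in id_roles(entries).items() if tags == {"user", "group"})


def report(entries):
    """One line per mapped ID: how it appears in the ACL and which SID it stands for."""
    lines = []
    for qualifier, tags in sorted(id_roles(entries).items()):
        sid, desc = XID_TO_SID.get(qualifier, ("-", "not in the post's table"))
        kind = "user+group (ID_TYPE_BOTH)" if tags == {"user", "group"} else next(iter(tags))
        lines.append(f"{qualifier:<24} {kind:<26} {sid:<13} {desc}")
    return lines


# Access ACL from the post's second listing (all four xids still ID_TYPE_BOTH).
BEFORE_LISTING = r"""# file: var/lib/samba/sysvol/
# owner: EXAMPLE\134Administrator
# group: 3000000
user::rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
user:EXAMPLE\134Administrator:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""

# Access ACL from the post's third listing (after changing the idmap types and sysvolreset).
AFTER_LISTING = r"""# file: var/lib/samba/sysvol/
# owner: EXAMPLE\134Administrator
# group: 3000000
user::rwx
user:3000002:rwx
user:EXAMPLE\134Administrator:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000003:r-x
mask::rwx
other::---
"""

if __name__ == "__main__":
    for label, listing in (("before", BEFORE_LISTING), ("after", AFTER_LISTING)):
        print(f"--- {label}: dual-mapped ids = {find_dual_mapped_ids(parse_getfacl(listing))}")
        print("\n".join(report(parse_getfacl(listing))))
```

Run against the "before" listing it reports all four xids as user+group; against the "after" listing only the Local System account (S-1-5-18) is a user entry and the three groups are group entries, which is the shape Rowland says Windows expects.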