[Samba] Samba4, idmap.ldb & ID_TYPE_BOTH
Rowland Penny
rowlandpenny at googlemail.com
Tue Feb 24 10:59:30 MST 2015
On 23/02/15 20:27, Rowland Penny wrote:
> On 22/02/15 01:02, Andrew Bartlett wrote:
>> On Sat, 2015-02-21 at 21:37 +0000, Rowland Penny wrote:
>>> On 21/02/15 19:26, Andrew Bartlett wrote:
>>>
>>>> On Thu, 2015-02-19 at 17:15 +0000, Rowland Penny wrote:
>>>>> This all leads me to my questions: why, when it comes to idmap.ldb,
>>>>> can a user also be a group and a group also be a user, and why was it
>>>>> set up like this in the first place? There must be a reason for it.
>>>> It goes like this:
>>>>
>>>> - Groups can own files (there are groups like domain administrators
>>>> that own files in sysvol)
>>> Does domain administrators own the files? As I posted earlier, trying
>>> to reset sysvol is failing for me and the relevant part of the ACL is
>>> this:
>>>
>>> O:LAG:DAD:P(A;OICI
>> I don't recall exactly which ACL on which file, but yes, an instance of
>> a group owning a file does exist in sysvol. That group is deliberately
>> left as having an ID assigned in idmap.ldb, not mapped to a system group
>> (if that is ever a good idea is another thread), for this reason.
>>
>>> This is the start of the ACL and if we expand it for better reading:
>>> 'O:LA' 'G:DA' 'D:P(A;OICI'. The first part is the owner, the second is
>>> the group and the third is the start of the ACEs. So the owner (O) is
>>> LA which is 'Local Administrator' and the group (G) is DA which is
>>> 'Domain Administrators'. As I read it, Domain Administrators doesn't
>>> own the files, or am I missing something?
>>>> - We don't (e.g. in sidHistory, or when files are migrated, preserving
>>>> permissions, from a workstation or from a domain that is not trusted)
>>>> always know if an incoming SID is a user or group.
>>> Does Windows know from the SID what the object is? And if not, what
>>> does Windows do?
>> In Windows, a SID is a SID, and there is no need to translate it to
>> anything else for access checking.
>>
>>>> - Working out if an arbitrary SID is a user or group takes time and
>>>> network operations, which may fail. ID_TYPE_BOTH is both fast and
>>>> deterministic in this respect.
>>> And in my opinion (which is worth very little) it is a kludge. Also,
>>> does a group actually try to connect (note, I do not know if this
>>> happens, which is why I am asking) and if so, how? A group doesn't
>>> have a password, so how can it authenticate?
>> At the large scale, everything that can happen, will happen, and it will
>> generate a support call. Better not to have situations where random
>> network issues can change the on-disk behaviour. A group can't
>> authenticate, but a user is of course a member of groups, and groups can
>> be assigned ownership of files.
>>
>>>> My view is that we should always have mapped SIDs to both a UID and
>>>> GID, and I understand that in general, we are doing that now in new
>>>> backends. See for example idmap_rid and idmap_autorid.
>>>>
>>>> The only tricky bit is that while a user can be put in an extra group
>>>> to pick up any permissions assigned to it as a group, a group can't get
>>>> user-based permissions, so can't obtain the extra rights associated
>>>> with file ownership.
>>> Again I ask, what file ownership? Can you please name a file that a
>>> Windows group owns? Sorry if I am coming across as negative here, but
>>> I am struggling to understand just how a group can own files. I am
>>> used to files belonging to a user and members of a group being allowed
>>> access to them.
>> You can, for instance, change the owner of a file to a group.
>>
>> Andrew Bartlett
>>
>
> OK, I have found out what files/directories are owned by a group in
> sysvol: *all* of them, at least on a Windows 2008r2 server they are.
>
> However on a Samba4 server, only the GPOs under the Policies dir do,
> they belong to the 'Domain Administrators' group. The problem is that
> on the Windows server they belong to the 'Administrators' group.
>
> On the Windows server you can change the ownership to Administrator
> and as only the GPOs belong to a group and the group's access settings
> come from the ACEs, is it possible that if the ownership of all files
> and directories in sysvol was changed to 'Administrator' everything
> would work just the same?
>
> Rowland
And in reply to myself, no it doesn't matter if you change the ownership
of *everything* in sysvol to 'Administrator', GPOs can still be created
and applied, so that's one reason for using ID_TYPE_BOTH gone out the
window. As for unknown SIDs trying to connect to the domain, surely
these will get rejected as unknown SIDs.
Rowland
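
Added example, not part of the original thread and not Samba code: a small Python parser for the SDDL layout described above (owner, group, then ACEs). It reports whether the owner alias names a user or a group, and `unknown` for a raw SID, the case where the type cannot be read from the string alone. The alias table is a chosen subset and the sample descriptors are constructed for illustration.

```python
import re

# SDDL two-letter SID aliases that can appear as sysvol owner/group, with
# the kind of principal each names (subset chosen for this example).
ALIASES = {
    "LA": ("Administrator", "user"),
    "DA": ("Domain Admins", "group"),
    "BA": ("BUILTIN\\Administrators", "group"),
}

SDDL_RE = re.compile(
    r"(?:O:(?P<owner>[A-Z]{2}|S-[0-9-]+))?"   # owner: alias or SID string
    r"(?:G:(?P<group>[A-Z]{2}|S-[0-9-]+))?"   # primary group
    r"(?:D:(?P<dflags>[A-Z]*)(?P<aces>(?:\([^()]*\))*))?"  # DACL flags, ACEs
    r"(?:S:.*)?"                               # SACL, not examined here
)
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")


def parse_sddl(sddl):
    """Return owner, group, DACL flags and a list of ACE dicts."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:  # e.g. a truncated string with an unclosed ACE
        raise ValueError("not a well-formed SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces") or ""):
        parts = body.split(";")
        if len(parts) != len(ACE_FIELDS):
            raise ValueError("ACE needs 6 fields: (%s)" % body)
        aces.append(dict(zip(ACE_FIELDS, parts)))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dflags") or "", "aces": aces}


def owner_kind(sddl):
    """'user', 'group', or 'unknown' when the string alone cannot tell."""
    owner = parse_sddl(sddl)["owner"]
    return ALIASES.get(owner, (owner, "unknown"))[1]


# Constructed sample descriptors (not the ACLs from the thread).
SAMPLES = {
    "owner is a user alias": "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)",
    "owner is a group alias": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)",
    "owner is a raw SID": "O:S-1-5-21-1111-2222-3333-1105G:DUD:(A;;FA;;;SY)",
}

if __name__ == "__main__":
    for label, sddl in SAMPLES.items():
        print(label, "->", owner_kind(sddl), parse_sddl(sddl)["aces"])
```

An owner reported as `group` is the situation where the POSIX side needs a uid for a group SID; `unknown` needs a directory lookup to resolve.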