[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Rowland penny rpenny at samba.org
Wed Feb 17 13:00:15 UTC 2016


On 17/02/16 00:03, Ian wrote:
> I've recently attempted to migrate some Windows server files over to
> Samba 4 hosted on a FreeNAS server.
>
> Using robocopy with the /copyall switch, I expected everything,
> including ACLs and ownership information to transfer over.  For the
> most part they have.  The one problem I've run into however, is that I'm
> getting errors any time I or robocopy attempt to change the ownership to
> BUILTIN\Administrators.
>
> I've brought this up with the FreeNAS community, but so far it's unclear
> if this is by design, there is a configuration issue somewhere, or
> there's a bug.
> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>
> When I attempt to change ownership to Builtin\Administrators, I get an
> error that I don't have the Restore Privilege required, or if I have
> inheritance enabled when changing ownership, "This security ID may not
> be assigned as the owner of this object."
>
> As mentioned in that thread I linked to (lots more details there), I
> verified that I do have the Restore Privilege right.  I also verified
> that I can assign any other owner successfully -- it's just
> Builtin\Administrators that's giving me trouble.
>
> After turning up the logging in the samba configuration file and
> restarting the service, this was the output when I attempted to change
> ownership:
>
>
> [2016/02/16 15:33:02.077685,  3]
> ../source3/smbd/vfs.c:1137(check_reduced_name)
>    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
> [2016/02/16 15:33:02.077890,  3]
> ../source3/smbd/vfs.c:1267(check_reduced_name)
>    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
> [2016/02/16 15:33:02.078111,  3] ../source3/smbd/dosmode.c:163(unix_mode)
>    unix_mode(CoreLib) returning 0666
> [2016/02/16 15:33:02.080039,  3]
> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
> [2016/02/16 15:33:04.251911,  3] ../source3/smbd/service.c:1130(close_cnum)
>    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to service IPC$
>
> Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
> thread a decade old:
> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>
> There was some discussion about sid/gid conflicts and ACLs with some
> further discussion about fixing it.   Since there's so little found when
> Googling, I have to believe that this has been fixed since I would
> expect there to be a lot more complaints from people like myself who are
> migrating files from Windows to Samba.
>
> Any feedback is welcome, even if the advice is to change ownership to
> something other than builtin\Administrators because that's broken.  :)
>

Does 'getent group BUILTIN\\Administrators' give any result?
If smb.conf is set up correctly, you should get something like:

BUILTIN\administrators:x:2001:

If you do not get anything, then you need to change smb.conf, in which
case, can you post your smb.conf?

Rowland
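
The check suggested in the reply, extended to every SID that smbd logged as unresolvable (an added example, not part of the original message or of Samba's own tooling). The sample log reuses the message quoted above plus one constructed domain SID; the mapping step assumes `wbinfo` is installed and winbindd is running.

```shell
#!/bin/sh
# Added example: find owner SIDs smbd could not validate, then ask
# winbind whether each one maps to a Unix gid.

# Print the unique SIDs from "unable to validate owner sid" messages.
# Reads the files given as arguments, or stdin when there are none.
unresolved_sids() {
    sed -n 's/.*unable to validate owner sid for \(S-[0-9-]*\).*/\1/p' "$@" |
        sort -u
}

# Report whether one SID has a gid mapping. Returns 0 if mapped,
# 1 if not mapped, 2 if wbinfo is unavailable.
check_sid() {
    sid=$1
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "$sid: wbinfo not found, cannot check mapping"
        return 2
    fi
    if gid=$(wbinfo --sid-to-gid="$sid" 2>/dev/null); then
        name=$(getent group "$gid" | cut -d: -f1)
        echo "$sid: gid $gid (${name:-no NSS entry})"
    else
        echo "$sid: no gid mapping, smb.conf needs review"
        return 1
    fi
}

# Sample input: the first message is the one quoted in this thread;
# the second SID is constructed for illustration.
sample_log() {
    cat <<'EOF'
[2016/02/16 15:33:02.080039,  3] ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
[2016/02/16 15:33:05.000000,  3] ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
[2016/02/16 15:33:06.000000,  3] ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-21-1111111111-2222222222-3333333333-512
EOF
}

# With a readable log file as $1, check that file; otherwise use the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    sids=$(unresolved_sids "$1")
else
    sids=$(sample_log | unresolved_sids)
fi
for sid in $sids; do
    check_sid "$sid" || true
done
```

A SID that reports no gid mapping here is one that smbd cannot assign as a file owner, which matches the `unpack_nt_owners` failure in the quoted log.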
