[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

L.P.H. van Belle belle at bazuin.nl
Wed Feb 17 13:14:00 UTC 2016


Rowland, 
If this is a DC.. and like me with config :   
     idmap config * : range = 2000-9999 

getent group BUILTIN\\Administrators
BUILTIN\Administrators:*:3000000: 


Looks like about the same problem. 

Greetz 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
> Verzonden: woensdag 17 februari 2016 14:00
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Can one set the owner of a folder to
> BUILTIN\Administrators?
> 
> On 17/02/16 00:03, Ian wrote:
> > I've recently attempted to migrate some windows server files over to
> > samba 4 hosted on a FreeNAS server.
> >
> > Using robocopy with the /copyall switch, I expected everything,
> > including ACL's and ownership information to transfer over.  For the
> > most part they have.  The one problem I've ran into however, is that I'm
> > getting errors any time I or robocopy attempt to change the ownership to
> > BUILTIN\Administrators.
> >
> > I've brought this up with the FreeNAS community, but so far it's unclear
> > if this is by design, there is a configuration issue somewhere, or
> > there's a bug.
> > https://forums.freenas.org/index.php?threads/ownership-issues-migrating-
> data-from-windows-to-freenas.41478/#post-265384
> >
> > When I attempt to change ownership to Builtin\Administrators, I get an
> > error that I don't have the Restore Privilege required, or if I have
> > inheritance enabled when changing ownership, "This security ID may not
> > be assigned as the owner of this object."
> >
> > As mentioned in that thread I linked to (lots more details there), I
> > verified that I do have the Restore Privilege right.  I also verified
> > that I can assign any other owner successfully -- it's just
> > Builtin\Administrators that's giving me trouble.
> >
> > After turning up the logging in the samba configuration file and
> > restarting the service, this was the output when I attempted to change
> > ownership:
> >
> >
> > [2016/02/16 15:33:02.077685,  3]
> > ../source3/smbd/vfs.c:1137(check_reduced_name)
> >    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
> > [2016/02/16 15:33:02.077890,  3]
> > ../source3/smbd/vfs.c:1267(check_reduced_name)
> >    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
> > [2016/02/16 15:33:02.078111,  3]
> ../source3/smbd/dosmode.c:163(unix_mode)
> >    unix_mode(CoreLib) returning 0666
> > [2016/02/16 15:33:02.080039,  3]
> > ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
> >    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
> > [2016/02/16 15:33:04.251911,  3]
> ../source3/smbd/service.c:1130(close_cnum)
> >    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to service
> IPC$
> >
> > Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
> > thread a decade old:
> > https://lists.samba.org/archive/samba-technical/2006-October/050007.html
> >
> > There was some discussion about sid/gid conflicts and ACLs with some
> > futher discussion about fixing it.   Since there's so little found when
> > Googling, I have to believe that this has been fixed since I would
> > expect there to be a lot more complaints from people like myself who are
> > migrating files from windows to samba.
> >
> > Any feedback is welcome, even if the advice is to change ownership to
> > something other than builtin\Administrators because that's broken.  :)
> >
> 
> Does 'getent group BUILTIN\\Administrators'  give any result ?
> If smb.conf is setup correctly, you should get something like:
> 
> BUILTIN\administrators:x:2001:
> 
> If you do not get anything, then you need to change smb.conf, in which
> case, can you post your smb.conf.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba





More information about the samba mailing list