[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Andrew Walker walker.aj325 at gmail.com
Wed Feb 17 16:54:12 UTC 2016

My apologies. I initially responded to Rowland's email address rather than
the list address.

Based on original email, this is a FreeNAS server configured as an AD
member server. I believe the default smb.conf for a FreeNAS AD member
server contains the following:
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    unix extensions = no
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = FREENAS
    workgroup = DOMAIN
    realm = DOMAIN.COM <http://domain.com/>
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    idmap config DOMAIN: backend = rid
    idmap config DOMAIN: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    pid directory = /var/run/samba
    client ntlmv2 auth = yes

Never noticed this behavior before, but I never tried to change ownership
of files through windows explorer to BUILTIN\Administrators. On my my AD
member server there are no entries for BUILTIN groups in the "getent group"

However, "net groupmap list verbose" outputs the following:
        SID       : S-1-5-32-544
        Unix gid  : 90000001
        Unix group: BUILTIN\administrators
        Group type: Local Group
        Comment   :
        SID       : S-1-5-32-545
        Unix gid  : 90000002
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment   :

There aren't any groupmap entries for the remaining BUILTIN groups. There
are no entries for BUILTIN groups in "getent group" output. Don't know if
this helps identify the problem.

On Wed, Feb 17, 2016 at 7:34 AM, Rowland penny <rpenny at samba.org> wrote:

> On 17/02/16 13:14, L.P.H. van Belle wrote:
>> Rowland,
>> If this is a DC.. and like me with config :
>>       idmap config * : range = 2000-9999
>> getent group BUILTIN\\Administrators
>> BUILTIN\Administrators:*:3000000:
>> Looks like about the same problem.
>> Greetz
>> Louis
> That is what I get on a DC, but what you have to understand is, idmap on a
> DC works differently from a domain member.
> A domain member asks winbind for 'BUILTIN\Administrators' ID, this is
> obtained from AD, assigned a local ID and stored in a .tdb file, the number
> that is assigned is based on the low range in 'idmap config *:'
> A DC is slightly different, IDs are stored in idmap.ldb and are based on a
> range that starts at 3000000.
> As far as I am aware, the idmap lines that you use on DC have no affect, I
> know that 'windbind use default domain' did work on a 4.2.x DC, but I think
> this was the only one of your lines that did. I will have to check my test
> DC to find out.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list