[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
Andrew Walker
walker.aj325 at gmail.com
Wed Feb 17 16:54:12 UTC 2016
My apologies. I initially responded to Rowland's email address rather than
the list address.
Based on original email, this is a FreeNAS server configured as an AD
member server. I believe the default smb.conf for a FreeNAS AD member
server contains the following:
[global]
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
unix extensions = no
acl allow execute always = true
acl check permissions = true
dos filemode = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
netbios name = FREENAS
workgroup = DOMAIN
realm = DOMAIN.COM
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = plain
pid directory = /var/run/samba
client ntlmv2 auth = yes
Never noticed this behavior before, but I never tried to change ownership
of files through windows explorer to BUILTIN\Administrators. On my AD
member server there are no entries for BUILTIN groups in the "getent group"
output.
However, "net groupmap list verbose" outputs the following:
Administrators
SID : S-1-5-32-544
Unix gid : 90000001
Unix group: BUILTIN\administrators
Group type: Local Group
Comment :
Users
SID : S-1-5-32-545
Unix gid : 90000002
Unix group: BUILTIN\users
Group type: Local Group
Comment :
There aren't any groupmap entries for the remaining BUILTIN groups. There
are no entries for BUILTIN groups in "getent group" output. Don't know if
this helps identify the problem.
On Wed, Feb 17, 2016 at 7:34 AM, Rowland penny <rpenny at samba.org> wrote:
> On 17/02/16 13:14, L.P.H. van Belle wrote:
>
>> Rowland,
>> If this is a DC.. and like me with config :
>> idmap config * : range = 2000-9999
>>
>> getent group BUILTIN\\Administrators
>> BUILTIN\Administrators:*:3000000:
>>
>>
>> Looks like about the same problem.
>>
>> Greetz
>>
>> Louis
>>
>>
> That is what I get on a DC, but what you have to understand is, idmap on a
> DC works differently from a domain member.
>
> A domain member asks winbind for 'BUILTIN\Administrators' ID, this is
> obtained from AD, assigned a local ID and stored in a .tdb file, the number
> that is assigned is based on the low range in 'idmap config *:'
>
> A DC is slightly different, IDs are stored in idmap.ldb and are based on a
> range that starts at 3000000.
>
> As far as I am aware, the idmap lines that you use on DC have no affect, I
> know that 'windbind use default domain' did work on a 4.2.x DC, but I think
> this was the only one of your lines that did. I will have to check my test
> DC to find out.
>
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
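The two mails above turn on where a SID's Unix ID comes from: on a member server the DOMAIN SIDs go through the rid backend (deterministic arithmetic), while everything else, BUILTIN\Administrators included, is allocated sequentially by the tdb backend from the "idmap config *" range. The script below is an added example, not code from the thread, FreeNAS or Samba: it parses the idmap lines of an smb.conf and the output of "net groupmap list verbose" and reports, for each group, which range should have produced its gid. It assumes the idmap_rid rule gid = low range + RID (default base rid of 0), a hypothetical domain SID, and a constructed "Domain Admins" entry added to the two BUILTIN entries quoted in the mail.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the mail.
SMB_CONF = """\
[global]
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config DOMAIN: backend = rid
    idmap config DOMAIN: range = 20000-90000000
"""

# Hypothetical domain SID (not from the mail); only its shape matters.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample: the two BUILTIN entries quoted in the mail, plus one
# hypothetical domain group to show the rid backend's arithmetic.
GROUPMAP_OUTPUT = """\
Administrators
    SID       : S-1-5-32-544
    Unix gid  : 90000001
    Unix group: BUILTIN\\administrators
    Group type: Local Group
    Comment   :
Users
    SID       : S-1-5-32-545
    Unix gid  : 90000002
    Unix group: BUILTIN\\users
    Group type: Local Group
    Comment   :
Domain Admins
    SID       : S-1-5-21-1111111111-2222222222-3333333333-512
    Unix gid  : 20512
    Unix group: domain admins
    Group type: Domain Group
    Comment   :
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap(conf_text):
    """Map each idmap domain ('*' or a name, upper-cased) to its backend and (low, high) range."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-", 1)
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val.lower()
    return cfg


def parse_groupmap(text):
    """Turn 'net groupmap list verbose' output into a list of dicts.
    A line without leading whitespace starts a new entry; indented lines are 'field : value'."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {"name": line.strip()}
            entries.append(current)
        elif current is not None and ":" in line:
            key, val = line.split(":", 1)
            current[key.strip().lower()] = val.strip()
    return entries


def explain_gid(sid, gid, cfg, domain_name, domain_sid):
    """Say which idmap range produced gid for sid.
    rid backend: gid = low + RID (idmap_rid with the default base rid of 0), so the
    value is deterministic and can be checked exactly.
    '*' tdb backend: IDs are handed out sequentially from the low end of its range,
    so only range membership can be checked; BUILTIN SIDs (S-1-5-32-*) land here."""
    if sid.startswith(domain_sid + "-") and domain_name in cfg:
        low, high = cfg[domain_name]["range"]
        rid = int(sid.rsplit("-", 1)[1])
        expected = low + rid
        return {"backend": cfg[domain_name]["backend"], "expected_gid": expected,
                "ok": expected == gid and low <= gid <= high}
    low, high = cfg["*"]["range"]
    return {"backend": cfg["*"]["backend"], "expected_gid": None, "ok": low <= gid <= high}


def audit(conf_text, groupmap_text, domain_name, domain_sid):
    """Return {group name: explanation} for every groupmap entry."""
    cfg = parse_idmap(conf_text)
    report = {}
    for e in parse_groupmap(groupmap_text):
        gid = int(e["unix gid"])
        report[e["name"]] = explain_gid(e["sid"], gid, cfg, domain_name.upper(), domain_sid)
    return report


if __name__ == "__main__":
    for name, info in audit(SMB_CONF, GROUPMAP_OUTPUT, "DOMAIN", DOMAIN_SID).items():
        print(f"{name:15} backend={info['backend']:4} expected={info['expected_gid']} ok={info['ok']}")
```

Run against the constructed input it reports both BUILTIN groups as tdb allocations sitting inside the 90000001-100000000 range (which is exactly why they show up at 90000001 and 90000002 in the mail) and the domain group as a rid mapping whose gid equals 20000 + 512. Feeding it a real smb.conf and real "net groupmap list verbose" output is a quick way to spot a BUILTIN gid that has drifted outside the "*" range or a domain gid that does not match the rid arithmetic, both of which point at a stale idmap tdb rather than at the ACL.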