[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Ian samba at zestysoft.com
Wed Feb 17 17:27:18 UTC 2016 


On 2/17/2016 5:00 AM, Rowland penny wrote:
> On 17/02/16 00:03, Ian wrote:
>> I've recently attempted to migrate some windows server files over to
>> samba 4 hosted on a FreeNAS server.
>>
>> Using robocopy with the /copyall switch, I expected everything,
>> including ACL's and ownership information to transfer over.  For the
>> most part they have.  The one problem I've ran into however, is that I'm
>> getting errors any time I or robocopy attempt to change the ownership to
>> BUILTIN\Administrators.
>>
>> I've brought this up with the FreeNAS community, but so far it's unclear
>> if this is by design, there is a configuration issue somewhere, or
>> there's a bug.
>> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>
>>
>> When I attempt to change ownership to Builtin\Administrators, I get an
>> error that I don't have the Restore Privilege required, or if I have
>> inheritance enabled when changing ownership, "This security ID may not
>> be assigned as the owner of this object."
>>
>> As mentioned in that thread I linked to (lots more details there), I
>> verified that I do have the Restore Privilege right.  I also verified
>> that I can assign any other owner successfully -- it's just
>> Builtin\Administrators that's giving me trouble.
>>
>> After turning up the logging in the samba configuration file and
>> restarting the service, this was the output when I attempted to change
>> ownership:
>>
>>
>> [2016/02/16 15:33:02.077685,  3]
>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>> [2016/02/16 15:33:02.077890,  3]
>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>> [2016/02/16 15:33:02.078111,  3]
>> ../source3/smbd/dosmode.c:163(unix_mode)
>>    unix_mode(CoreLib) returning 0666
>> [2016/02/16 15:33:02.080039,  3]
>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>> [2016/02/16 15:33:04.251911,  3]
>> ../source3/smbd/service.c:1130(close_cnum)
>>    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>> service IPC$
>>
>> Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
>> thread a decade old:
>> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>
>> There was some discussion about sid/gid conflicts and ACLs with some
>> futher discussion about fixing it.   Since there's so little found when
>> Googling, I have to believe that this has been fixed since I would
>> expect there to be a lot more complaints from people like myself who are
>> migrating files from windows to samba.
>>
>> Any feedback is welcome, even if the advice is to change ownership to
>> something other than builtin\Administrators because that's broken.  :)
>>
>
> Does 'getent group BUILTIN\\Administrators'  give any result ?
> If smb.conf is setup correctly, you should get something like:
>
> BUILTIN\administrators:x:2001:
>
> If you do not get anything, then you need to change smb.conf, in which
> case, can you post your smb.conf.
>
> Rowland
>
>
Rowland,

'getent group BUILTIN\Administrators' returns nothing.  Yes, this is a
domain member, not AD.

My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
FreeNAS-9.3-STABLE-201602031011.  I believe the gui is the only
recommended way to alter it ( think any hand editing gets wiped at
reboot?). The only changes I've made through the GUI is to disable
oplocks for one of the shares [applied]. The share I've been testing
from however is [deploy].

If it helps, 'net groupmap list verbose' returns this:

Administrators
        SID       : S-1-5-32-544
        Unix gid  : 90000001
        Unix group: BUILTIN\administrators
        Group type: Local Group
        Comment   :
Users
        SID       : S-1-5-32-545
        Unix gid  : 90000002
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment   :

Here's the smb4.conf file contents:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942185
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = FREENAS
    workgroup = MMIA
    realm = INTRANET.MITCHELLANDMITCHELL.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config MMIA: backend = rid
    idmap config MMIA: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1


[applied]
    path = /mnt/trunk/MM/applied
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/


[deploy]
    path = /mnt/trunk/MM/deploy
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[eim]
    path = /mnt/trunk/MM/applied/EIM
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[home]
    path = /mnt/trunk/MM/home
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[profiles]
    path = /mnt/trunk/MM/profiles
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[shared]
    path = /mnt/trunk/MM/shared
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


Appreciate any insight.  Note that this server is not "live" yet, so I'm
game to experiment with any ideas you may have.

More information about the samba mailing list