[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
Rowland penny
rpenny at samba.org
Wed Feb 17 17:43:36 UTC 2016
On 17/02/16 17:27, Ian wrote:
>
> On 2/17/2016 5:00 AM, Rowland penny wrote:
>> On 17/02/16 00:03, Ian wrote:
>>> I've recently attempted to migrate some windows server files over to
>>> samba 4 hosted on a FreeNAS server.
>>>
>>> Using robocopy with the /copyall switch, I expected everything,
>>> including ACLs and ownership information to transfer over. For the
>>> most part they have. The one problem I've run into, however, is that I'm
>>> getting errors any time I or robocopy attempt to change the ownership to
>>> BUILTIN\Administrators.
>>>
>>> I've brought this up with the FreeNAS community, but so far it's unclear
>>> if this is by design, there is a configuration issue somewhere, or
>>> there's a bug.
>>> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>>
>>>
>>> When I attempt to change ownership to Builtin\Administrators, I get an
>>> error that I don't have the Restore Privilege required, or if I have
>>> inheritance enabled when changing ownership, "This security ID may not
>>> be assigned as the owner of this object."
>>>
>>> As mentioned in that thread I linked to (lots more details there), I
>>> verified that I do have the Restore Privilege right. I also verified
>>> that I can assign any other owner successfully -- it's just
>>> Builtin\Administrators that's giving me trouble.
>>>
>>> After turning up the logging in the samba configuration file and
>>> restarting the service, this was the output when I attempted to change
>>> ownership:
>>>
>>>
>>> [2016/02/16 15:33:02.077685, 3]
>>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>> check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>>> [2016/02/16 15:33:02.077890, 3]
>>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>> check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>>> [2016/02/16 15:33:02.078111, 3]
>>> ../source3/smbd/dosmode.c:163(unix_mode)
>>> unix_mode(CoreLib) returning 0666
>>> [2016/02/16 15:33:02.080039, 3]
>>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>> unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>>> [2016/02/16 15:33:04.251911, 3]
>>> ../source3/smbd/service.c:1130(close_cnum)
>>> 192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>>> service IPC$
>>>
>>> Googling for "unable to validate owner sid for S-1-5-32-544" brings up a
>>> thread a decade old:
>>> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>>
>>> There was some discussion about sid/gid conflicts and ACLs with some
>>> further discussion about fixing it. Since there's so little found when
>>> Googling, I have to believe that this has been fixed since I would
>>> expect there to be a lot more complaints from people like myself who are
>>> migrating files from windows to samba.
>>>
>>> Any feedback is welcome, even if the advice is to change ownership to
>>> something other than builtin\Administrators because that's broken. :)
>>>
>> Does 'getent group BUILTIN\\Administrators' give any result?
>> If smb.conf is setup correctly, you should get something like:
>>
>> BUILTIN\administrators:x:2001:
>>
>> If you do not get anything, then you need to change smb.conf, in which
>> case, can you post your smb.conf?
>>
>> Rowland
>>
>>
> Rowland,
>
> 'getent group BUILTIN\Administrators' returns nothing. Yes, this is a
> domain member, not AD.
Well, I think that explains it: on a domain member in my domain, it
returns a result and I (as root) can chgrp a file to
'BUILTIN\Administrators'.
I know very little about FreeBSD (I think FreeNAS runs on FreeBSD), but
does it use PAM? Because I think this is your problem: winbind isn't
returning the BUILTIN info. Is libnss_winbind set up? Does FreeNAS use
libnss_winbind?
Rowland
>
> My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
> FreeNAS-9.3-STABLE-201602031011. I believe the GUI is the only
> recommended way to alter it (I think any hand editing gets wiped at
> reboot?). The only change I've made through the GUI is to disable
> oplocks for one of the shares [applied]. The share I've been testing
> from, however, is [deploy].
>
> If it helps, 'net groupmap list verbose' returns this:
>
> Administrators
> SID : S-1-5-32-544
> Unix gid : 90000001
> Unix group: BUILTIN\administrators
> Group type: Local Group
> Comment :
> Users
> SID : S-1-5-32-545
> Unix gid : 90000002
> Unix group: BUILTIN\users
> Group type: Local Group
> Comment :
>
> Here's the smb4.conf file contents:
> [global]
> server max protocol = SMB2
> encrypt passwords = yes
> dns proxy = no
> strict locking = no
> oplocks = yes
> deadtime = 15
> max log size = 51200
> max open files = 942185
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> getwd cache = yes
> guest account = nobody
> map to guest = Bad User
> obey pam restrictions = yes
> directory name cache size = 0
> kernel change notify = no
> panic action = /usr/local/libexec/samba/samba-backtrace
> nsupdate command = /usr/local/bin/samba-nsupdate -g
> server string = FreeNAS Server
> ea support = yes
> store dos attributes = yes
> lm announce = yes
> hostname lookups = yes
> acl allow execute always = true
> acl check permissions = true
> dos filemode = yes
> multicast dns register = yes
> domain logons = no
> idmap config *: backend = tdb
> idmap config *: range = 90000001-100000000
> server role = member server
> netbios name = FREENAS
> workgroup = MMIA
> realm = INTRANET.MITCHELLANDMITCHELL.COM
> security = ADS
> client use spnego = yes
> cache directory = /var/tmp/.cache/.samba
> local master = no
> domain master = no
> preferred master = no
> ads dns update = yes
> winbind cache time = 7200
> winbind offline logon = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = no
> winbind refresh tickets = yes
> idmap config MMIA: backend = rid
> idmap config MMIA: range = 20000-90000000
> allow trusted domains = no
> client ldap sasl wrapping = plain
> template shell = /bin/sh
> template homedir = /home/%D/%U
> pid directory = /var/run/samba
> create mask = 0666
> directory mask = 0777
> client ntlmv2 auth = yes
> dos charset = CP437
> unix charset = UTF-8
> log level = 1
>
>
> [applied]
> path = /mnt/trunk/MM/applied
> printable = no
> veto files = /.snapshot/.windows/.mac/.zfs/
> writeable = yes
> browseable = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:localtime = yes
> shadow:format = auto-%Y%m%d.%H%M-1w
> shadow:snapdirseverywhere = yes
> vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
> hide dot files = yes
> guest ok = no
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = true
> zfsacl:acesort = dontcare
> veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/
>
>
> [deploy]
> path = /mnt/trunk/MM/deploy
> printable = no
> veto files = /.snapshot/.windows/.mac/.zfs/
> writeable = yes
> browseable = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:localtime = yes
> shadow:format = auto-%Y%m%d.%H%M-1w
> shadow:snapdirseverywhere = yes
> vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
> hide dot files = yes
> guest ok = no
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = true
> zfsacl:acesort = dontcare
>
>
> [eim]
> path = /mnt/trunk/MM/applied/EIM
> printable = no
> veto files = /.snapshot/.windows/.mac/.zfs/
> writeable = yes
> browseable = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:localtime = yes
> shadow:format = auto-%Y%m%d.%H%M-1w
> shadow:snapdirseverywhere = yes
> vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
> hide dot files = yes
> guest ok = no
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = true
> zfsacl:acesort = dontcare
>
>
> [home]
> path = /mnt/trunk/MM/home
> printable = no
> veto files = /.snapshot/.windows/.mac/.zfs/
> writeable = yes
> browseable = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:localtime = yes
> shadow:format = auto-%Y%m%d.%H%M-1w
> shadow:snapdirseverywhere = yes
> vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
> hide dot files = yes
> guest ok = no
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = true
> zfsacl:acesort = dontcare
>
>
> [profiles]
> path = /mnt/trunk/MM/profiles
> printable = no
> veto files = /.snapshot/.windows/.mac/.zfs/
> writeable = yes
> browseable = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:localtime = yes
> shadow:format = auto-%Y%m%d.%H%M-1w
> shadow:snapdirseverywhere = yes
> vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
> hide dot files = yes
> guest ok = no
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = true
> zfsacl:acesort = dontcare
>
>
> [shared]
> path = /mnt/trunk/MM/shared
> printable = no
> veto files = /.snapshot/.windows/.mac/.zfs/
> writeable = yes
> browseable = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:localtime = yes
> shadow:format = auto-%Y%m%d.%H%M-1w
> shadow:snapdirseverywhere = yes
> vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
> hide dot files = yes
> guest ok = no
> nfs4:mode = special
> nfs4:acedup = merge
> nfs4:chown = true
> zfsacl:acesort = dontcare
>
>
> Appreciate any insight. Note that this server is not "live" yet, so I'm
> game to experiment with any ideas you may have.
>
>
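The check Rowland is asking for, as an added example that is not part of the thread: cross-reference the 'net groupmap list verbose' output Ian posted against 'getent group' output and the default-domain idmap range from the posted smb4.conf, and report the SIDs whose Unix group NSS cannot resolve. The getent sample below is constructed (it assumes only BUILTIN\users resolves, to reproduce the "unable to validate owner sid for S-1-5-32-544" condition); the parsers assume the output layouts exactly as quoted in the thread.

```python
import re

# Constructed sample input, copied from the 'net groupmap list verbose' output in the thread.
GROUPMAP_OUTPUT = """\
Administrators
SID : S-1-5-32-544
Unix gid : 90000001
Unix group: BUILTIN\\administrators
Group type: Local Group
Comment :
Users
SID : S-1-5-32-545
Unix gid : 90000002
Unix group: BUILTIN\\users
Group type: Local Group
Comment :
"""

# Constructed sample input: 'getent group' where libnss_winbind resolves only one BUILTIN group.
GETENT_OUTPUT = """\
wheel:*:0:root
BUILTIN\\users:x:90000002:
"""

# The 'idmap config *: range' value from the posted smb4.conf (where the BUILTIN gids come from).
IDMAP_RANGE = "90000001-100000000"

GROUPMAP_RE = re.compile(
    r"SID\s*:\s*(?P<sid>S-[\d-]+)\s*"
    r"Unix gid\s*:\s*(?P<gid>\d+)\s*"
    r"Unix group\s*:\s*(?P<group>\S+)")

def parse_groupmap(text):
    """Map SID -> (unix group name, gid) from 'net groupmap list verbose' output."""
    return {m["sid"]: (m["group"], int(m["gid"])) for m in GROUPMAP_RE.finditer(text)}

def parse_getent(text):
    """Index 'getent group' lines (name:pw:gid:members) by lowercase name and by gid."""
    by_name, by_gid = {}, {}
    for fields in (line.split(":") for line in text.splitlines()):
        if len(fields) >= 3:
            by_name[fields[0].lower()] = int(fields[2])
            by_gid[int(fields[2])] = fields[0]
    return by_name, by_gid

def unresolved_sids(groupmap_text, getent_text, idmap_range):
    """Return {sid: reason} for group mappings that smbd could not validate as an owner."""
    by_name, by_gid = parse_getent(getent_text)
    lo, hi = (int(x) for x in idmap_range.split("-"))
    problems = {}
    for sid, (group, gid) in parse_groupmap(groupmap_text).items():
        if not lo <= gid <= hi:
            problems[sid] = f"gid {gid} outside idmap range {idmap_range}"
        elif group.lower() not in by_name and gid not in by_gid:
            problems[sid] = f"{group} (gid {gid}) not resolvable through NSS"
    return problems
```

On a real member server, replace the constructed strings with the live command output; an empty result means both BUILTIN groups resolve and the ownership change should not fail on the SID lookup.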