[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Ian samba at zestysoft.com
Wed Feb 17 18:07:13 UTC 2016



On 2/17/2016 9:43 AM, Rowland penny wrote:
> On 17/02/16 17:27, Ian wrote:
>>
>> On 2/17/2016 5:00 AM, Rowland penny wrote:
>>> On 17/02/16 00:03, Ian wrote:
>>>> I've recently attempted to migrate some windows server files over to
>>>> samba 4 hosted on a FreeNAS server.
>>>>
>>>> Using robocopy with the /copyall switch, I expected everything,
>>>> including ACL's and ownership information to transfer over.  For the
>>>> most part they have.  The one problem I've ran into however, is
>>>> that I'm
>>>> getting errors any time I or robocopy attempt to change the
>>>> ownership to
>>>> BUILTIN\Administrators.
>>>>
>>>> I've brought this up with the FreeNAS community, but so far it's
>>>> unclear
>>>> if this is by design, there is a configuration issue somewhere, or
>>>> there's a bug.
>>>> https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>>>
>>>>
>>>>
>>>> When I attempt to change ownership to Builtin\Administrators, I get an
>>>> error that I don't have the Restore Privilege required, or if I have
>>>> inheritance enabled when changing ownership, "This security ID may not
>>>> be assigned as the owner of this object."
>>>>
>>>> As mentioned in that thread I linked to (lots more details there), I
>>>> verified that I do have the Restore Privilege right.  I also verified
>>>> that I can assign any other owner successfully -- it's just
>>>> Builtin\Administrators that's giving me trouble.
>>>>
>>>> After turning up the logging in the samba configuration file and
>>>> restarting the service, this was the output when I attempted to change
>>>> ownership:
>>>>
>>>>
>>>> [2016/02/16 15:33:02.077685,  3]
>>>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>>>     check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>>>> [2016/02/16 15:33:02.077890,  3]
>>>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>>>     check_reduced_name: CoreLib reduced to
>>>> /mnt/trunk/MM/deploy/CoreLib
>>>> [2016/02/16 15:33:02.078111,  3]
>>>> ../source3/smbd/dosmode.c:163(unix_mode)
>>>>     unix_mode(CoreLib) returning 0666
>>>> [2016/02/16 15:33:02.080039,  3]
>>>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>>>     unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>>>> [2016/02/16 15:33:04.251911,  3]
>>>> ../source3/smbd/service.c:1130(close_cnum)
>>>>     192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>>>> service IPC$
>>>>
>>>> Googling for "unable to validate owner sid for S-1-5-32-544" brings
>>>> up a
>>>> thread a decade old:
>>>> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>>>
>>>>
>>>> There was some discussion about sid/gid conflicts and ACLs with some
>>>> futher discussion about fixing it.   Since there's so little found
>>>> when
>>>> Googling, I have to believe that this has been fixed since I would
>>>> expect there to be a lot more complaints from people like myself
>>>> who are
>>>> migrating files from windows to samba.
>>>>
>>>> Any feedback is welcome, even if the advice is to change ownership to
>>>> something other than builtin\Administrators because that's broken.  :)
>>>>
>>> Does 'getent group BUILTIN\\Administrators'  give any result ?
>>> If smb.conf is setup correctly, you should get something like:
>>>
>>> BUILTIN\administrators:x:2001:
>>>
>>> If you do not get anything, then you need to change smb.conf, in which
>>> case, can you post your smb.conf.
>>>
>>> Rowland
>>>
>>>
>> Rowland,
>>
>> 'getent group BUILTIN\Administrators' returns nothing.  Yes, this is a
>> domain member, not AD.
>
> Well, I think that explains it, on a domain member in my domain, it
> returns a result and I (as root) can chgrp a file to
> 'BUILTIN\Administrators'

Actually, that works for me too.  I just issued the command 'chgrp
"BUILTIN\administrators" CoreLib' and it returned successfully for that
folder.  'ls -la' shows:
d---------+ 2 MMIA\domain admins  BUILTIN\administrators  5 Dec  8 11:59
CoreLib//

Note however, that it fails if I attempt to chown instead:
[root at freenas] /mnt/trunk/MM/deploy# chown "BUILTIN\Administrators" CoreLib
chown: BUILTIN\Administrators: illegal user name

I can chown to other domain groups successfully.
>
> I know very little about freebsd (I think freenas runs on freebsd) but
> does it use PAM ? because I think this is your problem, winbind isn't
> returning the BUILTIN info, is libnss_winbind setup ? does freenas use
> libnss_winbind ?
>

Yes Freebsd.  uname -a shows: "FreeBSD 9.3-RELEASE-p31"
smbstatus shows Samba version 4.1.21

I know it's using LDAP to talk to the DC since
/usr/local/etc/openldap.ldap.conf contains my DC's info. /etc/krb5.conf
also contains my domain's info, and inside of that is a setting for pam
(forwardable = true). /etc/nsswitch.conf shows:
group: files winbind
passwd: files winbind

there is a /etc/pam.d/samba file, so I'd have to say, yes pam is part of
the system here, and winbind is tied into that.

> Rowland
>
>>
>> My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
>> FreeNAS-9.3-STABLE-201602031011.  I believe the gui is the only
>> recommended way to alter it ( think any hand editing gets wiped at
>> reboot?). The only changes I've made through the GUI is to disable
>> oplocks for one of the shares [applied]. The share I've been testing
>> from however is [deploy].
>>
>> If it helps, 'net groupmap list verbose' returns this:
>>
>> Administrators
>>          SID       : S-1-5-32-544
>>          Unix gid  : 90000001
>>          Unix group: BUILTIN\administrators
>>          Group type: Local Group
>>          Comment   :
>> Users
>>          SID       : S-1-5-32-545
>>          Unix gid  : 90000002
>>          Unix group: BUILTIN\users
>>          Group type: Local Group
>>          Comment   :
>>
>> Here's the smb4.conf file contents:
>> [global]
>>      server max protocol = SMB2
>>      encrypt passwords = yes
>>      dns proxy = no
>>      strict locking = no
>>      oplocks = yes
>>      deadtime = 15
>>      max log size = 51200
>>      max open files = 942185
>>      load printers = no
>>      printing = bsd
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>      getwd cache = yes
>>      guest account = nobody
>>      map to guest = Bad User
>>      obey pam restrictions = yes
>>      directory name cache size = 0
>>      kernel change notify = no
>>      panic action = /usr/local/libexec/samba/samba-backtrace
>>      nsupdate command = /usr/local/bin/samba-nsupdate -g
>>      server string = FreeNAS Server
>>      ea support = yes
>>      store dos attributes = yes
>>      lm announce = yes
>>      hostname lookups = yes
>>      acl allow execute always = true
>>      acl check permissions = true
>>      dos filemode = yes
>>      multicast dns register = yes
>>      domain logons = no
>>      idmap config *: backend = tdb
>>      idmap config *: range = 90000001-100000000
>>      server role = member server
>>      netbios name = FREENAS
>>      workgroup = MMIA
>>      realm = INTRANET.MITCHELLANDMITCHELL.COM
>>      security = ADS
>>      client use spnego = yes
>>      cache directory = /var/tmp/.cache/.samba
>>      local master = no
>>      domain master = no
>>      preferred master = no
>>      ads dns update = yes
>>      winbind cache time = 7200
>>      winbind offline logon = yes
>>      winbind enum users = yes
>>      winbind enum groups = yes
>>      winbind nested groups = yes
>>      winbind use default domain = no
>>      winbind refresh tickets = yes
>>      idmap config MMIA: backend = rid
>>      idmap config MMIA: range = 20000-90000000
>>      allow trusted domains = no
>>      client ldap sasl wrapping = plain
>>      template shell = /bin/sh
>>      template homedir = /home/%D/%U
>>      pid directory = /var/run/samba
>>      create mask = 0666
>>      directory mask = 0777
>>      client ntlmv2 auth = yes
>>      dos charset = CP437
>>      unix charset = UTF-8
>>      log level = 1
>>
>>
>> [applied]
>>      path = /mnt/trunk/MM/applied
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>      veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/
>>
>>
>> [deploy]
>>      path = /mnt/trunk/MM/deploy
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [eim]
>>      path = /mnt/trunk/MM/applied/EIM
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [home]
>>      path = /mnt/trunk/MM/home
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [profiles]
>>      path = /mnt/trunk/MM/profiles
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [shared]
>>      path = /mnt/trunk/MM/shared
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> Appreciate any insight.  Note that this server is not "live" yet, so I'm
>> game to experiment with any ideas you may have.
>>
>>
>
>




More information about the samba mailing list