[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
rpenny at samba.org
Wed Feb 17 19:53:03 UTC 2016
On 17/02/16 19:47, Ian wrote:
> On 2/17/2016 10:32 AM, Rowland penny wrote:
>> On 17/02/16 18:07, Ian wrote:
>>> Actually, that works for me too. I just issued the command 'chgrp
>>> "BUILTIN\administrators" CoreLib' and it returned successfully for that
>>> folder. 'ls -la' shows:
>>> d---------+ 2 MMIA\domain admins BUILTIN\administrators 5 Dec 8 11:59
>>> Note however, that it fails if I attempt to chown instead:
>>> [root at freenas] /mnt/trunk/MM/deploy# chown "BUILTIN\Administrators"
>>> chown: BUILTIN\Administrators: illegal user name
>>> I can chown to other domain groups successfully.
>> Normally a group cannot 'own' files etc, Unix uses ugo permissions and
>> when you chown a file you would use something like this:
> In unix, yes this is the case, however in Windows a group can. For
> instance, this works:
> chown 'DOMAIN\Domain Admins' CoreLib/
> ls -lad CoreLib:
> d---------+ 2 MMIA\domain admins BUILTIN\administrators 5 Dec 8 11:59
> Using kerberos and ldap, there doesn't seem to be anything stopping
> this. However, if I understand what you're saying, the BUILTIN\* users
> and groups are part of the unix system that Samba runs on, and thus some
> type of mapping must occur with "real" unix accounts. I'm still not
> clear where this mapping occurs though -- which account/group is it
> actually mapping to?
> What I don't get is why any of the BUILTIN\* users and groups would ever
> be assigned to a group in unix.
One word 'Sysvol'
> The group file attribute in unix is
> never used by Windows, however the owner is. If every BUILTIN\* group
> mapped to a user in unix, this all would work perfectly, no?
Yes, it does on a DC.