[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Rowland penny rpenny at samba.org
Wed Feb 17 19:53:03 UTC 2016


On 17/02/16 19:47, Ian wrote:
> On 2/17/2016 10:32 AM, Rowland penny wrote:
>> On 17/02/16 18:07, Ian wrote:
>>> Actually, that works for me too.  I just issued the command 'chgrp
>>> "BUILTIN\administrators" CoreLib' and it returned successfully for that
>>> folder.  'ls -la' shows:
>>> d---------+ 2 MMIA\domain admins  BUILTIN\administrators  5 Dec  8 11:59
>>> CoreLib//
>>>
>>> Note however, that it fails if I attempt to chown instead:
>>> [root at freenas] /mnt/trunk/MM/deploy# chown "BUILTIN\Administrators"
>>> CoreLib
>>> chown: BUILTIN\Administrators: illegal user name
>>>
>>> I can chown to other domain groups successfully.
>> Normally a group cannot 'own' files etc, Unix uses ugo permissions and
>> when you chown a file you would use something like this:
> In unix, yes this is the case, however in Windows a group can.  For
> instance, this works:
> chown 'DOMAIN\Domain Admins' CoreLib/
> ls -lad CoreLib:
> d---------+ 2 MMIA\domain admins  BUILTIN\administrators  5 Dec  8 11:59
> CoreLib//
>
> Using kerberos and ldap, there doesn't seem to be anything stopping
> this.  However, if I understand what you're saying, the BUILTIN\* users
> and groups are part of the unix system that Samba runs on, and thus some
> type of mapping must occur with "real" unix accounts.  I'm still not
> clear where this mapping occurs though -- which account/group is it
> actually mapping to?
>
> What I don't get is why any of the BUILTIN\* users and groups would ever
> be assigned to a group in unix.


One word 'Sysvol'


> The group file attribute in unix is
> never used by Windows, however the owner is.  If every BUILTIN\* group
> mapped to a user in unix, this all would work perfectly, no?
>
>

Yes, it does on a DC.

Rowland



