[Samba] Can one set the owner of a folder to BUILTIN\Administrators?
Ian
samba at zestysoft.com
Wed Feb 17 20:54:10 UTC 2016
On 2/17/2016 11:53 AM, Rowland penny wrote:
> On 17/02/16 19:47, Ian wrote:
>> On 2/17/2016 10:32 AM, Rowland penny wrote:
>>> On 17/02/16 18:07, Ian wrote:
>>>> Actually, that works for me too. I just issued the command 'chgrp
>>>> "BUILTIN\administrators" CoreLib' and it returned successfully for
>>>> that folder. 'ls -la' shows:
>>>> d---------+ 2 MMIA\domain admins BUILTIN\administrators 5 Dec 8 11:59 CoreLib//
>>>>
>>>> Note however, that it fails if I attempt to chown instead:
>>>> [root at freenas] /mnt/trunk/MM/deploy# chown "BUILTIN\Administrators" CoreLib
>>>> chown: BUILTIN\Administrators: illegal user name
>>>>
>>>> I can chown to other domain groups successfully.
>>> Normally a group cannot 'own' files etc, Unix uses ugo permissions and
>>> when you chown a file you would use something like this:
>> In unix, yes this is the case, however in Windows a group can. For
>> instance, this works:
>> chown 'DOMAIN\Domain Admins' CoreLib/
>> ls -lad CoreLib:
>> d---------+ 2 MMIA\domain admins BUILTIN\administrators 5 Dec 8 11:59 CoreLib//
>>
>> Using kerberos and ldap, there doesn't seem to be anything stopping
>> this. However, if I understand what you're saying, the BUILTIN\* users
>> and groups are part of the unix system that Samba runs on, and thus some
>> type of mapping must occur with "real" unix accounts. I'm still not
>> clear where this mapping occurs though -- which account/group is it
>> actually mapping to?
>>
>> What I don't get is why any of the BUILTIN\* users and groups would ever
>> be assigned to a group in unix.
>
>
> One word 'Sysvol'
>
Okay, so a domain member needs to directly deal with sysvol somehow, and
this requires using unix groups,
>
>> The group file attribute in unix is
>> never used by Windows, however the owner is. If every BUILTIN\* group
>> mapped to a user in unix, this all would work perfectly, no?
>>
>>
>
> Yes, it does on a DC.
>
but a DC that has its own sysvol can still use BUILTIN\Administrators as
a user.
Just so I'm clear:
getent group 'DOMAIN\Domain Admins'
returns
DOMAIN\domain admins:x:20512:(along with all the users that are members
of this group.)
Yet, even though unix sees this as a group, I can use this id for the
owner of a folder? Hmm..
ls -lnd CoreLib/
d---------+ 2 20512 90000001 5 Dec 8 11:59 CoreLib//
If I do a reverse lookup of the numeric id as both a user and a group, I
see why this works:
id -u 'DOMAIN\Domain Admins'
20512
id -g 'DOMAIN\Domain Admins'
20512
It's not using a group id, it's using a user id that's the same as the
group id.
However, getent group 'BUILTIN\Administrators' returns this:
BUILTIN\administrators:x:90000001
Doing a reverse lookup here shows the problem:
id -u 'BUILTIN\administrators'
id: BUILTIN\administrators: no such user
id -g 'BUILTIN\administrators'
BUILTIN\administrators:x:90000001
So while the system is perfectly fine doing something like this:
chgrp 'DOMAIN\Domain Admins' CoreLib/
ls -lnd CoreLib/
d---rwx---+ 2 20512 20512 5 Dec 8 11:59 CoreLib//
ls -lad CoreLib/
d---rwx---+ 2 DOMAIN\domain admins DOMAIN\domain admins 5 Dec 8 11:59 CoreLib//
The same is impossible because there is no mirrored
BUILTIN\administrators user internal to Samba. However, as has been
shown, this doesn't seem to be a unix limitation.
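The check the message works through by hand (does the name resolve as a user, as a group, or as both?) as a small script; this is an added example, not code from the post or from Samba, and it assumes only getent(1) as provided by winbind or the local files:

```shell
#!/bin/sh
# Report how the name service resolves an account name, so you can tell
# before running chown whether a "group" name can also act as a file owner.
# Prints one of: both, user-only, group-only, none.
# Hypothetical helper, not part of Samba; relies only on getent(1).
owner_capable() {
    name="$1"
    uid=$(getent passwd "$name" 2>/dev/null | cut -d: -f3) || uid=""
    gid=$(getent group  "$name" 2>/dev/null | cut -d: -f3) || gid=""
    if [ -n "$uid" ] && [ -n "$gid" ]; then
        # Mapped as user and group (like 'DOMAIN\Domain Admins' in the
        # post, where uid == gid): both chown and chgrp will succeed.
        echo both
    elif [ -n "$uid" ]; then
        echo user-only
    elif [ -n "$gid" ]; then
        # Only a gid exists (like BUILTIN\administrators in the post):
        # chgrp succeeds, chown reports "illegal user name".
        echo group-only
    else
        echo none
    fi
}

# Demo over the names from the post plus root; on a host without winbind
# the domain names simply report "none".
for acct in 'DOMAIN\Domain Admins' 'BUILTIN\administrators' root; do
    printf '%-28s %s\n' "$acct" "$(owner_capable "$acct")"
done
```

Run it on the member server or DC where the chown fails; a "group-only" result is the idmap situation the message describes, and "both" is what an ID_TYPE_BOTH-style mapping produces.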