[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Ian samba at zestysoft.com
Mon Feb 22 00:52:26 UTC 2016



On 2/17/2016 12:54 PM, Ian wrote:
> On 2/17/2016 11:53 AM, Rowland penny wrote:
>> On 17/02/16 19:47, Ian wrote:
>>> On 2/17/2016 10:32 AM, Rowland penny wrote:
>>>> On 17/02/16 18:07, Ian wrote:
>>>> One word 'Sysvol' 
> Okay, so a domain member needs to directly deal with sysvol somehow, and
> this requires using unix groups,
>>> The group file attribute in unix is
>>> never used by Windows, however the owner is.  If every BUILTIN\* group
>>> mapped to a user in unix, this all would work perfectly, no?
>>>
>>>
>> Yes, it does on a DC.
>>
> but a DC that has its own sysvol can still use BUILTIN\Administrators as
> a user.
>
> Just so I'm clear:
>
> getent group 'DOMAIN\Domain Admins'
> returns
> DOMAIN\domain admins:x:20512:(along with all the users that are member
> of this group.)
>
> Yet, even though unix see this is a group, I can use this id for the
> owner of a folder?  Hmm..
>
> ls -lnd CoreLib/
> d---------+ 2 20512  90000001  5 Dec  8 11:59 CoreLib//
>
> If I do a reverse lookup of the numeric id as both a user or group, I
> see why this works
>
> id -u 'DOMAIN\Domain Admins'
> 20512
> id -g 'DOMAIN\Domain Admins'
> 20512
>
> It's not using a group id, it's using a user id that's the same as the
> group id.
>
> However, getent group 'BUILTIN\Administrators' returns this:
> BUILTIN\administrators:x:90000001
>
> Doing a reverse lookup here shows the problem:
> id -u 'BUILTIN\administrators'
> id: BUILTIN\administrators: no such user
> id -g 'BUILTIN\administrators'
> BUILTIN\administrators:x:90000001
>
> So while the system is perfectly fine doing something like this:
>  chgrp 'DOMAIN\Domain Admins' CoreLib/
> ls -lnd CoreLib/
> d---rwx---+ 2 20512  20512  5 Dec  8 11:59 CoreLib//
>
> ls -lad CoreLib/
> d---rwx---+ 2 DOMAIN\domain admins  DOMAIN\domain admins  5 Dec  8 11:59
> CoreLib//
>
> The same is impossible because there is no mirrored
> BUILTIN\administrators user internal to Samba.  However, as has been
> shown, this doesn't seem to be a unix limitation.
>
>
No reply?

Maybe I should mention why this is even a "thing."

Microsoft's default behavior is to assign "Administrators" as the owner
of any file or folder when that file or folder is created with an
administrative account (any member of Administrators).  In an AD
environment, this includes the "Domain Admins" group and all of its
members too because any time a computer account is joined to the domain,
one of the things that happens during this process is to add "Domain
Admins" to the local computer's Administrators group.  (Source:
https://technet.microsoft.com/en-us/library/cc961992.aspx)

This behavior is the reason why we have a large number of files and
folders that are owned by that builtin\Administrators group.

Samba, while happy to replace mapped group IDs with user IDs when
assigning ownership of non-builtin groups, refuses to do so for the
builtin groups, but it's not clear why.

Can anyone explain what is tying Samba's hands behind its back here?  Or
was there a policy decision against this behavior?
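The getent/id checks Ian ran above, packaged as a small diagnostic (an added example, not code from the thread or from the Samba project). It assumes winbind is wired into nsswitch.conf so that `getent passwd` and `getent group` resolve DOMAIN\ and BUILTIN\ names; the sample names are constructed.

```shell
#!/bin/sh
# Classify how a Windows name is mapped on this host. A name that resolves
# as BOTH a passwd entry and a group entry has a uid equal to its gid (the
# idmap "ID_TYPE_BOTH" case seen for DOMAIN\Domain Admins above) and can
# therefore be used with chown as a file's *owner*. A name that resolves
# only as a group (BUILTIN\Administrators above) works with chgrp but not
# with chown, which is exactly the asymmetry the thread is asking about.
#
# Usage: idmap_kind 'DOMAIN\Domain Admins'
#   prints one of: "both <id>" | "group-only <gid>" | "user-only <uid>" | "unmapped"

idmap_kind() {
    name=$1
    # getent passwd only returns a line when winbind exposes a uid for the name
    uid=$(getent passwd "$name" 2>/dev/null | cut -d: -f3)
    # getent group returns a line when winbind exposes a gid for the name
    gid=$(getent group "$name" 2>/dev/null | cut -d: -f3)
    if [ -n "$uid" ] && [ -n "$gid" ]; then
        echo "both $uid"
    elif [ -n "$gid" ]; then
        echo "group-only $gid"
    elif [ -n "$uid" ]; then
        echo "user-only $uid"
    else
        echo "unmapped"
    fi
}

# Report, for each name given, whether it could own a file (chown) or only
# be a file's group (chgrp). Constructed example names, not from a real host.
check_owners() {
    for n in "$@"; do
        printf '%-30s %s\n' "$n" "$(idmap_kind "$n")"
    done
}
```

Run `check_owners 'DOMAIN\Domain Admins' 'BUILTIN\Administrators'` on a domain member to see which names fall into the group-only bucket before trying to set them as owners.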
