[Samba] Domain Admins default ownership is BUILTIN\Administrators

Rob Mason rob at acasta.co.uk
Sun Dec 2 10:14:10 UTC 2018


So, a little bit more investigation shows a problem with idmap ->

User - BUILTIN\Administrator uid = 30000
Group - BUILTIN\Administrators gid = 3000000
Group - SAMDOM\Domain Admins gid = 60000

POSIX file ownership is becoming 3000000:60000

It seems that the Administrators group is set as the owner. What's more, the 'Administrators' group name is not mapped when I list the directory:

ls -l
total 7.9M
drwxr-xr-x   7 JohnDoe Domain Users 4.0K Aug 24 20:47 ./
drwxr-xr-x  11 root    root         4.0K Dec  1 16:50 ../
-rw-r--r--   1 JohnDoe Domain Users 439K Aug 14  2013 Book.xlsx
-rw-r--r--   1 JohnDoe Domain Users  30K Mar  4  2012 planner.xls
-rwxr-xr-x+  1 3000000 Domain Users 4.2M Feb 10  2017 acasta.ics*

Any ideas how to fix this?

--
Rob Mason
07770 578764

From: Rob Mason
Sent: 30 November 2018 18:28
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: Domain Admins default ownership is BUILTIN\Administrators

I've now spun up a second DC ready for a migration from an old DC. Just checking over a few things and have hit this problem:

Objects created by Domain Admins members default to ownership by BUILTIN\Administrators.  So, when JohnDoe is logged on as JohnDoe and creates a file, its ownership becomes BUILTIN\Administrators.

I've played with perms for over an hour and cannot make any sense of this? I cannot see where/why it is defaulting to this account??

\data is chmod 2755 owned by "SAMDOM\JohnDoe":"SAMDOM\Domain Admins".   Resulting files are 755 owned by "BUILTIN\Administrators":"SAMDOM\Domain Admins"


[global]
        netbios name = SAGAN
        realm = SAMDOM.INTRA
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes

        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes


[netlogon]
        path = /var/lib/samba/sysvol/acasta.intra/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[data]
        path = /data
        read only = No


--
Rob Mason


Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.
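The symptom in the post (a file owned by the bare number 3000000, which `ls -l` cannot turn into a name) can be audited for across a share. The script below is an added example and is not code from the thread or from the Samba project. It assumes one thing the post does not state: that a Samba AD DC's idmap.ldb allocates xidNumbers to SIDs lacking an rfc2307 uidNumber/gidNumber from 3000000 upward, so an unresolvable owner at or above that number points at exactly such an unmapped SID. The lookup tables `CONSTRUCTED_USERS` and `CONSTRUCTED_GROUPS` are made up to mimic what NSS/winbind would answer on the poster's DC (only 30000 and 60000 are taken from the post); `audit_directory()` runs the same check against a real path using `pwd`/`grp`.

```python
"""Find files whose owner or group xid has no NSS name (e.g. a BUILTIN SID
that Samba's idmap.ldb auto-allocated instead of an rfc2307 gidNumber).

Added example, not part of the mailing-list thread.
"""
import grp
import os
import pwd
from typing import Callable, Dict, List, NamedTuple, Optional

# ASSUMPTION: idmap.ldb hands out xids starting here for SIDs with no
# uidNumber/gidNumber; bare numbers >= this in `ls -l` are a tell-tale sign.
IDMAP_LDB_LOWER_BOUND = 3000000

Lookup = Callable[[int], Optional[str]]


class Finding(NamedTuple):
    name: str    # directory entry
    field: str   # "uid" or "gid"
    xid: int     # numeric id that NSS could not resolve
    note: str    # why it is interesting


def nss_user(uid: int) -> Optional[str]:
    """Resolve a uid through NSS (/etc/passwd, winbind, ...)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def nss_group(gid: int) -> Optional[str]:
    """Resolve a gid through NSS."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def classify(name: str, uid: int, gid: int,
             user_lookup: Lookup = nss_user,
             group_lookup: Lookup = nss_group) -> List[Finding]:
    """Return one Finding per unresolvable id on this entry (0, 1 or 2)."""
    findings: List[Finding] = []
    for field, xid, lookup in (("uid", uid, user_lookup), ("gid", gid, group_lookup)):
        if lookup(xid) is not None:
            continue  # NSS knows this id; nothing to report
        if xid >= IDMAP_LDB_LOWER_BOUND:
            note = ("unmapped; xid in the idmap.ldb auto-allocation range, "
                    "so the owning SID has no rfc2307 uidNumber/gidNumber")
        else:
            note = "unmapped; xid below the idmap.ldb range (stale or local id)"
        findings.append(Finding(name, field, xid, note))
    return findings


def audit_directory(path: str,
                    user_lookup: Lookup = nss_user,
                    group_lookup: Lookup = nss_group) -> List[Finding]:
    """Walk one directory level and classify every entry's owner/group."""
    findings: List[Finding] = []
    with os.scandir(path) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            findings.extend(classify(entry.name, st.st_uid, st.st_gid,
                                     user_lookup, group_lookup))
    return findings


# Constructed tables standing in for NSS/winbind on the poster's DC.
# 30000 (Administrator) and 60000 (Domain Admins) are from the post; the
# JohnDoe / Domain Users ids are invented.
CONSTRUCTED_USERS: Dict[int, str] = {10000: "JohnDoe", 30000: "Administrator"}
CONSTRUCTED_GROUPS: Dict[int, str] = {10001: "Domain Users", 60000: "Domain Admins"}


def table_lookup(table: Dict[int, str]) -> Lookup:
    """Build a Lookup from a dict, mimicking an NSS answer."""
    return lambda xid: table.get(xid)


def demo() -> List[Finding]:
    """Classify entries modelled on the post's listing and its 3000000:60000 case."""
    entries = [
        ("Book.xlsx", 10000, 10001),     # JohnDoe:Domain Users, fully mapped
        ("acasta.ics", 3000000, 10001),  # owner printed as 3000000 in the post
        ("data", 3000000, 60000),        # the "3000000:60000" ownership from the post
    ]
    out: List[Finding] = []
    for name, uid, gid in entries:
        out.extend(classify(name, uid, gid,
                            table_lookup(CONSTRUCTED_USERS),
                            table_lookup(CONSTRUCTED_GROUPS)))
    return out


if __name__ == "__main__":
    import sys
    results = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.name}: {f.field}={f.xid} -> {f.note}")
```

Run it with a share path (`python3 audit_xids.py /data`) on the DC itself, where winbind answers NSS; without an argument it runs the constructed `demo()` data, which flags the two entries owned by 3000000 and leaves the fully mapped file alone.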

