[Samba] Admin UID changed with upgrade to 4.8.2

Mark Foley mfoley at ohprs.org
Thu Jun 14 20:03:35 UTC 2018


On Thu, 14 Jun 2018 10:50:15 +0100 Rowland Penny wrote:
>
> On Thu, 14 Jun 2018 09:39:46 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > And I did read the comment for Rowland below too.
> > On Debian you need:
> > libnss-winbind libpam-winbind to be installed.
> > I think you are missing one of these.
>
> They are the glue that connects Samba to nsswitch and allows 'getent
> passwd username' to work. Without the 'glue', checking for ownership etc.
> of files with 'ls -l' will only show numbers, because the OS
> doesn't know who the numbers are.

Well, my getent *does* work on both the AD/DC and domain members. Also, my 'ls' does show
names, not just numbers. Example:

> ls -l /redirectedFolders/Users/
total 88
drwxrwx---+  6 root          domusers 4096 2015-09-03 13:13 Administrator/
drwxrwx---+  5       3000038 domusers 4096 2015-09-03 07:39 doris/
drwxrwx---+  5 HPRS\hcarr    domusers 4096 2015-09-03 07:37 hcarr/
drwxrwxr-x+ 34 HPRS\mark     domusers 4096 2018-06-10 22:51 mark/
drwxrwx---+  5 HPRS\shay     domusers 4096 2016-07-15 22:58 shay/
drwxrwx---+  5 HPRS\summitoh domusers 4096 2015-09-11 09:57 summitoh/

> ls -ln /redirectedFolders/Users/
total 88
drwxrwx---+  6       0 10000 4096 2015-09-03 13:13 Administrator/
drwxrwx---+  5 3000038 10000 4096 2015-09-03 07:39 doris/
drwxrwx---+  5   10004 10000 4096 2015-09-03 07:37 hcarr/
drwxrwxr-x+ 34   10001 10000 4096 2018-06-10 22:51 mark/
drwxrwx---+  5   10010 10000 4096 2016-07-15 22:58 shay/
drwxrwx---+  5 3000050 10000 4096 2015-09-11 09:57 summitoh/

In the first list, users showing HPRS\username are domain users. Their UIDs are shown in the
2nd list. UIDs 3000038 and 3000050 are from my initial provisioning before you (Rowland) told
me not to use that default range and rather use range 10000-10099 instead (12/1/2017 03:58AM,
subject: "getent passwd does not show correct UID.GID"). I had to change the others in
idmap.ldb. I have not yet changed doris and summitoh.

Nevertheless, 'ls' does give names though I don't seem to have either libnss-winbind or
libpam-winbind files on my AD/DC.

Circling back to the OP, with 4.4.16 I got:

> ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
total 16
drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
-rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/

Now, with 4.8.2, doing the same ls gives me:

> ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
total 16
drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
-rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/

I'm still not sure I've gleaned an answer. I'll check sam.ldb and idmap.ldb for clues.

> > With 4.8.2 on my DCs I see:
> > ls -al sysvol/
> > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14
> > internal.domain.tld 

Funny you should mention that. I was going to post the same thing, mine is:

rwxrwxr--+ 3 root BUILTIN\administrators   4096 2014-09-03 00:46 sysvol/

I thought it strange that it would list the 300000 groupname, but for files owned by 300000 it
will only list the UID number, not the username. 

> > Note the ^^^ (+) in the above line, then use getfacl to see all ACLs.
> > If you use chmod, you might destroy your very much needed Windows ACLs.
> > 
> > And i see with getfacl

(sorry Rowland - I restored Louis' getfacl for comparison with mine)

> > # file: var/lib/samba/sysvol/internal.domain.tld
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000001:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:BUILTIN\134server\040operators:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000001:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:group::---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:BUILTIN\134server\040operators:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::---

My getfacl is:

$ getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000003:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx
mask::rwx
other::r--
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000003:rwx
default:group::r-x
default:group:BUILTIN\134administrators:rwx
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:rwx
default:mask::rwx
default:other::r-x

Differences between Louis' facl and mine:

I'm missing user 3000001. 

In group, I have:

group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx

and am missing Louis':
group:3000002:rwx
group:3000003:r-x

whereas Louis has:
group:BUILTIN\134server\040operators:r-x

For 'other' I have "other::r--" whereas Louis has "other::---"

For default I am again missing user 3000001 and my 3000003 is rwx rather than Louis' r-x.
My 'default-group' is "r-x", Louis' "---".
Same group difference with 'default' as mentioned above with my 040AUTHORITY and Louis'
040operators.
My "default:other::r-x", Louis' "default:other::---"

Are my different settings bad?

> And Louis also uses 'acl_xattr:ignore system acls = yes', 

How do you know that? I don't see that listed in Louis' message?

> this means that you can ignore the system ACL and what getfacl produces.
>
> The permissions you set from Windows are actually stored in
> 'security.NTACL'
>
> To see the contents of this attr:
>
> getfattr -n security.NTACL /home/testdata
> getfattr: Removing leading '/' from absolute path names
> # file: home/testdata
> security.NTACL=0sAwA [deleted] KCAAA
>
> Not very readable is it ?

Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!


> > 
> > If you don't get your IDs,
> > try adding Domain and Local-Realms to: /etc/idmapd.conf
> > 
>
> Don't understand the above, what has an NFS conf file got to do with
> Samba?
>
> Rowland

I'll not mess with this yet.

--Mark
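The comparison Mark does by hand above (two getfacl dumps of sysvol, with Samba-allocated xids such as 3000000 showing up as bare numbers) is easy to script, and the numbers can be resolved through idmap.ldb, which is where Samba on a DC records the SID behind each xid. The following is an added example written for this archive page; it is not code from the thread or from the Samba project. The getfacl access entries are copied from the two dumps above (default: entries left out to keep the sample short), while the idmap.ldb dump is CONSTRUCTED in ldbsearch output format: which SID each xid maps to is an assumption for the example, not data from either DC. On a real DC the inputs come from `getfacl /var/lib/samba/sysvol` and, as root, `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type` (adjust the private dir to your build); the well-known SID table is Microsoft's documented list, not something read from the thread.

```python
import re

# Well-known SIDs (Microsoft-documented); getfacl shows them via their nsswitch names.
WELL_KNOWN_SIDS = {
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-549": r"BUILTIN\Server Operators",
}
XID_LOWER_BOUND = 3000000  # default lowerBound of the xid allocator in idmap.ldb on a DC
ACE_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")


def unescape(name):
    """getfacl writes space and backslash as octal escapes (\\040, \\134)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """{(tag, qualifier): perms}; 'default:' stays in the tag so access and default
    entries never collide. '# file/owner/group' headers and '#effective' notes are dropped."""
    acl = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.split("#")[0].strip())
        if m:
            default, tag, qual, perms = m.groups()
            acl[((default or "") + tag, unescape(qual))] = perms
    return acl


def diff_acls(mine, theirs):
    """[(key, my perms or None, their perms or None)] for every entry that differs."""
    return [(k, mine.get(k), theirs.get(k))
            for k in sorted(set(mine) | set(theirs)) if mine.get(k) != theirs.get(k)]


def unresolved_xids(acl):
    """Numeric qualifiers in the Samba xid range that nsswitch could not turn into names."""
    return sorted({int(q) for _t, q in acl if q.isdigit() and int(q) >= XID_LOWER_BOUND})


def parse_idmap_dump(text):
    """ldbsearch output (blank-line separated 'key: value' records) -> {xid: (sid, type)}."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        f = dict(re.findall(r"^(\w+): (.+)$", record, re.M))
        if "xidNumber" in f and "objectSid" in f:
            mapping[int(f["xidNumber"])] = (f["objectSid"], f.get("type", "?"))
    return mapping


def resolve_xids(acl, idmap):
    """{xid: (sid or None, well-known name or None)}; None means idmap.ldb has no record."""
    out = {}
    for xid in unresolved_xids(acl):
        sid = idmap.get(xid, (None,))[0]
        out[xid] = (sid, WELL_KNOWN_SIDS.get(sid))
    return out


# Access entries copied from the two getfacl dumps in the thread (default: lines left
# out to keep the sample short; the parser treats them the same way).
MARK_GETFACL = r"""user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000003:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx
mask::rwx
other::r--"""
LOUIS_GETFACL = r"""user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---"""
# CONSTRUCTED idmap.ldb dump in ldbsearch format; the xid -> SID pairs are an assumption
# for this example. 3000003 is deliberately absent so the unresolved path is exercised.
IDMAP_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-18
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

if __name__ == "__main__":
    mine, theirs = parse_getfacl(MARK_GETFACL), parse_getfacl(LOUIS_GETFACL)
    for (tag, qual), a, b in diff_acls(mine, theirs):
        print(f"{tag}:{qual}: mine={a} theirs={b}")
    for xid, (sid, name) in resolve_xids(mine, parse_idmap_dump(IDMAP_DUMP)).items():
        print(f"xid {xid} -> {sid} ({name or 'no well-known name'})")
```

Two caveats that follow from the thread itself: the POSIX ACL that getfacl prints is not the authoritative one when 'acl_xattr:ignore system acls = yes' is set, so before acting on a difference, compare the Windows ACL too; `samba-tool ntacl get --as-sddl <path>` renders the security.NTACL xattr that Rowland shows as unreadable base64, and `samba-tool ntacl sysvolcheck` compares the sysvol tree against what the DC expects. And, as Louis warns, fix an xid or a permission through Samba's tools rather than chmod/setfacl, which can destroy the NT ACL.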