[Samba] Admin UID changed with upgrade to 4.8.2

Rowland Penny rpenny at samba.org
Thu Jun 14 20:37:58 UTC 2018


On Thu, 14 Jun 2018 16:03:35 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> Nevertheless, 'ls' does give names though I don't seem to have either
> libnss-winbind or libpam-winbind files on my AD/DC.

I keep forgetting that you use slackware, I suppose it uses something
different, but do you have any file like: libnss_winbind.so.2

> 
> Circling back to the OP, with 4.4.16 I got:
> 
> > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 BUILTIN\administrators users  958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> 
> Now, with 4.8.2, doing the same ls gives me:
> 
> > ls -l /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 3000000 users  958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> 
> I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> idmap.ldb for clues.

For some reason, nsswitch (and/or idmap.ldb) isn't mapping '3000000' to
'Administrators'.

> 
> > > With 4.8.2 on my DCs I see:
> > > ls -al sysvol/
> > > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14 internal.domain.tld
> 
> Funny you should mention that. I was going to post the same thing,
> mine is:
> 
> rwxrwxr--+ 3 root BUILTIN\administrators   4096 2014-09-03 00:46 sysvol/
> 
> I thought it strange that it would list the 300000 groupname, but for
> files owned by 300000 it will only list the UID number, not the
> username. 

Ah-ha, the only place that maps an ID to a user AND a group is
idmap.ldb, where it gets 'ID_TYPE_BOTH'. Have you given
'Administrators' a uidNumber? Or is it being mapped to 'ID_TYPE_UID'
in idmap.ldb?

> 
> and am missing Louis':
> group:3000002:rwx
> group:3000003:r-x
> 
> whereas Louis has:
> group:BUILTIN\134server\040operators:r-x
> 
> For 'other' I have "other::r--" whereas Louis has "other::---"
> 
> For default I am again missing user 3000001 and my 3000003 is rwx
> rather than Louis' r-x. My 'default-group' is "r-x", Louis' "---".
> Same group difference with 'default' as mentioned above with my
> 040AUTHORITY and Louis' 040operators.
> My "default:other::r-x", Louis' "default:other::---"
> 
> Are my different settings bad?

Not necessarily, different DCs get different IDs for the
users/groups.

> 
> > And Louis also uses 'acl_xattr:ignore system acls = yes', 
> 
> How do you know that? I don't see that listed in Louis' message?

I just do ;-)

Try reading 'man vfs_acl_xattr'.

> 
> > this means that you can ignore the system ACL and what getfacl
> > produces.
> >
> > The permissions you set from Windows are actually stored in
> > 'security.NTACL'
> >
> > To see the contents of this attr:
> >
> > getfattr -n security.NTACL /home/testdata
> > getfattr: Removing leading '/' from absolute path names
> > # file: home/testdata
> > security.NTACL=0sAwA [deleted] KCAAA
> >
> > Not very readable, is it?
> 
> Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!

Just set them from Windows and ignore the Unix ACLs.

Rowland
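The idmap.ldb point above can be checked mechanically. The following is an added example, not code from the thread or from Samba: it parses records in the LDIF shape that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints (the sample records, their `type` values and the path are constructed assumptions, not Mark's actual data) and reports, for each bare number `ls` or `getfacl` shows, whether the record type lets winbind name it as a user, a group, or both.

```python
"""Diagnose why `ls` prints a bare xid (e.g. 3000000) instead of a name.

Parses constructed idmap.ldb records in ldbsearch's LDIF layout and says,
per numeric ID, which SID owns it and how its `type` lets it resolve.
Assumes plain (non-base64, single-line) attribute values.
"""
import re

# Constructed sample; real records come from ldbsearch on idmap.ldb.
SAMPLE_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 3000000

dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000003
"""

# Well-known BUILTIN SIDs that typically own sysvol objects.
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-549": "BUILTIN\\Server Operators"}

def parse_idmap_ldif(text):
    """Return {xidNumber: {"sid": ..., "type": ...}} from LDIF records."""
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(ln.split(": ", 1) for ln in record.splitlines() if ": " in ln)
        if "xidNumber" in attrs:
            mappings[int(attrs["xidNumber"])] = {"sid": attrs.get("objectSid"),
                                                  "type": attrs.get("type")}
    return mappings

def explain_xid(xid, mappings):
    """Describe how a numeric ID seen in ls/getfacl output would resolve."""
    m = mappings.get(xid)
    if m is None:  # nothing to name it with at all
        return {"xid": xid, "sid": None, "type": None, "as_user": False,
                "as_group": False, "note": "no idmap.ldb record for this ID"}
    as_user = m["type"] in ("ID_TYPE_UID", "ID_TYPE_BOTH")
    as_group = m["type"] in ("ID_TYPE_GID", "ID_TYPE_BOTH")
    name = WELL_KNOWN.get(m["sid"], m["sid"])
    if as_user and as_group:
        note = f"{name}: named in both owner and group columns"
    elif as_group:
        note = f"{name}: named as group only; bare number shown as file owner"
    else:
        note = f"{name}: named as user only; bare number shown in group column"
    return {"xid": xid, "sid": m["sid"], "type": m["type"],
            "as_user": as_user, "as_group": as_group, "note": note}
```

Run `explain_xid(3000000, parse_idmap_ldif(SAMPLE_LDIF))` to see the group-only case that matches the symptom in the thread (group name shown on sysvol/, number shown as owner).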