[Samba] Admin UID changed with upgrade to 4.8.2
Rowland Penny
rpenny at samba.org
Thu Jun 14 20:37:58 UTC 2018
On Thu, 14 Jun 2018 16:03:35 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> Nevertheless, 'ls' does give names though I don't seem to have either
> libnss-winbind or libpam-winbind files on my AD/DC.
I keep forgetting that you use Slackware; I suppose it uses something
different, but do you have any file like libnss_winbind.so.2?
>
> Circling back to the OP, with 4.4.16 I got:
>
> > ls -l
> /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 BUILTIN\administrators users 958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
>
> Now, with 4.8.2, doing the same ls gives me:
>
> > ls -l
> /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
>
> I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> idmap.ldb for clues.
For some reason, nsswitch (and/or idmap.ldb) isn't mapping '3000000' to
'Administrators'
>
> > > With 4.8.2 on my DC's i see:
> > > ls -al sysvol/
> > > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14
> > > internal.domain.tld
>
> Funny you should mention that. I was going to post the same thing,
> mine is:
>
> rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03 00:46
> sysvol/
>
> I thought it strange that it would list the 300000 groupname, but for
> files owned by 300000 it will only list the UID number, not the
> username.
AH-Ha, the only place that maps an ID to a user AND a group is
idmap.ldb, where it gets 'ID_TYPE_BOTH'. Have you given
'Administrators' a uidNumber, or is it being mapped to 'ID_TYPE_UID'
in idmap.ldb?
>
> and am missing Louis':
> group:3000002:rwx
> group:3000003:r-x
>
> whereas Louis has:
> group:BUILTIN\134server\040operators:r-x
>
> For 'other' I have "other::r--" whereas Louis has "other::---"
>
> For default I am again missing user 3000001 and my 3000003 is rwx
> rather than Louis' r-x. My 'default-group' is "r-x", Louis' "---".
> Same group difference with 'default' as mentioned above with my
> 040AUTHORITY and Louis' 040operators.
> My "default:other::r-x", Louis' "default:other::---"
>
> Are my different settings bad?
Not necessarily, different DCs get different IDs for the
users/groups.
>
> > And Louis also uses 'acl_xattr:ignore system acls = yes',
>
> How do you know that? I don't see that listed in Louis' message?
I just do ;-)
Try reading 'man vfs_acl_xattr'
>
> > this means that you can ignore the system ACL and what getfacl
> > produces.
> >
> > The permissions you set from Windows are actually stored in
> > 'security.NTACL'
> >
> > To see the contents of this attr:
> >
> > getfattr -n security.NTACL /home/testdata
> > getfattr: Removing leading '/' from absolute path names
> > # file: home/testdata
> > security.NTACL=0sAwA [deleted] KCAAA
> >
> > Not very readable is it ?
>
> Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!
Just set them from Windows and ignore the Unix acls
Rowland
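The diagnosis Rowland is pointing at is that `ls` can only show a name for a numeric owner if the xidNumber in idmap.ldb is mapped with a type that covers the role it is being used in: ID_TYPE_BOTH resolves as a user and as a group, ID_TYPE_UID only as a user, ID_TYPE_GID only as a group. The script below is an added example, not something from this thread or from the Samba project; it runs the check over a constructed LDIF snippet in the shape `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints (the SIDs, xidNumbers and types in the sample are made up, and the private directory path is an assumption about the install), so it works offline. On a real DC you would pipe the live ldbsearch output into `check_xid` instead of `SAMPLE_IDMAP`.

```shell
#!/bin/sh
# Constructed sample of idmap.ldb sidMap records (values are invented for
# this example, not taken from the thread). The first SID is mapped as a
# group only, which is exactly the case where files owned by that xid show
# the bare number in 'ls -l' while directories group-owned by it show a name.
SAMPLE_IDMAP='dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

dn: CN=S-1-5-32-548
cn: S-1-5-32-548
objectClass: sidMap
objectSid: S-1-5-32-548
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-548
'

# idmap_type LDIF XID: print the 'type:' of the record whose xidNumber is XID,
# or UNMAPPED if no record carries that number. LDIF records are separated by
# blank lines, so awk resets its per-record state on each empty line.
idmap_type() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^xidNumber:/ { xid = $2 }
        /^type:/      { type = $2 }
        /^$/          { if (xid == want && type != "") found = type; xid = ""; type = "" }
        END           { if (xid == want && type != "") found = type
                        print (found ? found : "UNMAPPED") }'
}

# check_xid LDIF ROLE XID: ROLE is "user" (owner column of ls -l) or "group"
# (group column). Prints "ok" when the mapping type can resolve that role,
# "unmapped" when idmap.ldb has no record, or "mismatch:<type>" when the
# record exists but its type cannot serve that role (the thread's symptom).
check_xid() {
    t=$(idmap_type "$1" "$2"_placeholder_never_matches)   # defensive default
    t=$(idmap_type "$1" "$3")
    case "$2:$t" in
        *:ID_TYPE_BOTH|user:ID_TYPE_UID|group:ID_TYPE_GID) echo "ok" ;;
        *:UNMAPPED)                                        echo "unmapped" ;;
        *)                                                 echo "mismatch:$t" ;;
    esac
}

# Stand-alone demonstration using the owner/group columns of the ls -l lines
# quoted in the thread ("3000000 users"): owner 3000000 cannot be resolved as
# a user with an ID_TYPE_GID mapping, but it would resolve fine as a group.
for role in user group; do
    printf '%-5s 3000000 -> %s\n' "$role" "$(check_xid "$SAMPLE_IDMAP" "$role" 3000000)"
done
```

The "mismatch" result is the one to act on: either the SID already has a proper ID_TYPE_BOTH (or ID_TYPE_UID) entry on another DC and this DC's idmap.ldb differs, or a uidNumber was never assigned, which is the question Rowland asks above. Unmapped or mismatched numeric owners on sysvol are also worth flagging in a permissions audit, since an ACL that references an ID nobody can resolve is easy to overlook.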