[Samba] Admin UID changed with upgrade to 4.8.2

L.P.H. van Belle belle at bazuin.nl
Fri Jun 15 10:24:21 UTC 2018


Mark, 


See below. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark 
> Foley via samba
> Sent: Thursday 14 June 2018 22:04
> To: samba at lists.samba.org
>....... 

I see funny things here. 
For example, 
> drwxrwxr-x+ 34   10001 10000 4096 2018-06-10 22:51 mark/
> drwxrwx---+  5 3000038 10000 4096 2015-09-03 07:39 doris/

The two things are: I see a UID from a RID backend setup and I see a UID from an AD backend.
10000 is the default for the AD backend.
3000000 is the default for the RID backend.
Now this doesn't have to be wrong, I just noticed this. 

> 
> In the first list, users showing HPRS\username are domain 
> users. Their UIDs are shown in the
> 2nd list. UIDs 3000038 and 3000050 are from my initial 
> provisioning before you (Rowland) told
> me not to use that default range and rather use range 
> 10000-10099 instead (12/1/2017 03:58AM,
> subject: "getent passwd does not show correct UID.GID"). I 
> had to change the others in
> idmap.ldb. I have not yet changed doris and summitoh.
> 
> Nevertheless, 'ls' does give names though I don't seem to 
> have either libnss-winbind or
> libpam-winbind files on my AD/DC.
> 

> .........  
> Funny you should mention that. I was going to post the same 
> thing, mine is:
> 
> rwxrwxr--+ 3 root BUILTIN\administrators   4096 2014-09-03 
> 00:46 sysvol/
> 
> I thought it strange that it would list the 300000 groupname, 
> but for files owned by 300000 it
> will only list the UID number, not the username. 

Yes, this is what helps here and that's intended in my script. 
Since you can't set a GID as UID in Linux, you set the UID as a number and don't use the name. 
It works the same in the end (from the Windows point of view). 
On the Linux side, it only sees the numbers and that's ok. 

> 
> > > Note the ^^^ (+) in above line, then use getfacl to see all ACL's
> > > If you use chmod, you might destroy your very needed 
> windows ACL's 
> > > 
> > > And i see with getfacl
> 
> (sorry Rowland - I restored Louis' getfacl for comparison with mine)
> 
> > > # file: var/lib/samba/sysvol/internal.domain.tld
> > > # owner: root
> > > # group: BUILTIN\134administrators
> > > user::rwx
> > > user:root:rwx
> > > user:3000000:rwx
> > > user:3000001:r-x
> > > user:3000002:rwx
> > > user:3000003:r-x
> > > group::rwx
> > > group:BUILTIN\134administrators:rwx
> > > group:BUILTIN\134server\040operators:r-x
> > > group:3000002:rwx
> > > group:3000003:r-x
> > > mask::rwx
> > > other::---
> > > default:user::rwx
> > > default:user:root:rwx
> > > default:user:3000000:rwx
> > > default:user:3000001:r-x
> > > default:user:3000002:rwx
> > > default:user:3000003:r-x
> > > default:group::---
> > > default:group:BUILTIN\134administrators:rwx
> > > default:group:BUILTIN\134server\040operators:r-x
> > > default:group:3000002:rwx
> > > default:group:3000003:r-x
> > > default:mask::rwx
> > > default:other::---
> 
> My getfacl is:
> 
> $ getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000002:rwx
> user:3000003:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:NT\040AUTHORITY\134system:rwx
> group:NT\040AUTHORITY\134authenticated\040users:rwx
> mask::rwx
> other::r--
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000003:rwx
> default:group::r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:NT\040AUTHORITY\134system:rwx
> default:group:NT\040AUTHORITY\134authenticated\040users:rwx
> default:mask::rwx
> default:other::r-x
> 
> Differences between Louis' facl and mine:
> 
> I'm missing user 3000001. 
> 
> In group, I have:
> 
> group:NT\040AUTHORITY\134system:rwx
> group:NT\040AUTHORITY\134authenticated\040users:rwx
> 
> and am missing Louis':
> group:3000002:rwx
> group:3000003:r-x
> 
> whereas Louis has:
> group:BUILTIN\134server\040operators:r-x
> 
> For 'other' I have "other::r--" whereas Louis has "other::---"
> 
> For default I am again missing user 3000001 and my 3000003 is 
> rwx rather than Louis' r-x.
> My 'default-group' is "r-x", Louis' "---".
> Same group difference with 'default' as mentioned above with 
> my 040AUTHORITY and Louis'
> 040operators.
> My "default:other::r-x", Louis' "default:other::---"
> 
> Are my different settings bad?
Yes. 
I'll explain a bit more here. 

The numbers you see are not the same for you and me; if they are, then it's pure luck. 
That is why I made the script. 
The script looks up all SIDs/UIDs/GIDs and tries to match the names with them. 
Your 3000002 may be my 3000001 or 3000003. 

So don't look too much at the UID numbers. 

> 
> > And Louis also uses 'acl_xattr:ignore system acls = yes', 
> 
> How do you know that? I don't see that listed in Louis' message?
Yes, that's because Rowland and I have been here for some time; we know one another's setup. 
Now, yes, I use that, but if you set it with the script, it works the same. 
The script sets the rights as they are shown from a Windows point of view, 
but without the ignore system acls. 

The main difference is in SYSTEM. 

When do things go wrong with sysvol?
1) People use chmod.
2) People forget to set a correct ACL on the SYSVOL share (the SHARE ACL). 
3) Then they change the rights from the CLI. 

The order MUST be:
1) Set the base rights on Linux.
2) Set the share rights from within Windows. 
3) Set the folder rights from within Windows. 
4) NEVER chmod again from the CLI.

If that did not help, 
then add the ignore system acls to the sysvol share. 

Now, about the above setup order:
if you have done 1, 2, 3 and then you change 2, then you also must check 3 again. 

If you add the ignore system acls to the sysvol share, 
then redo steps 2 and 3. 
And remember step 4. 


> 
> > this means that you can ignore the system ACL and what 
> getfacl produces.
> >
> > The permissions you set from Windows are actually stored in
> > 'security.NTACL'
> >
> > To see the contents of this attr:
> >
> > getfattr -n security.NTACL /home/testdata
> > getfattr: Removing leading '/' from absolute path names
> > # file: home/testdata
> > security.NTACL=0sAwA [deleted] KCAAA
> >
> > Not very readable is it ?
> 
> Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!
> 
> 
> > > 
> > > If you don't get your id's
> > > Try adding Domain and Local-Realms to: /etc/idmapd.conf 
> > > 
> >
> > Don't understand the above, what has an NFS conf file got do with
> > Samba ?
> >
> > Rowland
> 
> I'll not mess with this yet.
> 
> --Mark

Yes, something you really get logs and I throw in everything. 
I'll watch out for that next time. 

Greetz, 

Louis
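Louis's point above is that the numeric IDs in two getfacl listings are not comparable across hosts and only the resolved names are. The following is an added example, not Louis's script nor Samba code: it parses getfacl output, decodes the octal escapes (\134 and \040) seen in the listings, maps numeric qualifiers to names through a lookup table, and diffs two hosts' ACLs by name. Both listings and the ID-to-name tables are constructed samples standing in for real idmap lookups.

```python
import re
from typing import Dict, Set, Tuple

# getfacl escapes special bytes as 3-digit octal: \134 is '\', \040 is ' '.
_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name: str) -> str:
    """Decode getfacl's octal escapes, e.g. 'NT\\040AUTHORITY\\134system'."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str, id_to_name: Dict[str, str]) -> Set[str]:
    """Return the ACL as a set of 'tag:qualifier:perms' entries, with numeric
    qualifiers replaced by names from id_to_name (unknown numbers stay numeric)."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip the '# file:' style header
            continue
        *tags, qual, perms = line.split(":")     # e.g. default:user:3000000:rwx
        qual = unescape(qual)
        if qual.isdigit():
            qual = id_to_name.get(qual, qual)    # compare by name, not number
        entries.add(":".join(tags + [qual, perms]))
    return entries

def acl_diff(acl_a, ids_a, acl_b, ids_b) -> Tuple[list, list]:
    """Entries only in A and entries only in B, compared by resolved name."""
    a, b = parse_getfacl(acl_a, ids_a), parse_getfacl(acl_b, ids_b)
    return sorted(a - b), sorted(b - a)

# Constructed sample listings from two hypothetical DCs; the ID-to-name tables
# are assumptions standing in for what an idmap/SID lookup would return.
HOST_A = r"""# file: var/lib/samba/sysvol
user::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
other::---
"""
IDS_A = {"3000002": "NT AUTHORITY\\system", "3000003": "BUILTIN\\server operators"}

HOST_B = r"""# file: var/lib/samba/sysvol
user::rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134system:rwx
group:3000001:r-x
other::r--
"""
IDS_B = {"3000001": "BUILTIN\\server operators"}
```

With the numbers resolved, the only real difference between the two sample hosts is the `other` entry; the differing group numbers cancel out.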