[Samba] Admin UID changed with upgrade to 4.8.2

Mark Foley mfoley at ohprs.org
Fri Jun 15 16:00:28 UTC 2018


On Fri, 15 Jun 2018 12:24:21 +0200 L.P.H. van Belle wrote:
>
> Mark, 
>
>
> See below. 
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark 
> > Foley via samba
> > Sent: Thursday, 14 June 2018 22:04
> > To: samba at lists.samba.org
> >....... 
>
> I see funny things here. 
> For example, 
> > drwxrwxr-x+ 34   10001 10000 4096 2018-06-10 22:51 mark/
> > drwxrwx---+  5 3000038 10000 4096 2015-09-03 07:39 doris/
>
> The 2 things are, I see a UID from a RID backend setup and I see a UID from an AD backend.
> 10000 is the default for AD backend.
> 3000000 is the default for RID backend.
> Now this doesn't have to be wrong, I just noticed this. 

This is a long story sorted out a few years ago for me by Rowland.  The initial provision for
samba 4.1 defaulted to creating UIDs in the range 30000xx (msSFU30MaxUidNumber).  When I went
to create domain member workstations for these users, that range gave me problems.  I forget
exactly why without looking up the thread in this list.  Rowland advised me to change the range
and that info was incorporated into https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
(see block bordered in amber). 

So, I've been gradually changing users' UID/GID when I've had occasion to do something with
them such as move them to Linux domain member workstations or whatever. In this case, I
simply haven't gotten around to changing doris yet.

[deleted]

> > Nevertheless, 'ls' does give names ...
> > 
>
> > .........  
> > Funny you should mention that. I was going to post the same 
> > thing, mine is:
> > 
> > rwxrwxr--+ 3 root BUILTIN\administrators   4096 2014-09-03 
> > 00:46 sysvol/
> > 
> > I thought it strange that it would list the 300000 groupname, 
> > but for files owned by 300000 it
> > will only list the UID number, not the username. 
>
> Yes, this is what helps here and that's intended in my script. 
> Since you can't set a GID as UID in Linux, you set the UID as a number and don't use the name. 
> It works the same in the end (from the Windows point of view). 
> Linux side, it only sees the numbers and that's OK. 
>
> > 
> > > > Note the ^^^ (+) in above line, then use getfacl to see all ACLs.
> > > > If you use chmod, you might destroy your very needed
> > > > Windows ACLs.
> > > > 
> > > > And I see with getfacl
> > 
> > (sorry Rowland - I restored Louis' getfacl for comparison with mine)
> > 
> > > > # file: var/lib/samba/sysvol/internal.domain.tld
> > > > # owner: root
> > > > # group: BUILTIN\134administrators
> > > > user::rwx
> > > > user:root:rwx
> > > > user:3000000:rwx
> > > > user:3000001:r-x
> > > > user:3000002:rwx
> > > > user:3000003:r-x
> > > > group::rwx
> > > > group:BUILTIN\134administrators:rwx
> > > > group:BUILTIN\134server\040operators:r-x
> > > > group:3000002:rwx
> > > > group:3000003:r-x
> > > > mask::rwx
> > > > other::---
> > > > default:user::rwx
> > > > default:user:root:rwx
> > > > default:user:3000000:rwx
> > > > default:user:3000001:r-x
> > > > default:user:3000002:rwx
> > > > default:user:3000003:r-x
> > > > default:group::---
> > > > default:group:BUILTIN\134administrators:rwx
> > > > default:group:BUILTIN\134server\040operators:r-x
> > > > default:group:3000002:rwx
> > > > default:group:3000003:r-x
> > > > default:mask::rwx
> > > > default:other::---
> > 
> > My getfacl is:
> > 
> > $ getfacl /var/lib/samba/sysvol
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000002:rwx
> > user:3000003:rwx
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:NT\040AUTHORITY\134system:rwx
> > group:NT\040AUTHORITY\134authenticated\040users:rwx
> > mask::rwx
> > other::r--
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000002:rwx
> > default:user:3000003:rwx
> > default:group::r-x
> > default:group:BUILTIN\134administrators:rwx
> > default:group:NT\040AUTHORITY\134system:rwx
> > default:group:NT\040AUTHORITY\134authenticated\040users:rwx
> > default:mask::rwx
> > default:other::r-x
> > 
> > Differences between Louis' facl and mine:
> > 
> > I'm missing user 3000001. 
> > 
> > In group, I have:
> > 
> > group:NT\040AUTHORITY\134system:rwx
> > group:NT\040AUTHORITY\134authenticated\040users:rwx
> > 
> > and am missing Louis':
> > group:3000002:rwx
> > group:3000003:r-x
> > 
> > whereas Louis has:
> > group:BUILTIN\134server\040operators:r-x
> > 
> > For 'other' I have "other::r--" whereas Louis has "other::---"
> > 
> > For default I am again missing user 3000001 and my 3000003 is 
> > rwx rather than Louis' r-x.
> > My 'default-group' is "r-x", Louis' "---".
> > Same group difference with 'default' as mentioned above with 
> > my 040AUTHORITY and Louis'
> > 040operators.
> > My "default:other::r-x", Louis' "default:other::---"
> > 
> > Are my different settings bad?
> Yes. 
> I'll explain a bit more here. 
>
> The numbers you see are not the same for you and me; if they are, then it's pure luck. 
> That is why I made the script. 
> The script looks up all SID/UID/GID and tries to match the names with them. 
> Your 3000002 may be my 3000001 or 3000003. 
>
> So don't look too much at the UID numbers. 
>
> > 
> > > And Louis also uses 'acl_xattr:ignore system acls = yes', 
> > 
> > How do you know that? I don't see that listed in Louis' message?
> Yes, that's because Rowland and I have been here some time; we know the setup. 
> Now, yes, I use that, but if you set it with the script, it works the same. 
> The script sets the rights as they are shown from a Windows point of view, 
> but without the ignore system acls. 
>
> The main difference is in SYSTEM. 
>
> When do things go wrong with sysvol?
> 1) People use chmod.
> 2) People forget to set a correct ACL on the SYSVOL share (the SHARE ACL). 
> 3) Then they change the rights from the CLI. 
>
> The order MUST be:
> 1) Set the base rights on Linux.
> 2) Set the share rights from within Windows. 
> 3) Set the folder rights from within Windows. 
> 4) NEVER chmod again from the CLI.
>
> If that did not help, 
> then add the ignore system acls setting to the sysvol share. 
>
> Now, from the above order of how to set up:
> if you have done 1, 2, 3 and then you change 2, then you also must check 3 again. 
>
> If you add the ignore system acls setting to the sysvol share, 
> then redo steps 2 and 3. 
> And remember step 4. 

I have never manually set the permissions on these folders in linux.

I did do step 2 from the previous message where you showed me how to do share permissions. I've
just now redone step 3 according to your previous message:

Set your sysvol FOLDER permissions as follows.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM: FULL CONTROL

[stuff on securityNTACL deleted, for now ]

I've restarted Samba and I will additionally follow up on your suggestions in the "Fixing
sysvol permissions" thread and post results. 

--Mark
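The thread compares two getfacl listings of the sysvol root by eye. As an added example (not code from this thread, from Louis' script, or from Samba), here is a small Python tool that parses getfacl output and reports the entries that differ between two listings. It also flags numeric uid/gid qualifiers separately, because, as Louis points out, the 3000000-range numbers are allocated per machine by idmap and the same SID can carry a different number on another host, so they should be compared by name rather than by value. The embedded sample input is the access-ACL part of the two listings quoted above (the default:* entries are omitted for brevity; the parser handles them the same way).

```python
"""Parse two getfacl(1) listings and report how their entries differ."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: the access-ACL part of the two sysvol listings
# quoted in the thread (Louis' first, Mark's second). The default:* entries
# are left out for brevity; the parser treats them the same way.
LOUIS = r"""# file: var/lib/samba/sysvol/internal.domain.tld
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""

MARK = r"""# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000003:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:rwx
mask::rwx
other::r--
"""

_OCTAL = re.compile(r"\\([0-7]{3})")

# ACL entry key: (is_default, tag, qualifier); the permission string is the value.
Entry = Tuple[bool, str, str]


def unescape(name: str) -> str:
    """Undo getfacl's \\ooo escaping: \\134 is a backslash, \\040 a space."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> Dict[Entry, str]:
    """Map every ACL entry of one getfacl listing to its permission string."""
    acl: Dict[Entry, str] = {}
    for raw in text.splitlines():
        line = re.sub(r"\s+#effective:.*$", "", raw).strip()  # drop mask hints
        if not line or line.startswith("#"):
            continue  # '# file:', '# owner:', '# group:' header comments
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)  # names may contain ':'
        acl[(is_default, tag, unescape(qualifier))] = perms
    return acl


class AclDiff(NamedTuple):
    only_in_a: List[Entry]
    only_in_b: List[Entry]
    changed: List[Tuple[Entry, str, str]]  # (entry, perms_a, perms_b)
    numeric: List[Entry]  # unresolved uid/gid numbers: not comparable by value


def diff_acls(a: Dict[Entry, str], b: Dict[Entry, str]) -> AclDiff:
    """Compare two parsed listings. Numeric qualifiers are flagged because
    idmap-allocated ids (the 3000000 range on a DC) are assigned per machine,
    so the same SID can carry different numbers on two hosts."""
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    changed = sorted((k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k])
    numeric = sorted(k for k in a.keys() | b.keys() if k[2].isdigit())
    return AclDiff(only_a, only_b, changed, numeric)


def fmt(e: Entry) -> str:
    return ("default:" if e[0] else "") + f"{e[1]}:{e[2]}"


if __name__ == "__main__":
    d = diff_acls(parse_getfacl(LOUIS), parse_getfacl(MARK))
    for e in d.only_in_a:
        print("only in A :", fmt(e))
    for e in d.only_in_b:
        print("only in B :", fmt(e))
    for e, pa, pb in d.changed:
        print("changed   :", fmt(e), pa, "->", pb)
    print("numeric ids (compare by name, not number):", ", ".join(map(fmt, d.numeric)))
```

To use it on real hosts, capture `getfacl /var/lib/samba/sysvol` to a file on each machine and feed the two texts to `parse_getfacl`. The tool only reports; per the order Louis gives above, differences on sysvol are corrected from the Windows side (share rights, then folder rights), not with chmod on the CLI.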


