getfacl and sysvol

steve steve at steve-ss.com
Mon Aug 18 10:52:27 MDT 2014


On Mon, 2014-08-18 at 17:11 +0100, Rowland Penny wrote:
> On 18/08/14 16:13, Adam Tauno Williams wrote:
> >> OK, I wonder if somebody could explain this to me, if I run getfacl on
> >> /var/lib/samba/sysvol, I get this:
> > This is a question more appropriate for samba at lists.samba.org
> 
> Why? I considered before posting here and decided that, as this was a 
> technical question, this was the place to post.
> 
> >
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: var/lib/samba/sysvol
> >> # owner: root
> >> # group: 3000000
> >> user::rwx
> >> user:root:rwx
> >> group::rwx
> >> group:3000000:rwx
> >> group:3000001:r-x
> >> group:3000002:rwx
> >> group:3000003:r-x
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:group::---
> >> default:group:3000000:rwx
> >> default:group:3000001:r-x
> >> default:group:3000002:rwx
> >> default:group:3000003:r-x
> >> default:mask::rwx
> >> default:other::---
> >> If I examine idmap.ldb, I find that the numbers above are mapped to
> >> Windows well-known RIDs:
> >> 3000000: CN=S-1-5-32-544
> >> 3000001: CN=S-1-5-32-549
> >> 3000002: CN=S-1-5-18
> >> 3000003: CN=S-1-5-11
> >> A quick search on the internet turns up a Microsoft page that tells me
> >> what the RIDs are:
> >> CN=S-1-5-32-544  Administrators
> >> CN=S-1-5-32-549  Server Operators
> >> CN=S-1-5-18         Local System
> >> CN=S-1-5-11         Authenticated Users
> >> So we come to the questions.
> >> Why, if three of the four are groups and the other is an account, are
> >> they ALL described in idmap.ldb as ID_TYPE_BOTH ?
> >> I take it that ID_TYPE_BOTH means that the object is both a user and a
> >> group, how can something be both a user AND a group ?
> >> Finally, will it break something if I give them a gidNumber or uidNumber ?
> > I do not see why.  I am considering *trying* the same thing as `hidden`
> > identities can be confusing.
> Don't bother, you cannot give 'CN=S-1-5-18' anything because it does not 
> exist in AD. 'CN=S-1-5-18' is a foreignSecurityPrincipal and will not 
> accept either a uidNumber or gidNumber, and giving 'Administrators' a 
> gidNumber does not seem to have any effect. I gave up here ;-)
> 
> >
> > BTW, I see the same ACLs on my sysvol.  These are set I believe by the
> > sysvolreset command via samba-tool.
> >
> They may be, but seeing as I haven't run sysvolreset on sysvol, they 
> must be the standard ACLs. I wanted to try and give the groups 
> gidNumbers to stop having to copy idmap.ldb from the first DC to any 
> further DCs.
> 
> None of this explains just how an object can be both a user and a group, 
> this is confusing me, but I cannot seem to find anything that explains why.
> 
> Rowland

It is more appropriate here. The devs have discussed what to do about
the builtins before. One suggestion was to have a hard wired db with
e.g. Administrators at 3000000. That would be for all DCs. Not just the
first one.

I don't know whether this will get into 4.2, but it would be a great
help to those suffering GPO problems. Those of us who have by accident
discovered the idmap db copy-over would greatly appreciate not changing
the values produced at the moment upon installation of the first DC
in the domain. This would ease the changeover on upgrade.

Thanks,
Steve
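An added example, not from the thread or from Samba itself: it parses the getfacl output quoted above, resolves the bare numeric qualifiers through an idmap table to the well-known SIDs and names the thread lists, and then shows why the idmap.ldb copy-over matters. The first DC's table is built from the values in the thread; the second DC's table is hypothetical, standing in for a DC whose idmap.ldb was not copied and so allocated xids in a different order.

```python
import re
# Constructed sample: the access ACL from the getfacl output quoted in the thread.
SAMPLE_GETFACL = """\
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""
# Constructed idmap.ldb view (xidNumber -> SID) as quoted for the first DC.
IDMAP_DC1 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
             3000002: "S-1-5-18", 3000003: "S-1-5-11"}
# Hypothetical second DC whose idmap.ldb was not copied over: xids are allocated
# on demand, so 3000001 and 3000002 landed on different principals here.
IDMAP_DC2 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-18",
             3000002: "S-1-5-32-549", 3000003: "S-1-5-11"}
# Friendly names for the well-known SIDs listed in the thread.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
              "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}
# Named ACL entries whose qualifier is a bare number (an unresolved uid/gid).
ACL_LINE = re.compile(r"^(user|group):(\d+):([rwx-]{3})$")

def parse_numeric_entries(text):
    """Return [(tag, xid, perms)] for each numeric user:/group: entry."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in (ACL_LINE.match(line.strip()) for line in text.splitlines()) if m]

def resolve(entries, idmap):
    """Attach the SID and friendly name each xid stands for under one idmap table."""
    resolved = []
    for tag, xid, perms in entries:
        sid = idmap.get(xid)
        name = WELL_KNOWN.get(sid, "UNKNOWN SID") if sid else "UNMAPPED XID"
        resolved.append((tag, xid, perms, sid, name))
    return resolved

def xids_with_different_meaning(entries, idmap_a, idmap_b):
    """xids whose SID differs between the two tables: same bits, different principals."""
    return sorted({xid for _, xid, _ in entries if idmap_a.get(xid) != idmap_b.get(xid)})

if __name__ == "__main__":
    for row in resolve(parse_numeric_entries(SAMPLE_GETFACL), IDMAP_DC1):
        print("%s:%d:%s -> %s (%s)" % row)
```

On a real DC, feed it `getfacl /var/lib/samba/sysvol` and the xidNumber/objectSid pairs from `ldbsearch -H /var/lib/samba/private/idmap.ldb` of each DC to see which entries would grant rights to a different principal.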