Is this a bug or a feature?
Rowland Penny
repenny241155 at gmail.com
Thu Mar 9 09:54:52 UTC 2017
Hi,

If I look in idmap.ldb for the RID '512', I find this:
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-512
cn: S-1-5-21-1768301897-3342589593-1064908849-512
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-512
As you can see, the 'type' is 'ID_TYPE_BOTH'. From my understanding,
this means that RID '512' (Domain Admins) will be treated as if it is both
a user and a group.
Domain Admins does not have a gidNumber attribute.
If I add a GPO and then run getfacl on the GPO dir in sysvol, I get
this:
getfacl /usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/\{C0B1355A-6915-4396-B8B1-1F120B1316FB\}/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/{C0B1355A-6915-4396-B8B1-1F120B1316FB}/
# owner: 3000013
# group: SAMDOM\134domain\040admins
# flags: -s-
user::rwx
user:3000008:r-x
user:3000014:rwx
user:3000015:rwx
user:3000018:r-x
group::rwx
group:3000008:r-x
group:SAMDOM\134domain\040admins:rwx
group:SAMDOM\134enterprise\040admins:rwx
group:3000015:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000008:r-x
default:user:3000013:rwx
default:user:3000014:rwx
default:user:3000015:rwx
default:user:3000018:r-x
default:group::---
default:group:3000008:r-x
default:group:SAMDOM\134domain\040admins:rwx
default:group:SAMDOM\134enterprise\040admins:rwx
default:group:3000015:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---
This is who the numbers belong to (taken from idmap.ldb):
3000008: S-1-5-11 : Authenticated Users
3000013: S-1-5-21-1768301897-3342589593-1064908849-512 : Domain Admins
3000014: S-1-5-21-1768301897-3342589593-1064908849-519 : Enterprise Admins
3000015: S-1-5-18 : Local System
3000018: S-1-5-9 : Enterprise Domain Controllers
They are all 'ID_TYPE_BOTH', but whilst 'Domain Admins' and 'Enterprise
Admins' are shown as groups, they are only shown as users by number.
The OS only knows the group as a group by name, it does not know the
group as a user by name.
As per the subject, is this a bug or a feature?
Rowland
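The following is an added example, not code from the post or from the Samba project. It works through the discrepancy described above: it parses a constructed, trimmed copy of the quoted getfacl output (decoding getfacl's backslash-octal escapes such as \134 and \040), looks each qualifier up in a constructed extract of the idmap.ldb table from the post, and reports, for every ID_TYPE_BOTH mapping, whether the OS resolved it by name or only by number in the user and in the group namespace. The idmap dictionary, the sample ACL text and the function names are all assumptions made for the example; nothing is read from a real sysvol.

```python
import re
from collections import defaultdict

# Constructed sample ACL, trimmed from the getfacl output quoted in the post.
# A raw string keeps getfacl's octal escapes (\134 = '\', \040 = ' ') literal.
SAMPLE_GETFACL = r"""
# file: usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/{C0B1355A-6915-4396-B8B1-1F120B1316FB}/
# owner: 3000013
# group: SAMDOM\134domain\040admins
# flags: -s-
user::rwx
user:3000008:r-x
user:3000014:rwx
group::rwx
group:3000008:r-x
group:SAMDOM\134domain\040admins:rwx
group:SAMDOM\134enterprise\040admins:rwx
mask::rwx
other::---
default:user:3000013:rwx
default:group:SAMDOM\134domain\040admins:rwx
"""

# Constructed idmap extract: xidNumber -> (objectSid, type, display name),
# copied from the list given in the post.
IDMAP = {
    3000008: ("S-1-5-11", "ID_TYPE_BOTH", "Authenticated Users"),
    3000013: ("S-1-5-21-1768301897-3342589593-1064908849-512", "ID_TYPE_BOTH", "Domain Admins"),
    3000014: ("S-1-5-21-1768301897-3342589593-1064908849-519", "ID_TYPE_BOTH", "Enterprise Admins"),
    3000015: ("S-1-5-18", "ID_TYPE_BOTH", "Local System"),
    3000018: ("S-1-5-9", "ID_TYPE_BOTH", "Enterprise Domain Controllers"),
}

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(qualifier):
    """Undo getfacl's backslash-octal escaping of special characters."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), qualifier)

def parse_getfacl(text):
    """Yield (is_default, tag, qualifier, perms) for every named user/group entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if len(parts) != 3:
            continue  # owner/mask/other style lines we do not need
        tag, qualifier, perms = parts
        if tag in ("user", "group") and qualifier:
            yield is_default, tag, unescape(qualifier), perms

def _name_to_xid(name, idmap):
    """Map a resolved 'DOMAIN\\name' back to its xid by display name (case-insensitive)."""
    short = name.split("\\")[-1].lower()
    for xid, (_sid, _type, display) in idmap.items():
        if display.lower() == short:
            return xid
    return None

def audit(acl_text, idmap):
    """Return {xid: {...}} recording, per namespace, whether the ID appeared
    by number ('numeric') or by resolved name ('name')."""
    seen = defaultdict(lambda: {"user": set(), "group": set()})
    for _is_default, tag, qualifier, _perms in parse_getfacl(acl_text):
        if qualifier.isdigit():
            xid, how = int(qualifier), "numeric"
        else:
            xid, how = _name_to_xid(qualifier, idmap), "name"
        if xid is None:
            continue  # name not in our idmap extract
        seen[xid][tag].add(how)
    report = {}
    for xid, ns in seen.items():
        sid, typ, name = idmap.get(xid, ("?", "?", "?"))
        report[xid] = {"name": name, "sid": sid, "type": typ,
                       "user": ns["user"], "group": ns["group"]}
    return report

def both_only_resolved_as_group(report):
    """ID_TYPE_BOTH mappings that resolve by name as a group but show only numerically as a user."""
    return sorted(xid for xid, r in report.items()
                  if r["type"] == "ID_TYPE_BOTH"
                  and "name" in r["group"]
                  and r["user"] and "name" not in r["user"])

if __name__ == "__main__":
    report = audit(SAMPLE_GETFACL, IDMAP)
    for xid, r in sorted(report.items()):
        print(f"{xid} {r['name']:<20} user={sorted(r['user'])} group={sorted(r['group'])}")
    print("group by name, user only by number:", both_only_resolved_as_group(report))
```

Run against the sample, the audit lists 3000013 (Domain Admins) and 3000014 (Enterprise Admins) as resolved by name only in the group namespace, which is exactly the asymmetry the post points out; 3000008 (Authenticated Users) is numeric in both namespaces because no passwd or group entry exists for it at all. The same script can be pointed at real `getfacl` output and a real `ldbsearch` dump of idmap.ldb to audit sysvol ACLs after a GPO change.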