Daren Russell
2013-Mar-28 12:40 UTC
[Samba] Samba4: File ownership for Domain Admins members
Hi

I've just installed Samba 4.0.4 on FreeBSD to test for the moment.

Everything so far has gone very well: joining the domain, GPO's etc. However one thing that is happening which I find unusual, is the owner of files created by a user who is a member of the Domain Admins group as well as Domain Users. All files created by the user are owned by id 3000000 (which I believe S4 maps to BUILTIN/Administrators) and not the actual user. If they are then removed from the Domain Admins groups (and so left only in Domain Users) and the file created, the owner is the actual user.

I presumed a file would be owned by the user regardless of what group they were in. These file tests were carried out on each user's home directory, which was also owned by the user. The question is: is that the way it's supposed to be?

Regards
Daren
Andrew Bartlett
2013-Apr-01 22:37 UTC
[Samba] Samba4: File ownership for Domain Admins members
On Thu, 2013-03-28 at 12:40 +0000, Daren Russell wrote:
> Hi
>
> I've just installed Samba 4.0.4 on FreeBSD to test for the moment.
>
> Everything so far has gone very well: joining the domain, GPO's etc.
> However one thing that is happening which I find unusual, is the owner
> of files created by a user who is a member of the Domain Admins group as
> well as Domain Users. All files created by the user are owned by id
> 3000000 (which I believe S4 maps to BUILTIN/Administrators) and not the
> actual user. If they are then removed from the Domain Admins groups
> (and so left only in Domain Users) and the file created, the owner is
> the actual user.
>
> I presumed a file would be owned by the user regardless of what group
> they were in. These file tests were carried out on each user's home
> directory, which was also owned by the user. The question is: is that
> the way it's supposed to be?

Yes, I think it is, so that no particular domain administrator is 'special' above other domain administrators. I'm not sure of the exact semantics, or how it manages to happen, but it's not unprecedented.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org