samba - Oct 2014 - SYSTEM gid=70006 in POSIX ACLs ?

Hey all,

I decided to use the default ranges in the smb.conf of my member server, so I
changed my smb.conf and it looks like that:
=================================================[global]
        netbios name = MEMBERSRV
        workgroup = MYDOM
        security = ADS
        realm = MYDOM.EXAMPLE.COM
        encrypt passwords = yes

        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/false

        username map = /etc/samba/smbmap

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
=================================================
I am irritated at the moment because of a strange behaviour I never realized
before...

I am creating a new share on linux prompt with "mkdir -p /some/share".
The directory /some/share has mode 755 and root:root.
Now through a Windows host I connect to that member server and define following:

[Share] settings:
-------------------------------
Domain Users => Full
Domain Admins => Full
SYSTEM => Full

[Security settings:
-------------------------------
Domain Users => Read/Execute (this folder only)
Domain Admins => Full (this folder, subfolder and files)
SYSTEM => Full (this folder, subfolders and files)
Creator/Owner => Full (Subfolders and files)

and I unchecked the "inherit" box.

So far so good, when I look at the POSIX ACLs at the linux prompt of the member
server, I get following output:

root at membersrv:~$ getfacl /some/share

# file: share/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
group:domain\040users:r-x
group:70006:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---

I am confused about gid=70006. I did some tests and found out, that this is
listed in POSIX ACLs when I add "SYSTEM" to the windows security
settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that
something static inside Windows ? And why cannot my member server resolve gid
70006 then? Please anyone give me some explanation and advice. I am not sure, if
this is correct. I never realized the 70006 gid before and I am not sure if
something's wrong with the idmap stuff on my member server. I want to add,
that after I adjusted my smb.conf at memberserver I restarted samba+winbind and
I also tried to delete /var/lib/samba/winbind* and restart sama+winbind again.
It didn't change anything, 70006 is still unresolved listed.

Thanks in advance,
Mirco

On 29/10/14 21:26, ?icro MEGAS wrote:
> I am confused about gid=70006. I did some tests and found out, that this is
listed in POSIX ACLs when I add "SYSTEM" to the windows security
settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that
something static inside Windows ?
Yes.
  And why cannot my member server resolve gid 70006 then? Please anyone 
give me some explanation and advice.
It is a BUILTIN group which you have no control over.

Very few of us ever notice it's there. There's nothing you can do. If 
you're having problems with it, the best way is to just remove the 
system acl and work around it some other way.

On 29/10/14 20:26, ?icro MEGAS wrote:
> Hey all,
>
> I decided to use the default ranges in the smb.conf of my member server, so
I changed my smb.conf and it looks like that:
> =================================================> [global]
>          netbios name = MEMBERSRV
>          workgroup = MYDOM
>          security = ADS
>          realm = MYDOM.EXAMPLE.COM
>          encrypt passwords = yes
>
>          idmap config MYDOM:backend = ad
>          idmap config MYDOM:schema_mode = rfc2307
>          idmap config MYDOM:range = 500-40000
>
>          idmap config *:backend = tdb
>          idmap config *:range = 70001-80000
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          template shell = /bin/false
>
>          username map = /etc/samba/smbmap
>
>          vfs objects = acl_xattr
>          map acl inherit = Yes
>          store dos attributes = Yes
> =================================================>
> I am irritated at the moment because of a strange behaviour I never
realized before...
>
> I am creating a new share on linux prompt with "mkdir -p
/some/share". The directory /some/share has mode 755 and root:root.
> Now through a Windows host I connect to that member server and define
following:
>
> [Share] settings:
> -------------------------------
> Domain Users => Full
> Domain Admins => Full
> SYSTEM => Full
>
> [Security settings:
> -------------------------------
> Domain Users => Read/Execute (this folder only)
> Domain Admins => Full (this folder, subfolder and files)
> SYSTEM => Full (this folder, subfolders and files)
> Creator/Owner => Full (Subfolders and files)
>
> and I unchecked the "inherit" box.
>
> So far so good, when I look at the POSIX ACLs at the linux prompt of the
member server, I get following output:
>
> root at membersrv:~$ getfacl /some/share
>
> # file: share/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040admins:rwx
> group:domain\040users:r-x
> group:70006:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040admins:rwx
> default:group:70006:rwx
> default:mask::rwx
> default:other::---
>
> I am confused about gid=70006. I did some tests and found out, that this is
listed in POSIX ACLs when I add "SYSTEM" to the windows security
settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that
something static inside Windows ? And why cannot my member server resolve gid
70006 then? Please anyone give me some explanation and advice. I am not sure, if
this is correct. I never realized the 70006 gid before and I am not sure if
something's wrong with the idmap stuff on my member server. I want to add,
that after I adjusted my smb.conf at memberserver I restarted samba+winbind and
I also tried to delete /var/lib/samba/winbind* and restart sama+winbind again.
It didn't change anything, 70006 is still unresolved listed.
>
> Thanks in advance,
> Mirco
Hi, as Steve said, there is not much you can do about it and there is 
nothing to worry about. You are getting this number because you have 
this in smb.conf:

idmap config *:backend = tdb
idmap config *:range = 70001-80000

'*' is the BUILTIN windows users & groups and what the above means
is:

Store the builtin users & groups in a .tdb file using the range 
70001-80000, starting at 70001, so now can you see where 70006 comes 
from ? and why getent doesn't map it to a name?

Rowland