Hey all,

I decided to use the default ranges in the smb.conf of my member server, so I changed my smb.conf and it looks like this:

=================================================
[global]
netbios name = MEMBERSRV
workgroup = MYDOM
security = ADS
realm = MYDOM.EXAMPLE.COM
encrypt passwords = yes

idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-40000

idmap config *:backend = tdb
idmap config *:range = 70001-80000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/false

username map = /etc/samba/smbmap

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
=================================================

I am irritated at the moment because of a strange behaviour I never realized before...

I am creating a new share on the linux prompt with "mkdir -p /some/share". The directory /some/share has mode 755 and root:root.
Now through a Windows host I connect to that member server and define the following:

[Share] settings:
-------------------------------
Domain Users => Full
Domain Admins => Full
SYSTEM => Full

[Security] settings:
-------------------------------
Domain Users => Read/Execute (this folder only)
Domain Admins => Full (this folder, subfolders and files)
SYSTEM => Full (this folder, subfolders and files)
Creator/Owner => Full (subfolders and files)

and I unchecked the "inherit" box.

So far so good. When I look at the POSIX ACLs at the linux prompt of the member server, I get the following output:

root@membersrv:~$ getfacl /some/share

# file: share/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
group:domain\040users:r-x
group:70006:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:group:70006:rwx
default:mask::rwx
default:other::---

I am confused about gid=70006. I did some tests and found out that this is listed in the POSIX ACLs when I add "SYSTEM" to the Windows security settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that something static inside Windows? And why can't my member server resolve gid 70006 then? Please, anyone, give me some explanation and advice. I am not sure if this is correct. I never noticed the 70006 gid before and I am not sure if something's wrong with the idmap stuff on my member server. I want to add that after I adjusted my smb.conf on the member server I restarted samba+winbind, and I also tried to delete /var/lib/samba/winbind* and restart samba+winbind again. It didn't change anything; 70006 is still listed unresolved.

Thanks in advance,
Mirco
On 29/10/14 21:26, ?icro MEGAS wrote:
> I am confused about gid=70006. I did some tests and found out that this is listed in the POSIX ACLs when I add "SYSTEM" to the Windows security settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that something static inside Windows?

Yes.

> And why can't my member server resolve gid 70006 then? Please, anyone, give me some explanation and advice.

It is a BUILTIN group which you have no control over. Very few of us ever notice it's there. There's nothing you can do. If you're having problems with it, the best way is to just remove the SYSTEM ACL and work around it some other way.
On 29/10/14 20:26, ?icro MEGAS wrote:
> Hey all,
>
> I decided to use the default ranges in the smb.conf of my member server, so I changed my smb.conf and it looks like this:
>
> =================================================
> [global]
> netbios name = MEMBERSRV
> workgroup = MYDOM
> security = ADS
> realm = MYDOM.EXAMPLE.COM
> encrypt passwords = yes
>
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 500-40000
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/false
>
> username map = /etc/samba/smbmap
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> =================================================
>
> I am irritated at the moment because of a strange behaviour I never realized before...
>
> I am creating a new share on the linux prompt with "mkdir -p /some/share". The directory /some/share has mode 755 and root:root.
> Now through a Windows host I connect to that member server and define the following:
>
> [Share] settings:
> -------------------------------
> Domain Users => Full
> Domain Admins => Full
> SYSTEM => Full
>
> [Security] settings:
> -------------------------------
> Domain Users => Read/Execute (this folder only)
> Domain Admins => Full (this folder, subfolders and files)
> SYSTEM => Full (this folder, subfolders and files)
> Creator/Owner => Full (subfolders and files)
>
> and I unchecked the "inherit" box.
>
> So far so good. When I look at the POSIX ACLs at the linux prompt of the member server, I get the following output:
>
> root@membersrv:~$ getfacl /some/share
>
> # file: share/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040admins:rwx
> group:domain\040users:r-x
> group:70006:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040admins:rwx
> default:group:70006:rwx
> default:mask::rwx
> default:other::---
>
> I am confused about gid=70006. I did some tests and found out that this is listed in the POSIX ACLs when I add "SYSTEM" to the Windows security settings. So SYSTEM seems to carry this strange gid 70006. But why? Is that something static inside Windows? And why can't my member server resolve gid 70006 then? Please, anyone, give me some explanation and advice. I am not sure if this is correct. I never noticed the 70006 gid before and I am not sure if something's wrong with the idmap stuff on my member server. I want to add that after I adjusted my smb.conf on the member server I restarted samba+winbind, and I also tried to delete /var/lib/samba/winbind* and restart samba+winbind again. It didn't change anything; 70006 is still listed unresolved.
>
> Thanks in advance,
> Mirco

Hi, as Steve said, there is not much you can do about it and there is nothing to worry about.

You are getting this number because you have this in smb.conf:

idmap config *:backend = tdb
idmap config *:range = 70001-80000

'*' is the BUILTIN Windows users & groups, and what the above means is: store the builtin users & groups in a .tdb file using the range 70001-80000, starting at 70001. So now can you see where 70006 comes from, and why getent doesn't map it to a name?

Rowland
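The following is an added example and is not part of this thread or of Samba itself. It turns Rowland's explanation into a check a member-server admin can run: it pulls the bare-numeric user/group entries out of getfacl output (the ones NSS could not turn into a name) and looks up which "idmap config DOMAIN:range" in smb.conf covers each number, so an unresolved 70006 is reported as coming from the "*" (tdb) default range rather than from the AD-backed MYDOM range. The sample ACL and smb.conf excerpt are constructed from the thread's own text; the optional wbinfo lookup is only attempted if the tool is installed.

```sh
#!/bin/sh
# Added example (not from the thread): find numeric, unresolved user/group
# entries in getfacl output and say which idmap range in smb.conf they fall in.
# Sample inputs below are constructed from the thread's own getfacl output and
# idmap settings; on a real member server feed in live getfacl / smb.conf text.

SAMPLE_ACL='# file: share/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
group:domain\040users:r-x
group:70006:rwx
mask::rwx
other::---
default:group:70006:rwx
default:mask::rwx
default:other::---'

SAMPLE_SMBCONF='idmap config MYDOM:backend = ad
idmap config MYDOM:range = 500-40000
idmap config *:backend = tdb
idmap config *:range = 70001-80000'

# unresolved_ids <getfacl text>: print "user|group <id>" for every ACL entry
# whose qualifier is a bare number, i.e. one NSS could not turn into a name.
unresolved_ids() {
  printf '%s\n' "$1" | awk -F: '
    /^#/ { next }
    {
      kind = $1; id = $2
      if (kind == "default") { kind = $2; id = $3 }
      if ((kind == "user" || kind == "group") && id ~ /^[0-9]+$/) print kind, id
    }' | sort -u
}

# idmap_domain_for_id <id> <smb.conf text>: print the idmap domain whose
# "idmap config DOMAIN:range" contains <id> ("*" is the default/BUILTIN
# backend), or "none" if no configured range covers it.
idmap_domain_for_id() {
  printf '%s\n' "$2" | awk -v id="$1" '
    /^[[:space:]]*idmap config .*:range[[:space:]]*=/ {
      dom = $0; sub(/^[[:space:]]*idmap config /, "", dom); sub(/:range.*/, "", dom)
      range = $0; sub(/.*=[[:space:]]*/, "", range); sub(/[[:space:]]+$/, "", range)
      split(range, r, "-")
      if (id + 0 >= r[1] + 0 && id + 0 <= r[2] + 0) { print dom; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# idmap_backend <domain> <smb.conf text>: print the backend configured for
# that idmap domain (ad, tdb, rid, ...), or nothing if it is not set.
idmap_backend() {
  printf '%s\n' "$2" | awk -v dom="$1" -F= '
    {
      key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
      if (key == "idmap config " dom ":backend") {
        val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
        print val; exit
      }
    }'
}

# report_unresolved <getfacl text> <smb.conf text>: one line per unresolved id,
# naming the idmap domain and backend that allocated it.
report_unresolved() {
  unresolved_ids "$1" | while read -r kind id; do
    dom=$(idmap_domain_for_id "$id" "$2")
    backend=$(idmap_backend "$dom" "$2")
    printf '%s %s -> idmap domain %s (backend %s)\n' "$kind" "$id" "$dom" "${backend:-unknown}"
  done
}

# live_sid_for_gid <gid>: optional on-box check; wbinfo --gid-to-sid shows the
# SID behind an allocated gid (S-1-5-18 is the well-known SID for SYSTEM).
live_sid_for_gid() {
  if command -v wbinfo >/dev/null 2>&1; then
    wbinfo --gid-to-sid="$1" || true
  else
    echo "wbinfo not available on this host"
  fi
}

report_unresolved "$SAMPLE_ACL" "$SAMPLE_SMBCONF"
```

On a live member server replace the two sample strings with `getfacl /some/share` and the relevant lines of smb.conf; an id that lands in the "*" range is a locally allocated tdb mapping for a well-known or BUILTIN SID, which is why it is stable on that box but has no name in getent and would get a different number on another member server.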