On 27/02/15 11:29, John wrote:> I am trying to understand the difference between files created on a
> Samba share via Windows and directly the server's file system.
>
>
Some further information that led to my question that might be of interest.
While investigating various things over the past day or so, I noticed
that files created on Windows by the administrator (logged in as
mydomain\administrator) are owned by the "administrators" group and
not
the administrator user.
I discovered that Windows by default assigns the owner of files created
by members of the administrators group to the group rather than the user.
(aparently this behaviour can be changed via "gpedit.msc" under
"Computer Configuration->Windows Setting->Security Settings->Local
Policies->Security Options" - the option is called "System objects:
Default owner for objects created by members of the Administrators
group" - but it's missing on my Win7 test box).
There is no equivalent to this behaviour on *nix. Owner assignment in
Windows uses a SID and both users and groups are represented as SIDs, so
it works there. On the *nix side, the file is assigned a UID set to the
value of the SID's xidNumber as set in idmap.ldb.
Such files on the Samba server get a UID of 3000000, being the xidNumber
assigned in idmap.ldb to CN=S-1-5-32-544 which is the SID of the
built-in "Administrators" group (as per
http://support.microsoft.com/kb/243330/en). There is no corresponding
user with uid 3000000 on the server (neither /etc/passwd or winbind
provide one) so server-side directory listings show the numeric id.
Files owned by "root" (uid 0), such as those created directly on the
server, are displayed in Windows as being owned by
"MYDOMAIN/Administrator" because the SID in idmap.ldb with xidNumber=0
is for the domain administrator account.
I was thinking about how to make group-owned files appear nicely on the
server. I saw two options
* change the uid assigned to the "Administrators" group to 0
* add an "administrators" passwd entry on the server for uid 3000000
It was while trying out the first approach that I noticed differences
between files created on a Windows client and on the Samba server. I
naturally expected that, because there is no way map from one uid to two
SIDs, Windows would show all files owned by "root" with the same
owner.
But it doesn't: it can distinguish them and shows those created on the
server as having either an owner of "S-1-22-1-0" and those created on
Windows being owned by the "Administrators" group.
I tried to match the ACLs. I did this to the server-created file:
$ setfacl -m
"user::rwx,group::r-x,group:root:rwx,group:users:r-x,mask::rwx,other::r-x"
a.txt
but it made no difference. I then tried copying the attributes:
$ cp --attributes-only --preserve=xattr b.txt a.txt
which changed the ownership of the file on Windows to be the
"Administrators" group.
Then I noticed, with "stat" that the files had different sizes (server
created was 0 blocks/0 bytes and windows created was 8 blocks/0 bytes).
The "setfacl" did not alter the block size but the "cp" did.
So, I deduce there is something in those 8 blocks that allows Windows to
tell those files apart. I don't know if there's more to ACL than what
"getfacl" displays - I couldn't find anything when I looked for
it.
So, hence my question. Little things like these get into my head and I
like to understand what's going on. I don't know if this is interesting
to anyone else but I'd like to understand it if anyone can explain...