Alex Sviridov
2015-Nov-16 10:11 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
I use Samba 4.1 as a DC with ACLs. I have a user with uid 3000023. However, I don't have a group with guid 3000023. However, when this user creates a folder, Samba creates permissions for group 3000023 in the ACL list, and as a result I have a broken link. How do I fix it?

--
Alex Sviridov
Rowland Penny
2015-Nov-16 11:14 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
On 16/11/15 10:11, Alex Sviridov wrote:
> I use Samba 4.1 as a DC with ACLs. I have a user with uid 3000023. However, I don't have a group with guid 3000023. However, when this user creates a folder, Samba creates permissions for group 3000023 in the ACL list, and as a result I have a broken link. How do I fix it?
>

Hi, allow me to introduce you to the concept of a user being also a group and vice versa. If you examine idmap.ldb:

ldbedit -e nano -H /usr/local/samba/private/idmap.ldb

You will find lines like this:

type: ID_TYPE_BOTH

This means that your user can be both a user and a group.

It has to be like this so that the 'Administrators' group can own directories and files in sysvol.

Rowland
Rowland Penny
2015-Nov-16 12:14 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
On 16/11/15 11:58, Alex Sviridov wrote:
> Thank you very much for your help. So, do I understand right that I
> should not change such behaviour?
> I mean, if I change it, will Samba stop working well?
>

Back on list:

Well, it depends on just who '3000023' really is. If it is one of the well-known Windows SIDs, I would leave it alone. If it is a normal user that you have added to AD, you have a couple of options: if your users are just going to get authentication from the DC, then you don't need to do anything. If your users are going to log into the DC or another Unix machine, I would give them a unique uidNumber; this will replace the xidNumber they are using now (note that you will need to remove the user's 'object' from idmap.ldb).

I would also, if possible, upgrade to a newer Samba version.

Rowland
Michael Adam
2015-Nov-16 12:53 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
On 2015-11-16 at 11:14 +0000, Rowland Penny wrote:
> On 16/11/15 10:11, Alex Sviridov wrote:
> > I use Samba 4.1 as a DC with ACLs. I have a user with uid 3000023. However, I don't have a group with guid 3000023. However, when this user creates a folder, Samba creates permissions for group 3000023 in the ACL list, and as a result I have a broken link. How do I fix it?
> >
>
> Hi, allow me to introduce you to the concept of a user being also a group
> and vice versa. If you examine idmap.ldb:
>
> ldbedit -e nano -H /usr/local/samba/private/idmap.ldb
>
> You will find lines like this:
>
> type: ID_TYPE_BOTH
>
> This means that your user can be both a user and a group.
>
> It has to be like this so that the 'Administrators' group can own
> directories and files in sysvol.

Very true. This can't be over-emphasized, since it seems to puzzle people: This is by design.

And regarding non-existence of that group: If you do the supported thing, namely put winbind into /etc/nsswitch.conf, then this group exists. :-)

Cheers - Michael
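
The two checks discussed in this thread (the idmap.ldb `type` of an ID, and whether winbind is listed in nsswitch.conf), as an added example that is not part of the thread or of Samba's code. The function names are hypothetical, the sample records and nsswitch.conf are constructed, and the LDIF record layout is an assumption.

```python
# Constructed sample input (not from the thread): LDIF-style idmap.ldb
# records and an nsswitch.conf without winbind. Record layout is an assumption.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000023

dn: CN=S-1-5-21-1111-2222-3333-513
cn: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 100
"""
SAMPLE_NSSWITCH = "passwd: compat\ngroup: compat  # no winbind\nhosts: files dns\n"
# POSIX id kinds each idmap type may be used as in an ACL.
KINDS = {"ID_TYPE_UID": {"user"}, "ID_TYPE_GID": {"group"},
         "ID_TYPE_BOTH": {"user", "group"}}

def parse_ldif(text):
    """Split an LDIF dump into one dict per record (single-valued attributes)."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def winbind_databases(nsswitch_text):
    """Return which of the passwd/group databases list winbind as a source."""
    found = set()
    for line in nsswitch_text.splitlines():
        db, _, sources = line.split("#", 1)[0].partition(":")
        if db.strip() in ("passwd", "group") and "winbind" in sources.split():
            found.add(db.strip())
    return found

def explain_gid(gid, ldif_text, nsswitch_text):
    """Explain a numeric group id seen in an ACL entry."""
    for rec in parse_ldif(ldif_text):
        if rec.get("xidNumber") == str(gid):
            return {"sid": rec.get("cn"), "type": rec.get("type"),
                    "valid_as_group": "group" in KINDS.get(rec.get("type"), ()),
                    "resolvable": "group" in winbind_databases(nsswitch_text)}
    return None
```

With the sample data, `explain_gid(3000023, SAMPLE_LDIF, SAMPLE_NSSWITCH)` reports an ID that is valid as a group but has no name through NSS, which is the situation described in the first message.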