samba - Feb 2016 - Can one set the owner of a folder to BUILTIN\Administrators?

I've recently attempted to migrate some windows server files over to
samba 4 hosted on a FreeNAS server.

Using robocopy with the /copyall switch, I expected everything,
including ACL's and ownership information to transfer over.  For the
most part they have.  The one problem I've ran into however, is that I'm
getting errors any time I or robocopy attempt to change the ownership to
BUILTIN\Administrators.

I've brought this up with the FreeNAS community, but so far it's unclear
if this is by design, there is a configuration issue somewhere, or
there's a bug. 
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384

When I attempt to change ownership to Builtin\Administrators, I get an
error that I don't have the Restore Privilege required, or if I have
inheritance enabled when changing ownership, "This security ID may not
be assigned as the owner of this object."

As mentioned in that thread I linked to (lots more details there), I
verified that I do have the Restore Privilege right.  I also verified
that I can assign any other owner successfully -- it's just
Builtin\Administrators that's giving me trouble.

After turning up the logging in the samba configuration file and
restarting the service, this was the output when I attempted to change
ownership:


[2016/02/16 15:33:02.077685,  3]
../source3/smbd/vfs.c:1137(check_reduced_name)
  check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
[2016/02/16 15:33:02.077890,  3]
../source3/smbd/vfs.c:1267(check_reduced_name)
  check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
[2016/02/16 15:33:02.078111,  3] ../source3/smbd/dosmode.c:163(unix_mode)
  unix_mode(CoreLib) returning 0666
[2016/02/16 15:33:02.080039,  3]
../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
[2016/02/16 15:33:04.251911,  3] ../source3/smbd/service.c:1130(close_cnum)
  192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to service IPC$

Googling for "unable to validate owner sid for S-1-5-32-544" brings up
a
thread a decade old: 
https://lists.samba.org/archive/samba-technical/2006-October/050007.html

There was some discussion about sid/gid conflicts and ACLs with some
futher discussion about fixing it.   Since there's so little found when
Googling, I have to believe that this has been fixed since I would
expect there to be a lot more complaints from people like myself who are
migrating files from windows to samba.

Any feedback is welcome, even if the advice is to change ownership to
something other than builtin\Administrators because that's broken.  :)

On 17/02/16 00:03, Ian wrote:
> I've recently attempted to migrate some windows server files over to
> samba 4 hosted on a FreeNAS server.
>
> Using robocopy with the /copyall switch, I expected everything,
> including ACL's and ownership information to transfer over.  For the
> most part they have.  The one problem I've ran into however, is that
I'm
> getting errors any time I or robocopy attempt to change the ownership to
> BUILTIN\Administrators.
>
> I've brought this up with the FreeNAS community, but so far it's
unclear
> if this is by design, there is a configuration issue somewhere, or
> there's a bug.
>
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>
> When I attempt to change ownership to Builtin\Administrators, I get an
> error that I don't have the Restore Privilege required, or if I have
> inheritance enabled when changing ownership, "This security ID may not
> be assigned as the owner of this object."
>
> As mentioned in that thread I linked to (lots more details there), I
> verified that I do have the Restore Privilege right.  I also verified
> that I can assign any other owner successfully -- it's just
> Builtin\Administrators that's giving me trouble.
>
> After turning up the logging in the samba configuration file and
> restarting the service, this was the output when I attempted to change
> ownership:
>
>
> [2016/02/16 15:33:02.077685,  3]
> ../source3/smbd/vfs.c:1137(check_reduced_name)
>    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
> [2016/02/16 15:33:02.077890,  3]
> ../source3/smbd/vfs.c:1267(check_reduced_name)
>    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
> [2016/02/16 15:33:02.078111,  3] ../source3/smbd/dosmode.c:163(unix_mode)
>    unix_mode(CoreLib) returning 0666
> [2016/02/16 15:33:02.080039,  3]
> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
> [2016/02/16 15:33:04.251911,  3] ../source3/smbd/service.c:1130(close_cnum)
>    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to service
IPC$
>
> Googling for "unable to validate owner sid for S-1-5-32-544"
brings up a
> thread a decade old:
> https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>
> There was some discussion about sid/gid conflicts and ACLs with some
> futher discussion about fixing it.   Since there's so little found when
> Googling, I have to believe that this has been fixed since I would
> expect there to be a lot more complaints from people like myself who are
> migrating files from windows to samba.
>
> Any feedback is welcome, even if the advice is to change ownership to
> something other than builtin\Administrators because that's broken.  :)
>
Does 'getent group BUILTIN\\Administrators'  give any result ?
If smb.conf is setup correctly, you should get something like:

BUILTIN\administrators:x:2001:

If you do not get anything, then you need to change smb.conf, in which 
case, can you post your smb.conf.

Rowland

Rowland, 
If this is a DC.. and like me with config :   
     idmap config * : range = 2000-9999 

getent group BUILTIN\\Administrators
BUILTIN\Administrators:*:3000000: 


Looks like about the same problem. 

Greetz 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
> Verzonden: woensdag 17 februari 2016 14:00
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Can one set the owner of a folder to
> BUILTIN\Administrators?
> 
> On 17/02/16 00:03, Ian wrote:
> > I've recently attempted to migrate some windows server files over
to
> > samba 4 hosted on a FreeNAS server.
> >
> > Using robocopy with the /copyall switch, I expected everything,
> > including ACL's and ownership information to transfer over.  For
the
> > most part they have.  The one problem I've ran into however, is
that I'm
> > getting errors any time I or robocopy attempt to change the ownership
to
> > BUILTIN\Administrators.
> >
> > I've brought this up with the FreeNAS community, but so far
it's unclear
> > if this is by design, there is a configuration issue somewhere, or
> > there's a bug.
> >
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-
> data-from-windows-to-freenas.41478/#post-265384
> >
> > When I attempt to change ownership to Builtin\Administrators, I get an
> > error that I don't have the Restore Privilege required, or if I
have
> > inheritance enabled when changing ownership, "This security ID
may not
> > be assigned as the owner of this object."
> >
> > As mentioned in that thread I linked to (lots more details there), I
> > verified that I do have the Restore Privilege right.  I also verified
> > that I can assign any other owner successfully -- it's just
> > Builtin\Administrators that's giving me trouble.
> >
> > After turning up the logging in the samba configuration file and
> > restarting the service, this was the output when I attempted to change
> > ownership:
> >
> >
> > [2016/02/16 15:33:02.077685,  3]
> > ../source3/smbd/vfs.c:1137(check_reduced_name)
> >    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
> > [2016/02/16 15:33:02.077890,  3]
> > ../source3/smbd/vfs.c:1267(check_reduced_name)
> >    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
> > [2016/02/16 15:33:02.078111,  3]
> ../source3/smbd/dosmode.c:163(unix_mode)
> >    unix_mode(CoreLib) returning 0666
> > [2016/02/16 15:33:02.080039,  3]
> > ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
> >    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
> > [2016/02/16 15:33:04.251911,  3]
> ../source3/smbd/service.c:1130(close_cnum)
> >    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
service
> IPC$
> >
> > Googling for "unable to validate owner sid for S-1-5-32-544"
brings up a
> > thread a decade old:
> >
https://lists.samba.org/archive/samba-technical/2006-October/050007.html
> >
> > There was some discussion about sid/gid conflicts and ACLs with some
> > futher discussion about fixing it.   Since there's so little found
when
> > Googling, I have to believe that this has been fixed since I would
> > expect there to be a lot more complaints from people like myself who
are
> > migrating files from windows to samba.
> >
> > Any feedback is welcome, even if the advice is to change ownership to
> > something other than builtin\Administrators because that's broken.
:)
> >
> 
> Does 'getent group BUILTIN\\Administrators'  give any result ?
> If smb.conf is setup correctly, you should get something like:
> 
> BUILTIN\administrators:x:2001:
> 
> If you do not get anything, then you need to change smb.conf, in which
> case, can you post your smb.conf.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 17/02/16 13:14, L.P.H. van Belle wrote:
> Rowland,
> If this is a DC.. and like me with config :
>       idmap config * : range = 2000-9999
>
> getent group BUILTIN\\Administrators
> BUILTIN\Administrators:*:3000000:
>
>
> Looks like about the same problem.
>
> Greetz
>
> Louis
>
That is what I get on a DC, but what you have to understand is, idmap on 
a DC works differently from a domain member.

A domain member asks winbind for 'BUILTIN\Administrators' ID, this is 
obtained from AD, assigned a local ID and stored in a .tdb file, the 
number that is assigned is based on the low range in 'idmap config *:'

A DC is slightly different, IDs are stored in idmap.ldb and are based on 
a range that starts at 3000000.

As far as I am aware, the idmap lines that you use on DC have no affect, 
I know that 'windbind use default domain' did work on a 4.2.x DC, but I 
think this was the only one of your lines that did. I will have to check 
my test DC to find out.

Rowland

On 2/17/2016 5:00 AM, Rowland penny wrote:
> On 17/02/16 00:03, Ian wrote:
>> I've recently attempted to migrate some windows server files over
to
>> samba 4 hosted on a FreeNAS server.
>>
>> Using robocopy with the /copyall switch, I expected everything,
>> including ACL's and ownership information to transfer over.  For
the
>> most part they have.  The one problem I've ran into however, is
that I'm
>> getting errors any time I or robocopy attempt to change the ownership
to
>> BUILTIN\Administrators.
>>
>> I've brought this up with the FreeNAS community, but so far
it's unclear
>> if this is by design, there is a configuration issue somewhere, or
>> there's a bug.
>>
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>
>>
>> When I attempt to change ownership to Builtin\Administrators, I get an
>> error that I don't have the Restore Privilege required, or if I
have
>> inheritance enabled when changing ownership, "This security ID may
not
>> be assigned as the owner of this object."
>>
>> As mentioned in that thread I linked to (lots more details there), I
>> verified that I do have the Restore Privilege right.  I also verified
>> that I can assign any other owner successfully -- it's just
>> Builtin\Administrators that's giving me trouble.
>>
>> After turning up the logging in the samba configuration file and
>> restarting the service, this was the output when I attempted to change
>> ownership:
>>
>>
>> [2016/02/16 15:33:02.077685,  3]
>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>> [2016/02/16 15:33:02.077890,  3]
>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>> [2016/02/16 15:33:02.078111,  3]
>> ../source3/smbd/dosmode.c:163(unix_mode)
>>    unix_mode(CoreLib) returning 0666
>> [2016/02/16 15:33:02.080039,  3]
>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>> [2016/02/16 15:33:04.251911,  3]
>> ../source3/smbd/service.c:1130(close_cnum)
>>    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>> service IPC$
>>
>> Googling for "unable to validate owner sid for S-1-5-32-544"
brings up a
>> thread a decade old:
>>
https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>
>> There was some discussion about sid/gid conflicts and ACLs with some
>> futher discussion about fixing it.   Since there's so little found
when
>> Googling, I have to believe that this has been fixed since I would
>> expect there to be a lot more complaints from people like myself who
are
>> migrating files from windows to samba.
>>
>> Any feedback is welcome, even if the advice is to change ownership to
>> something other than builtin\Administrators because that's broken. 
:)
>>
>
> Does 'getent group BUILTIN\\Administrators'  give any result ?
> If smb.conf is setup correctly, you should get something like:
>
> BUILTIN\administrators:x:2001:
>
> If you do not get anything, then you need to change smb.conf, in which
> case, can you post your smb.conf.
>
> Rowland
>
>
Rowland,

'getent group BUILTIN\Administrators' returns nothing.  Yes, this is a
domain member, not AD.

My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
FreeNAS-9.3-STABLE-201602031011.  I believe the gui is the only
recommended way to alter it ( think any hand editing gets wiped at
reboot?). The only changes I've made through the GUI is to disable
oplocks for one of the shares [applied]. The share I've been testing
from however is [deploy].

If it helps, 'net groupmap list verbose' returns this:

Administrators
        SID       : S-1-5-32-544
        Unix gid  : 90000001
        Unix group: BUILTIN\administrators
        Group type: Local Group
        Comment   :
Users
        SID       : S-1-5-32-545
        Unix gid  : 90000002
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment   :

Here's the smb4.conf file contents:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942185
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = FREENAS
    workgroup = MMIA
    realm = INTRANET.MITCHELLANDMITCHELL.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config MMIA: backend = rid
    idmap config MMIA: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1


[applied]
    path = /mnt/trunk/MM/applied
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/


[deploy]
    path = /mnt/trunk/MM/deploy
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[eim]
    path = /mnt/trunk/MM/applied/EIM
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[home]
    path = /mnt/trunk/MM/home
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[profiles]
    path = /mnt/trunk/MM/profiles
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[shared]
    path = /mnt/trunk/MM/shared
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


Appreciate any insight.  Note that this server is not "live" yet, so
I'm
game to experiment with any ideas you may have.