samba - Feb 2016 - Can one set the owner of a folder to BUILTIN\Administrators?

On 2/17/2016 5:00 AM, Rowland penny wrote:
> On 17/02/16 00:03, Ian wrote:
>> I've recently attempted to migrate some windows server files over
to
>> samba 4 hosted on a FreeNAS server.
>>
>> Using robocopy with the /copyall switch, I expected everything,
>> including ACL's and ownership information to transfer over.  For
the
>> most part they have.  The one problem I've ran into however, is
that I'm
>> getting errors any time I or robocopy attempt to change the ownership
to
>> BUILTIN\Administrators.
>>
>> I've brought this up with the FreeNAS community, but so far
it's unclear
>> if this is by design, there is a configuration issue somewhere, or
>> there's a bug.
>>
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>
>>
>> When I attempt to change ownership to Builtin\Administrators, I get an
>> error that I don't have the Restore Privilege required, or if I
have
>> inheritance enabled when changing ownership, "This security ID may
not
>> be assigned as the owner of this object."
>>
>> As mentioned in that thread I linked to (lots more details there), I
>> verified that I do have the Restore Privilege right.  I also verified
>> that I can assign any other owner successfully -- it's just
>> Builtin\Administrators that's giving me trouble.
>>
>> After turning up the logging in the samba configuration file and
>> restarting the service, this was the output when I attempted to change
>> ownership:
>>
>>
>> [2016/02/16 15:33:02.077685,  3]
>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>    check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>> [2016/02/16 15:33:02.077890,  3]
>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>    check_reduced_name: CoreLib reduced to /mnt/trunk/MM/deploy/CoreLib
>> [2016/02/16 15:33:02.078111,  3]
>> ../source3/smbd/dosmode.c:163(unix_mode)
>>    unix_mode(CoreLib) returning 0666
>> [2016/02/16 15:33:02.080039,  3]
>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>    unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>> [2016/02/16 15:33:04.251911,  3]
>> ../source3/smbd/service.c:1130(close_cnum)
>>    192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>> service IPC$
>>
>> Googling for "unable to validate owner sid for S-1-5-32-544"
brings up a
>> thread a decade old:
>>
https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>
>> There was some discussion about sid/gid conflicts and ACLs with some
>> futher discussion about fixing it.   Since there's so little found
when
>> Googling, I have to believe that this has been fixed since I would
>> expect there to be a lot more complaints from people like myself who
are
>> migrating files from windows to samba.
>>
>> Any feedback is welcome, even if the advice is to change ownership to
>> something other than builtin\Administrators because that's broken. 
:)
>>
>
> Does 'getent group BUILTIN\\Administrators'  give any result ?
> If smb.conf is setup correctly, you should get something like:
>
> BUILTIN\administrators:x:2001:
>
> If you do not get anything, then you need to change smb.conf, in which
> case, can you post your smb.conf.
>
> Rowland
>
>
Rowland,

'getent group BUILTIN\Administrators' returns nothing.  Yes, this is a
domain member, not AD.

My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
FreeNAS-9.3-STABLE-201602031011.  I believe the gui is the only
recommended way to alter it ( think any hand editing gets wiped at
reboot?). The only changes I've made through the GUI is to disable
oplocks for one of the shares [applied]. The share I've been testing
from however is [deploy].

If it helps, 'net groupmap list verbose' returns this:

Administrators
        SID       : S-1-5-32-544
        Unix gid  : 90000001
        Unix group: BUILTIN\administrators
        Group type: Local Group
        Comment   :
Users
        SID       : S-1-5-32-545
        Unix gid  : 90000002
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment   :

Here's the smb4.conf file contents:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942185
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = FREENAS
    workgroup = MMIA
    realm = INTRANET.MITCHELLANDMITCHELL.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config MMIA: backend = rid
    idmap config MMIA: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1


[applied]
    path = /mnt/trunk/MM/applied
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/


[deploy]
    path = /mnt/trunk/MM/deploy
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[eim]
    path = /mnt/trunk/MM/applied/EIM
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[home]
    path = /mnt/trunk/MM/home
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[profiles]
    path = /mnt/trunk/MM/profiles
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[shared]
    path = /mnt/trunk/MM/shared
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


Appreciate any insight.  Note that this server is not "live" yet, so
I'm
game to experiment with any ideas you may have.

On 17/02/16 17:27, Ian wrote:
>
> On 2/17/2016 5:00 AM, Rowland penny wrote:
>> On 17/02/16 00:03, Ian wrote:
>>> I've recently attempted to migrate some windows server files
over to
>>> samba 4 hosted on a FreeNAS server.
>>>
>>> Using robocopy with the /copyall switch, I expected everything,
>>> including ACL's and ownership information to transfer over. 
For the
>>> most part they have.  The one problem I've ran into however, is
that I'm
>>> getting errors any time I or robocopy attempt to change the
ownership to
>>> BUILTIN\Administrators.
>>>
>>> I've brought this up with the FreeNAS community, but so far
it's unclear
>>> if this is by design, there is a configuration issue somewhere, or
>>> there's a bug.
>>>
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>>
>>>
>>> When I attempt to change ownership to Builtin\Administrators, I get
an
>>> error that I don't have the Restore Privilege required, or if I
have
>>> inheritance enabled when changing ownership, "This security ID
may not
>>> be assigned as the owner of this object."
>>>
>>> As mentioned in that thread I linked to (lots more details there),
I
>>> verified that I do have the Restore Privilege right.  I also
verified
>>> that I can assign any other owner successfully -- it's just
>>> Builtin\Administrators that's giving me trouble.
>>>
>>> After turning up the logging in the samba configuration file and
>>> restarting the service, this was the output when I attempted to
change
>>> ownership:
>>>
>>>
>>> [2016/02/16 15:33:02.077685,  3]
>>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>>     check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>>> [2016/02/16 15:33:02.077890,  3]
>>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>>     check_reduced_name: CoreLib reduced to
/mnt/trunk/MM/deploy/CoreLib
>>> [2016/02/16 15:33:02.078111,  3]
>>> ../source3/smbd/dosmode.c:163(unix_mode)
>>>     unix_mode(CoreLib) returning 0666
>>> [2016/02/16 15:33:02.080039,  3]
>>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>>     unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
>>> [2016/02/16 15:33:04.251911,  3]
>>> ../source3/smbd/service.c:1130(close_cnum)
>>>     192.168.0.119 (ipv4:192.168.0.119:58406) closed connection to
>>> service IPC$
>>>
>>> Googling for "unable to validate owner sid for
S-1-5-32-544" brings up a
>>> thread a decade old:
>>>
https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>>
>>> There was some discussion about sid/gid conflicts and ACLs with
some
>>> futher discussion about fixing it.   Since there's so little
found when
>>> Googling, I have to believe that this has been fixed since I would
>>> expect there to be a lot more complaints from people like myself
who are
>>> migrating files from windows to samba.
>>>
>>> Any feedback is welcome, even if the advice is to change ownership
to
>>> something other than builtin\Administrators because that's
broken.  :)
>>>
>> Does 'getent group BUILTIN\\Administrators'  give any result ?
>> If smb.conf is setup correctly, you should get something like:
>>
>> BUILTIN\administrators:x:2001:
>>
>> If you do not get anything, then you need to change smb.conf, in which
>> case, can you post your smb.conf.
>>
>> Rowland
>>
>>
> Rowland,
>
> 'getent group BUILTIN\Administrators' returns nothing.  Yes, this
is a
> domain member, not AD.
Well, I think that explains it, on a domain member in my domain, it 
returns a result and I (as root) can chgrp a file to 
'BUILTIN\Administrators'

I know very little about freebsd (I think freenas runs on freebsd) but 
does it use PAM ? because I think this is your problem, winbind isn't 
returning the BUILTIN info, is libnss_winbind setup ? does freenas use 
libnss_winbind ?

Rowland
>
> My /usr/local/etc/smb4.conf file should be "default" for FreeNAS
> FreeNAS-9.3-STABLE-201602031011.  I believe the gui is the only
> recommended way to alter it ( think any hand editing gets wiped at
> reboot?). The only changes I've made through the GUI is to disable
> oplocks for one of the shares [applied]. The share I've been testing
> from however is [deploy].
>
> If it helps, 'net groupmap list verbose' returns this:
>
> Administrators
>          SID       : S-1-5-32-544
>          Unix gid  : 90000001
>          Unix group: BUILTIN\administrators
>          Group type: Local Group
>          Comment   :
> Users
>          SID       : S-1-5-32-545
>          Unix gid  : 90000002
>          Unix group: BUILTIN\users
>          Group type: Local Group
>          Comment   :
>
> Here's the smb4.conf file contents:
> [global]
>      server max protocol = SMB2
>      encrypt passwords = yes
>      dns proxy = no
>      strict locking = no
>      oplocks = yes
>      deadtime = 15
>      max log size = 51200
>      max open files = 942185
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>      getwd cache = yes
>      guest account = nobody
>      map to guest = Bad User
>      obey pam restrictions = yes
>      directory name cache size = 0
>      kernel change notify = no
>      panic action = /usr/local/libexec/samba/samba-backtrace
>      nsupdate command = /usr/local/bin/samba-nsupdate -g
>      server string = FreeNAS Server
>      ea support = yes
>      store dos attributes = yes
>      lm announce = yes
>      hostname lookups = yes
>      acl allow execute always = true
>      acl check permissions = true
>      dos filemode = yes
>      multicast dns register = yes
>      domain logons = no
>      idmap config *: backend = tdb
>      idmap config *: range = 90000001-100000000
>      server role = member server
>      netbios name = FREENAS
>      workgroup = MMIA
>      realm = INTRANET.MITCHELLANDMITCHELL.COM
>      security = ADS
>      client use spnego = yes
>      cache directory = /var/tmp/.cache/.samba
>      local master = no
>      domain master = no
>      preferred master = no
>      ads dns update = yes
>      winbind cache time = 7200
>      winbind offline logon = yes
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind nested groups = yes
>      winbind use default domain = no
>      winbind refresh tickets = yes
>      idmap config MMIA: backend = rid
>      idmap config MMIA: range = 20000-90000000
>      allow trusted domains = no
>      client ldap sasl wrapping = plain
>      template shell = /bin/sh
>      template homedir = /home/%D/%U
>      pid directory = /var/run/samba
>      create mask = 0666
>      directory mask = 0777
>      client ntlmv2 auth = yes
>      dos charset = CP437
>      unix charset = UTF-8
>      log level = 1
>
>
> [applied]
>      path = /mnt/trunk/MM/applied
>      printable = no
>      veto files = /.snapshot/.windows/.mac/.zfs/
>      writeable = yes
>      browseable = yes
>      shadow:snapdir = .zfs/snapshot
>      shadow:sort = desc
>      shadow:localtime = yes
>      shadow:format = auto-%Y%m%d.%H%M-1w
>      shadow:snapdirseverywhere = yes
>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>      hide dot files = yes
>      guest ok = no
>      nfs4:mode = special
>      nfs4:acedup = merge
>      nfs4:chown = true
>      zfsacl:acesort = dontcare
>      veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/
>
>
> [deploy]
>      path = /mnt/trunk/MM/deploy
>      printable = no
>      veto files = /.snapshot/.windows/.mac/.zfs/
>      writeable = yes
>      browseable = yes
>      shadow:snapdir = .zfs/snapshot
>      shadow:sort = desc
>      shadow:localtime = yes
>      shadow:format = auto-%Y%m%d.%H%M-1w
>      shadow:snapdirseverywhere = yes
>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>      hide dot files = yes
>      guest ok = no
>      nfs4:mode = special
>      nfs4:acedup = merge
>      nfs4:chown = true
>      zfsacl:acesort = dontcare
>
>
> [eim]
>      path = /mnt/trunk/MM/applied/EIM
>      printable = no
>      veto files = /.snapshot/.windows/.mac/.zfs/
>      writeable = yes
>      browseable = yes
>      shadow:snapdir = .zfs/snapshot
>      shadow:sort = desc
>      shadow:localtime = yes
>      shadow:format = auto-%Y%m%d.%H%M-1w
>      shadow:snapdirseverywhere = yes
>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>      hide dot files = yes
>      guest ok = no
>      nfs4:mode = special
>      nfs4:acedup = merge
>      nfs4:chown = true
>      zfsacl:acesort = dontcare
>
>
> [home]
>      path = /mnt/trunk/MM/home
>      printable = no
>      veto files = /.snapshot/.windows/.mac/.zfs/
>      writeable = yes
>      browseable = yes
>      shadow:snapdir = .zfs/snapshot
>      shadow:sort = desc
>      shadow:localtime = yes
>      shadow:format = auto-%Y%m%d.%H%M-1w
>      shadow:snapdirseverywhere = yes
>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>      hide dot files = yes
>      guest ok = no
>      nfs4:mode = special
>      nfs4:acedup = merge
>      nfs4:chown = true
>      zfsacl:acesort = dontcare
>
>
> [profiles]
>      path = /mnt/trunk/MM/profiles
>      printable = no
>      veto files = /.snapshot/.windows/.mac/.zfs/
>      writeable = yes
>      browseable = yes
>      shadow:snapdir = .zfs/snapshot
>      shadow:sort = desc
>      shadow:localtime = yes
>      shadow:format = auto-%Y%m%d.%H%M-1w
>      shadow:snapdirseverywhere = yes
>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>      hide dot files = yes
>      guest ok = no
>      nfs4:mode = special
>      nfs4:acedup = merge
>      nfs4:chown = true
>      zfsacl:acesort = dontcare
>
>
> [shared]
>      path = /mnt/trunk/MM/shared
>      printable = no
>      veto files = /.snapshot/.windows/.mac/.zfs/
>      writeable = yes
>      browseable = yes
>      shadow:snapdir = .zfs/snapshot
>      shadow:sort = desc
>      shadow:localtime = yes
>      shadow:format = auto-%Y%m%d.%H%M-1w
>      shadow:snapdirseverywhere = yes
>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
>      hide dot files = yes
>      guest ok = no
>      nfs4:mode = special
>      nfs4:acedup = merge
>      nfs4:chown = true
>      zfsacl:acesort = dontcare
>
>
> Appreciate any insight.  Note that this server is not "live" yet,
so I'm
> game to experiment with any ideas you may have.
>
>

On 2/17/2016 9:43 AM, Rowland penny wrote:
> On 17/02/16 17:27, Ian wrote:
>>
>> On 2/17/2016 5:00 AM, Rowland penny wrote:
>>> On 17/02/16 00:03, Ian wrote:
>>>> I've recently attempted to migrate some windows server
files over to
>>>> samba 4 hosted on a FreeNAS server.
>>>>
>>>> Using robocopy with the /copyall switch, I expected everything,
>>>> including ACL's and ownership information to transfer over.
For the
>>>> most part they have.  The one problem I've ran into
however, is
>>>> that I'm
>>>> getting errors any time I or robocopy attempt to change the
>>>> ownership to
>>>> BUILTIN\Administrators.
>>>>
>>>> I've brought this up with the FreeNAS community, but so far
it's
>>>> unclear
>>>> if this is by design, there is a configuration issue somewhere,
or
>>>> there's a bug.
>>>>
https://forums.freenas.org/index.php?threads/ownership-issues-migrating-data-from-windows-to-freenas.41478/#post-265384
>>>>
>>>>
>>>>
>>>> When I attempt to change ownership to Builtin\Administrators, I
get an
>>>> error that I don't have the Restore Privilege required, or
if I have
>>>> inheritance enabled when changing ownership, "This
security ID may not
>>>> be assigned as the owner of this object."
>>>>
>>>> As mentioned in that thread I linked to (lots more details
there), I
>>>> verified that I do have the Restore Privilege right.  I also
verified
>>>> that I can assign any other owner successfully -- it's just
>>>> Builtin\Administrators that's giving me trouble.
>>>>
>>>> After turning up the logging in the samba configuration file
and
>>>> restarting the service, this was the output when I attempted to
change
>>>> ownership:
>>>>
>>>>
>>>> [2016/02/16 15:33:02.077685,  3]
>>>> ../source3/smbd/vfs.c:1137(check_reduced_name)
>>>>     check_reduced_name [CoreLib] [/mnt/trunk/MM/deploy]
>>>> [2016/02/16 15:33:02.077890,  3]
>>>> ../source3/smbd/vfs.c:1267(check_reduced_name)
>>>>     check_reduced_name: CoreLib reduced to
>>>> /mnt/trunk/MM/deploy/CoreLib
>>>> [2016/02/16 15:33:02.078111,  3]
>>>> ../source3/smbd/dosmode.c:163(unix_mode)
>>>>     unix_mode(CoreLib) returning 0666
>>>> [2016/02/16 15:33:02.080039,  3]
>>>> ../source3/smbd/posix_acls.c:1204(unpack_nt_owners)
>>>>     unpack_nt_owners: unable to validate owner sid for
S-1-5-32-544
>>>> [2016/02/16 15:33:04.251911,  3]
>>>> ../source3/smbd/service.c:1130(close_cnum)
>>>>     192.168.0.119 (ipv4:192.168.0.119:58406) closed connection
to
>>>> service IPC$
>>>>
>>>> Googling for "unable to validate owner sid for
S-1-5-32-544" brings
>>>> up a
>>>> thread a decade old:
>>>>
https://lists.samba.org/archive/samba-technical/2006-October/050007.html
>>>>
>>>>
>>>> There was some discussion about sid/gid conflicts and ACLs with
some
>>>> futher discussion about fixing it.   Since there's so
little found
>>>> when
>>>> Googling, I have to believe that this has been fixed since I
would
>>>> expect there to be a lot more complaints from people like
myself
>>>> who are
>>>> migrating files from windows to samba.
>>>>
>>>> Any feedback is welcome, even if the advice is to change
ownership to
>>>> something other than builtin\Administrators because that's
broken.  :)
>>>>
>>> Does 'getent group BUILTIN\\Administrators'  give any
result ?
>>> If smb.conf is setup correctly, you should get something like:
>>>
>>> BUILTIN\administrators:x:2001:
>>>
>>> If you do not get anything, then you need to change smb.conf, in
which
>>> case, can you post your smb.conf.
>>>
>>> Rowland
>>>
>>>
>> Rowland,
>>
>> 'getent group BUILTIN\Administrators' returns nothing.  Yes,
this is a
>> domain member, not AD.
>
> Well, I think that explains it, on a domain member in my domain, it
> returns a result and I (as root) can chgrp a file to
> 'BUILTIN\Administrators'
Actually, that works for me too.  I just issued the command 'chgrp
"BUILTIN\administrators" CoreLib' and it returned successfully for
that
folder.  'ls -la' shows:
d---------+ 2 MMIA\domain admins  BUILTIN\administrators  5 Dec  8 11:59
CoreLib//

Note however, that it fails if I attempt to chown instead:
[root at freenas] /mnt/trunk/MM/deploy# chown "BUILTIN\Administrators"
CoreLib
chown: BUILTIN\Administrators: illegal user name

I can chown to other domain groups successfully.
>
> I know very little about freebsd (I think freenas runs on freebsd) but
> does it use PAM ? because I think this is your problem, winbind isn't
> returning the BUILTIN info, is libnss_winbind setup ? does freenas use
> libnss_winbind ?
>
Yes Freebsd.  uname -a shows: "FreeBSD 9.3-RELEASE-p31"
smbstatus shows Samba version 4.1.21

I know it's using LDAP to talk to the DC since
/usr/local/etc/openldap.ldap.conf contains my DC's info. /etc/krb5.conf
also contains my domain's info, and inside of that is a setting for pam
(forwardable = true). /etc/nsswitch.conf shows:
group: files winbind
passwd: files winbind

there is a /etc/pam.d/samba file, so I'd have to say, yes pam is part of
the system here, and winbind is tied into that.
> Rowland
>
>>
>> My /usr/local/etc/smb4.conf file should be "default" for
FreeNAS
>> FreeNAS-9.3-STABLE-201602031011.  I believe the gui is the only
>> recommended way to alter it ( think any hand editing gets wiped at
>> reboot?). The only changes I've made through the GUI is to disable
>> oplocks for one of the shares [applied]. The share I've been
testing
>> from however is [deploy].
>>
>> If it helps, 'net groupmap list verbose' returns this:
>>
>> Administrators
>>          SID       : S-1-5-32-544
>>          Unix gid  : 90000001
>>          Unix group: BUILTIN\administrators
>>          Group type: Local Group
>>          Comment   :
>> Users
>>          SID       : S-1-5-32-545
>>          Unix gid  : 90000002
>>          Unix group: BUILTIN\users
>>          Group type: Local Group
>>          Comment   :
>>
>> Here's the smb4.conf file contents:
>> [global]
>>      server max protocol = SMB2
>>      encrypt passwords = yes
>>      dns proxy = no
>>      strict locking = no
>>      oplocks = yes
>>      deadtime = 15
>>      max log size = 51200
>>      max open files = 942185
>>      load printers = no
>>      printing = bsd
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>      getwd cache = yes
>>      guest account = nobody
>>      map to guest = Bad User
>>      obey pam restrictions = yes
>>      directory name cache size = 0
>>      kernel change notify = no
>>      panic action = /usr/local/libexec/samba/samba-backtrace
>>      nsupdate command = /usr/local/bin/samba-nsupdate -g
>>      server string = FreeNAS Server
>>      ea support = yes
>>      store dos attributes = yes
>>      lm announce = yes
>>      hostname lookups = yes
>>      acl allow execute always = true
>>      acl check permissions = true
>>      dos filemode = yes
>>      multicast dns register = yes
>>      domain logons = no
>>      idmap config *: backend = tdb
>>      idmap config *: range = 90000001-100000000
>>      server role = member server
>>      netbios name = FREENAS
>>      workgroup = MMIA
>>      realm = INTRANET.MITCHELLANDMITCHELL.COM
>>      security = ADS
>>      client use spnego = yes
>>      cache directory = /var/tmp/.cache/.samba
>>      local master = no
>>      domain master = no
>>      preferred master = no
>>      ads dns update = yes
>>      winbind cache time = 7200
>>      winbind offline logon = yes
>>      winbind enum users = yes
>>      winbind enum groups = yes
>>      winbind nested groups = yes
>>      winbind use default domain = no
>>      winbind refresh tickets = yes
>>      idmap config MMIA: backend = rid
>>      idmap config MMIA: range = 20000-90000000
>>      allow trusted domains = no
>>      client ldap sasl wrapping = plain
>>      template shell = /bin/sh
>>      template homedir = /home/%D/%U
>>      pid directory = /var/run/samba
>>      create mask = 0666
>>      directory mask = 0777
>>      client ntlmv2 auth = yes
>>      dos charset = CP437
>>      unix charset = UTF-8
>>      log level = 1
>>
>>
>> [applied]
>>      path = /mnt/trunk/MM/applied
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>      veto oplock files = /*.dbf/*.DBF/*.ndx/*.NDX/
>>
>>
>> [deploy]
>>      path = /mnt/trunk/MM/deploy
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [eim]
>>      path = /mnt/trunk/MM/applied/EIM
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [home]
>>      path = /mnt/trunk/MM/home
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [profiles]
>>      path = /mnt/trunk/MM/profiles
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> [shared]
>>      path = /mnt/trunk/MM/shared
>>      printable = no
>>      veto files = /.snapshot/.windows/.mac/.zfs/
>>      writeable = yes
>>      browseable = yes
>>      shadow:snapdir = .zfs/snapshot
>>      shadow:sort = desc
>>      shadow:localtime = yes
>>      shadow:format = auto-%Y%m%d.%H%M-1w
>>      shadow:snapdirseverywhere = yes
>>      vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread
>> streams_xattr
>>      hide dot files = yes
>>      guest ok = no
>>      nfs4:mode = special
>>      nfs4:acedup = merge
>>      nfs4:chown = true
>>      zfsacl:acesort = dontcare
>>
>>
>> Appreciate any insight.  Note that this server is not "live"
yet, so I'm
>> game to experiment with any ideas you may have.
>>
>>
>
>