:-|

ls -lnd /opt/samba/var/locks/sysvol
drwxrwx---+ 3 0 3000000 4096 Jun 16 13:56 /opt/samba/var/locks/sysvol

On 16-06-2017 13:38, Rowland Penny via samba wrote:
> On Fri, 16 Jun 2017 13:15:19 -0300
> "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
>
>> OK, sorry, uncomment a line :-D
>>
>> Yes exist!
>>
>> ls -ld /opt/samba/var/locks/sysvol
>> drwxrwx---+ 3 root BUILTIN\administrators 4096 Jun 16 11:25
>> /opt/samba/var/locks/sysvol
>>
> How have you set up your DC, I would expect to see something like this:
>
> ls -ld /usr/local/samba/var/locks/sysvol
> drwxrws---+ 4 3000000 3000015 4096 Mar 13 16:28 /usr/local/samba/var/locks/sysvol
>
> Note the numbers instead of user & group.
>
> Rowland
>
>
On Fri, 16 Jun 2017 13:58:20 -0300
"Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:

> :-|
>
> ls -lnd /opt/samba/var/locks/sysvol
> drwxrwx---+ 3 0 3000000 4096 Jun 16 13:56 /opt/samba/var/locks/sysvol
>
>

I have this sinking feeling that you have given your AD users and
groups from the 'Well Known SIDs' a uidNumber or gidNumber attribute, I
cannot think of any other way that 'Builtin\administrators' could have
the ID number '4096'.

'root' shouldn't have the ID '3000000' either.

On a DC, 'Administrator' should be mapped to 'root' inside idmap.ldb:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

BUILTIN\Administrators gets their ID in the same place:

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

and as you can see 'Administrator' is a User, but
'BUILTIN\Administrator' is both a user and a group, if you give the
group a gidNumber, it just becomes a group.

Rowland
On 16.06.2017 at 19:17, Rowland Penny via samba wrote:
> On Fri, 16 Jun 2017 13:58:20 -0300
> "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
>
>> :-|
>>
>> ls -lnd /opt/samba/var/locks/sysvol
>> drwxrwx---+ 3 0 3000000 4096 Jun 16 13:56 /opt/samba/var/locks/sysvol
>>
>>
>
> I have this sinking feeling that you have given your AD users and
> groups from the 'Well Known SIDs' a uidNumber or gidNumber attribute, I
> cannot think of any other way that 'Builtin\administrators' could have
> the ID number '4096'.
>
> 'root' shouldn't have the ID '3000000' either.
>
> On a DC, 'Administrator' should be mapped to 'root' inside idmap.ldb:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>
> BUILTIN\Administrators gets their ID in the same place:
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> and as you can see 'Administrator' is a User, but
> 'BUILTIN\Administrator' is both a user and a group, if you give the
> group a gidNumber, it just becomes a group.
>
> Rowland
>

/me pokes Rowland

'4096' is the block size.. :)

---

This is how it looks on my productive systems:

root at ad1:~$ ls -dn /var/lib/samba/sysvol
drwxrwx---+ 3 0 3000000 4096 Jun 16 18:46 /var/lib/samba/sysvol

root at ad1:~$ getfacl /var/lib/samba/sysvol
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Bjoern
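Added example, not part of any poster's message and not Samba code: a small check that splits an `ls -ln` line into its numeric fields and resolves the owner and group against sidMap records like the ones quoted in the thread. The function names are hypothetical, and the sample data is copied from the messages above, with the LDIF trimmed to the attributes the check uses.

```python
# Added example: parse_ls_ln, parse_idmap_ldif, resolve and check_sysvol are
# hypothetical names. Sample data is copied from the thread, not from a live DC.
LS_LINE = "drwxrwx---+ 3 0 3000000 4096 Jun 16 13:56 /opt/samba/var/locks/sysvol"

IDMAP_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

def parse_ls_ln(line):
    """Split one `ls -ln` line: mode, links, uid, gid, size, then date and path."""
    mode, links, uid, gid, size, _rest = line.split(None, 5)
    # The fifth field is the size column, not a uid or gid.
    return {"mode": mode, "links": int(links), "uid": int(uid),
            "gid": int(gid), "size": int(size)}

def parse_idmap_ldif(text):
    """Return {xidNumber: [(objectSid, type), ...]} from blank-line separated records."""
    mapping = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap":
            entry = (attrs["objectSid"], attrs["type"])
            mapping.setdefault(int(attrs["xidNumber"]), []).append(entry)
    return mapping

def resolve(mapping, xid, want):
    """SIDs usable as `want` ('UID' or 'GID'); ID_TYPE_BOTH serves as either."""
    usable = {"ID_TYPE_" + want, "ID_TYPE_BOTH"}
    return [sid for sid, typ in mapping.get(xid, []) if typ in usable]

def check_sysvol(ls_line, ldif):
    """Resolve the owner and group of a sysvol listing against the idmap records."""
    st, m = parse_ls_ln(ls_line), parse_idmap_ldif(ldif)
    return {"owner": resolve(m, st["uid"], "UID"),
            "group": resolve(m, st["gid"], "GID"),
            "size": st["size"]}

if __name__ == "__main__":
    print(check_sysvol(LS_LINE, IDMAP_LDIF))
```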