Rob Mason
2018-Dec-02 10:14 UTC
[Samba] Domain Admins default ownership is BUILTIN\Administrators
So, a little bit more investigation shows a problem with idmap:

User  - BUILTIN\Administrator    uid = 30000
Group - BUILTIN\Administrators   gid = 3000000
Group - SAMDOM\Domain Admins     gid = 60000

POSIX file ownership is becoming 3000000:60000

It seems that the Administrators group is set as the owner. What's more, the 'Administrators' group name is not mapped when I list the directory:

ls -l
total 7.9M
drwxr-xr-x   7 JohnDoe Domain Users 4.0K Aug 24 20:47 ./
drwxr-xr-x  11 root    root         4.0K Dec  1 16:50 ../
-rw-r--r--   1 JohnDoe Domain Users 439K Aug 14  2013 Book.xlsx
-rw-r--r--   1 JohnDoe Domain Users  30K Mar  4  2012 planner.xls
-rwxr-xr-x+  1 3000000 Domain Users 4.2M Feb 10  2017 acasta.ics*

Any ideas how to fix this?

--
Rob Mason
07770 578764

From: Rob Mason
Sent: 30 November 2018 18:28
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: Domain Admins default ownership is BUILTIN\Administrators

I've now spun up a second DC ready for a migration from an old DC. Just checking over a few things, and I have hit this problem:

Objects created by Domain Admins members default to ownership by BUILTIN\Administrators. So, when JohnDoe is logged on as JohnDoe and creates a file, its ownership becomes BUILTIN\Administrators.

I've played with perms for over an hour and cannot make any sense of this. I cannot see where/why it is defaulting to this account.

\data is chmod 2755 owned by "SAMDOM\JohnDoe":"SAMDOM\Domain Admins".
Resulting files are 755 owned by "BUILTIN\Administrators":"SAMDOM\Domain Admins".

[global]
        netbios name = SAGAN
        realm = SAMDOM.INTRA
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

[netlogon]
        path = /var/lib/samba/sysvol/acasta.intra/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[data]
        path = /data
        read only = No

--
Rob Mason
Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.
Rob Mason
2018-Dec-03 15:37 UTC
[Samba] Domain Admins default ownership is BUILTIN\Administrators
...looks like there is no problem and this is normal behaviour - https://www.linuxquestions.org/questions/linux-server-73/windows-ad-user-not-creating-files-with-correct-uid-on-samb4-dc-ad-4175551047/

Still, is there any reason why the uid number 3000000 is displayed rather than its mapped name "Administrators"?
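The symptom in the thread (a file whose owner shows up as the bare number 3000000) is the kind of thing worth sweeping a whole share for before a migration, rather than spotting by eye in one `ls -l`. The script below is an added example, not code from the thread or from the Samba project. It assumes GNU find's `-printf` (which prints the numeric ID in the name column when NSS cannot map it), and the `wbinfo` / `getent` helper assumes a live Samba host with winbind; the sample listing and the IDs 3000003/3000004 in it are constructed to mirror the directory above.

```shell
#!/bin/sh
# Added example (not from the thread): find files on a Samba share whose
# owner or group only resolves to a number, i.e. an idmap/NSS gap like the
# 3000000 shown on acasta.ics above.

# Expected input, one line per file, tab separated:
#   UID <TAB> user <TAB> GID <TAB> group <TAB> path
# This is exactly what GNU find prints with the -printf below; when there
# is no name for an ID, find repeats the number in the name column, so an
# unmapped ID is simply "numeric field equals name field".
unmapped_ids() {
    awk -F'\t' '$1 == $2 || $3 == $4 { print $1 "\t" $3 "\t" $5 }'
}

# Walk a real share (GNU find assumed) and feed it to unmapped_ids.
audit_share() {
    find "$1" -printf '%U\t%u\t%G\t%g\t%p\n' | unmapped_ids
}

# On a live DC, ask winbind what an unmapped gid is and whether NSS can
# resolve it at all. Not executed by the sample run below.
explain_gid() {
    gid=$1
    sid=$(wbinfo --gid-to-sid="$gid") || { echo "gid $gid: no idmap entry"; return 1; }
    echo "gid $gid -> $sid -> $(wbinfo -s "$sid")"
    getent group "$gid" ||
        echo "gid $gid: not resolvable via NSS (is winbind listed in /etc/nsswitch.conf?)"
}

# Constructed sample, mirroring the listing in the thread. Only the
# 3000000 entry has the numeric ID repeated in the name column; the
# other IDs are made-up placeholders, not values from the post.
SAMPLE_FIND=$(printf '%s\t%s\t%s\t%s\t%s\n' \
    3000003 JohnDoe 3000004 'Domain Users' /data/Book.xlsx \
    3000003 JohnDoe 3000004 'Domain Users' /data/planner.xls \
    3000000 3000000 3000004 'Domain Users' /data/acasta.ics)

# Demo run on the constructed sample: prints "3000000<TAB>3000004<TAB>/data/acasta.ics".
printf '%s\n' "$SAMPLE_FIND" | unmapped_ids
```

On a real DC run `audit_share /data` and then `explain_gid 3000000` for each ID it reports; the first tells you how many objects carry the unmapped ID, the second whether the ID has an idmap entry at all or only fails at the NSS layer.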