Displaying 20 results from an estimated 210 matches for "id_type_both".
2016 Oct 26
3
NT_STATUS_INVALID_SID
.../medarts.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Note that the SIDs are out of my specified range below:
ldbsearch -H /var/lib/samba/private/idmap.ldb
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0
# record 2
dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
cn: S-1-5-21-1106274642-2786564146-798650368-501
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-501
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S...
2016 Oct 26
0
NT_STATUS_INVALID_SID
...> path = /var/lib/samba/sysvol
> read only = No
>
> Note that the SIDs are out of my specified range below:
> ldbsearch -H /var/lib/samba/private/idmap.ldb
> # record 1
> dn: CN=S-1-1-0
> cn: S-1-1-0
> objectClass: sidMap
> objectSid: S-1-1-0
> type: ID_TYPE_BOTH
> xidNumber: 3000013
> distinguishedName: CN=S-1-1-0
>
> # record 2
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
> cn: S-1-5-21-1106274642-2786564146-798650368-501
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-501
> type: ID_TYPE_BO...
2016 Oct 27
4
NT_STATUS_INVALID_SID
...read only = No
> >
> > Note that the SIDs are out of my specified range below:
> > ldbsearch -H /var/lib/samba/private/idmap.ldb
> > # record 1
> > dn: CN=S-1-1-0
> > cn: S-1-1-0
> > objectClass: sidMap
> > objectSid: S-1-1-0
> > type: ID_TYPE_BOTH
> > xidNumber: 3000013
> > distinguishedName: CN=S-1-1-0
> >
> > # record 2
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
> > cn: S-1-5-21-1106274642-2786564146-798650368-501
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-278656...
2016 Oct 27
0
NT_STATUS_INVALID_SID
...>>>
>>> Note that the SIDs are out of my specified range below:
>>> ldbsearch -H /var/lib/samba/private/idmap.ldb
>>> # record 1
>>> dn: CN=S-1-1-0
>>> cn: S-1-1-0
>>> objectClass: sidMap
>>> objectSid: S-1-1-0
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000013
>>> distinguishedName: CN=S-1-1-0
>>>
>>> # record 2
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
>>> cn: S-1-5-21-1106274642-2786564146-798650368-501
>>> objectClass: sidMap
>>> objectSid: S-1...
2020 Oct 29
4
question about winbind rid idmaping
...t I know that can 'create' usergroups is sssd, so are
> you using this as well ?
>
> I think more info is required here, what OS ? What version of Samba ?
> Please post your smb.conf
>
> Rowland
>
> Several of the idmap backends (including idmap_rid) in samba support
id_type_both (the ID is both a user and a group). This is ultimately needed
for accurately producing Windows-style behavior regarding permissions
(where a group can be the owner of a file). Without knowing the details of
the ACL module, the best path forward would be for you to figure out how to
maintain window...
2015 Feb 21
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...We don't (eg in sidHistory, or when files are migrated, preserving
permissions, from a workstation or from a domain that is not trusted)
always know if an incoming SID is a user or group.
- Working out if an arbitrary SID is a user or group takes time and
network operations, which may fail. ID_TYPE_BOTH is both fast and
deterministic in this respect.
My view is that we should always have mapped SIDs to both a UID and GID,
and I understand that in general, we are doing that now in new backends.
See for example idmap_rid and idmap_autorid.
The only tricky bit is that while a user can be put in a...
2015 Feb 22
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...the SID what the object is? and if not, what
> does windows do?
In Windows, a SID is a SID, and there is no need to translate it to
anything else for access checking.
> > - Working out if an arbitrary SID is a user or group takes time and
> > network operations, which may fail. ID_TYPE_BOTH is both fast and
> > deterministic in this respect.
>
> And in my opinion (which is worth very little) it is a kludge, also
> does a group actually try to connect (note, I do not know if this
> happens, which is why I am asking) and if so how ? a group doesn't
> have a pa...
2015 Feb 21
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...' had been replaced with 'EXAMPLE\134Administrator'
>>>
>>> Now this led me to start thinking, why is a user also a group and
>>> vice-versa ?
>>>
>>> Checking idmap.ldb, I found that the 4 user/groups?? were all
>>> described as 'ID_TYPE_BOTH', so I altered them to be what they
>>> actually are i.e. a UID or GID
>>>
>>> reset sysvol 'samba-tool ntacl sysvolreset' and getfacl now returns:
>>>
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: v...
2020 Oct 29
2
question about winbind rid idmaping
On 10/29/20 at 1:07 PM, Rowland penny via samba wrote:
> On 29/10/2020 11:56, Andrew Walker wrote:
>> Several of the idmap backends (including idmap_rid) in samba support
>> id_type_both (the ID is both a user and a group). This is ultimately
>> needed for accurately producing Windows-style behavior regarding
>> permissions (where a group can be the owner of a file). Without
>> knowing the details of the ACL module, the best path forward would be
>> for you...
2015 Feb 23
1
Samba4, idmap.ldb & ID_TYPE_BOTH
...t is? and if not, what
>> does windows do?
> In Windows, a SID is a SID, and there is no need to translate it to
> anything else for access checking.
>
>>> - Working out if an arbitrary SID is a user or group takes time and
>>> network operations, which may fail. ID_TYPE_BOTH is both fast and
>>> deterministic in this respect.
>> And in my opinion (which is worth very little) it is a kludge, also
>> does a group actually try to connect (note, I do not know if this
>> happens, which is why I am asking) and if so how ? a group doesn't
>>...
2015 Mar 04
3
Domain Member Server (wheezy) - Unable to edit permissions of share without usermapping - shall I add to Wiki?
...d 0775 then chgrp "<DOMAIN>\Domain Admins" /srv/share
3) chown -R "<DOMAIN>\Administrator" /srv/share
I'm leaning towards 2, but would like a better idea of pros and cons so I
may complete the wiki.
Rowland: From your last response, I was searching for how the ID_TYPE_BOTH
relates to the above, and found a recent thread between yourself and Andrew
(Samba4,idmap.ldb & ID_TYPE_BOTH), last posted to on Feb24. The differences
you point out W.R.T. sysvol appear to relate more to that thread.
If those differences are important to my current issue, I apologize for
bei...
2015 Feb 20
0
Samba4, idmap.ldb & ID_TYPE_BOTH
...> default:other::---
>
> 'root' had been replaced with 'EXAMPLE\134Administrator'
>
> Now this led me to start thinking, why is a user also a group and
> vice-versa ?
>
> Checking idmap.ldb, I found that the 4 user/groups?? were all
> described as 'ID_TYPE_BOTH', so I altered them to be what they
> actually are i.e. a UID or GID
>
> reset sysvol 'samba-tool ntacl sysvolreset' and getfacl now returns:
>
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: EXAMPLE\134Ad...
2015 Jul 17
2
"wbinfo --sid-to-gid" returns false gids
I've got this on the backup DC
root@bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
3000000
while
root@bdc:~# ldbedit -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-1166961617-3197558402-3341820450-516
shows correct xid 3000019
and on the primary DC I've got
itk@dc:/$ wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
3000019
2015 Apr 30
1
FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
...up:3000010:r-x
> default:mask::rwx
> default:other::---
>
> the user owner is the group ? how can the user owner be a group ?
> Is this allowed ? This I really don't know.
Yes this is a mess and is caused by stupid stupid windows allowing groups
to own files, therefore you end up with ID_TYPE_BOTH in idmap.ldb. From
my investigations, it is only one group that owns files: Administrators,
but instead of just making this group 'ID_TYPE_BOTH', samba makes a lot
of groups 'ID_TYPE_BOTH', have a look in idmap.ldb.
I also tested replacing the ownership of files and dirs in sysv...
2015 Jul 17
1
"wbinfo --sid-to-gid" returns false gids
...achines and then searching for the relevant xidNumber. On the
> first DC, I get:
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
> cn: S-1-5-21-2025076216-3455336656-3842161122-516
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
> type: ID_TYPE_BOTH
> xidNumber: 3000025
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>
> On the second DC, I get:
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
> cn: S-1-5-21-2025076216-3455336656-3842161122-516
> objectClass: sidMap
> objectSid: S-1-5-21...
2015 Feb 21
2
Samba4, idmap.ldb & ID_TYPE_BOTH
...>
>> 'root' had been replaced with 'EXAMPLE\134Administrator'
>>
>> Now this led me to start thinking, why is a user also a group and
>> vice-versa ?
>>
>> Checking idmap.ldb, I found that the 4 user/groups?? were all
>> described as 'ID_TYPE_BOTH', so I altered them to be what they
>> actually are i.e. a UID or GID
>>
>> reset sysvol 'samba-tool ntacl sysvolreset' and getfacl now returns:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/
>...
2019 Jun 11
2
Automatically assigning uidNumber / gidNumber attributes
...st, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>>> gidNumber attribute."
>>> Domain Admins is a group that must own files in Sysvol. Samba runs
>>> on Unix and groups cannot own files on Unix, so Domain Admins is
>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
>>> Admins a group and a user. If you give Domain Admins a gidNumber
>>> attribute, it becomes just a group and cannot own files.
>>>>
>>
>> Now I am confused. Reading "Adding a share" on domain member her...
2017 Sep 06
1
SOLVED: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> I feel I can tell you this without breaking any confidences, the OP
> sent me their idmap.ldb and the problem boiled down to these three DNs
>
> CN=S-1-5-32-545
> CN=S-1-5-32-544
> CN=S-1-5-32-546
>
> The classicupgrade seems to set these to 'ID_TYPE_GID' instead of
> 'ID_TYPE_BOTH'.
>
> Rowland
I can confirm this. After changing 'ID_TYPE_GID' to
'ID_TYPE_BOTH' on these three CN= winbind works well.
So there are no errors. Also Louis' script works well;)
> This was hard to decipher, but I think I understand it
>
> You need to make some choice...
2019 Jun 07
2
Automatically assigning uidNumber / gidNumber attributes
.../2019-June/223478.html
>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>> gidNumber attribute."
> Domain Admins is a group that must own files in Sysvol. Samba runs on Unix and groups cannot own files on Unix, so Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user. If you give Domain Admins a gidNumber attribute, it becomes just a group and cannot own files.
>>
Now I am confused. Reading "Adding a share" on domain member here:
https://wiki.samba.org/index.php/Setting_up_a_S...
2015 Feb 19
4
Samba4, idmap.ldb & ID_TYPE_BOTH
...efault:group:3000003:r-x
default:mask::rwx
default:other::---
'root' had been replaced with 'EXAMPLE\134Administrator'
Now this led me to start thinking, why is a user also a group and
vice-versa ?
Checking idmap.ldb, I found that the 4 user/groups?? were all described
as 'ID_TYPE_BOTH', so I altered them to be what they actually are i.e. a
UID or GID
reset sysvol 'samba-tool ntacl sysvolreset' and getfacl now returns:
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: EXAMPLE\134Administrator
# group: 3000000
user...