
Re: [Samba] Domain Admins default ownership is BUILTIN\Administrators

So, a little bit more investigation shows a problem with idmap ->

User - BUILTIN\Administrator uid = 30000
Group - BUILTIN\Administrators gid = 3000000
Group - SAMDOM\Domain Admins gid = 60000

POSIX file ownership is becoming 3000000:60000

It seems that the Administrators group is set as the owner. What's more, the 'Administrators' group name is not mapped when I list the directory:

ls -l
total 7.9M
drwxr-xr-x   7 JohnDoe Domain Users 4.0K Aug 24 20:47 ./
drwxr-xr-x  11 root    root         4.0K Dec  1 16:50 ../
-rw-r--r--   1 JohnDoe Domain Users 439K Aug 14  2013 Book.xlsx
-rw-r--r--   1 JohnDoe Domain Users  30K Mar  4  2012 planner.xls
-rwxr-xr-x+  1 3000000 Domain Users 4.2M Feb 10  2017 acasta.ics*

Any ideas how to fix this?

Rob Mason
07770 578764

From: Rob Mason
Sent: 30 November 2018 18:28
To: 'samba@xxxxxxxxxxxxxxx' <samba@xxxxxxxxxxxxxxx>
Subject: Domain Admins default ownership is BUILTIN\Administrators

I've now spun up a second DC ready for a migration from an old DC. Just checking over a few things and have hit this problem:

Objects created by Domain Admins members default to ownership by BUILTIN\Administrators.  So, when JohnDoe is logged on as JohnDoe and creates a file, its ownership becomes BUILTIN\Administrators.

I've played with perms for over an hour and cannot make any sense of this. I cannot see where/why it is defaulting to this account.

\data is chmod 2755 owned by "SAMDOM\JohnDoe":"SAMDOM\Domain Admins".   Resulting files are 755 owned by "BUILTIN\Administrators":"SAMDOM\Domain Admins"

        netbios name = SAGAN
        realm = SAMDOM.INTRA
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes

        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        path = /var/lib/samba/sysvol/acasta.intra/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

        path = /data
        read only = No

Rob Mason

Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.
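An added check, not from the thread or from the Samba project: the listing in the reply shows `ls` falling back to a bare number (3000000) whenever NSS cannot turn a uid or gid into a name. The Python script below parses `ls -l` output, copes with the spaces in winbind group names such as "Domain Users", and reports every entry whose owner or group is unresolved, grouped by id so each number can be cross-checked on the server with `wbinfo --uid-to-sid=UID` or `wbinfo --gid-to-sid=GID`. The sample listing is the one from the reply plus one constructed row; the function and variable names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the `ls -l` listing quoted in the thread, plus one
# extra row (constructed.txt) so that both an unresolved owner and an
# unresolved group appear.
SAMPLE_LISTING = """\
total 7.9M
drwxr-xr-x   7 JohnDoe Domain Users 4.0K Aug 24 20:47 ./
drwxr-xr-x  11 root    root         4.0K Dec  1 16:50 ../
-rw-r--r--   1 JohnDoe Domain Users 439K Aug 14  2013 Book.xlsx
-rw-r--r--   1 JohnDoe Domain Users  30K Mar  4  2012 planner.xls
-rwxr-xr-x+  1 3000000 Domain Users 4.2M Feb 10  2017 acasta.ics*
-rw-r--r--   1 3000000 60000         12K Jan  5 09:12 constructed.txt
"""

# One row of GNU `ls -lh` output. Owner and group are captured as a single
# span because winbind group names ("Domain Users") contain spaces; the size
# and date columns that follow are what anchor the end of that span.
LS_ROW = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[+.@]?)\s+"
    r"(?P<links>\d+)\s+"
    r"(?P<owner_group>.+?)\s+"
    r"(?P<size>\d+(?:\.\d+)?[KMGTP]?)\s+"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+"
    r"(?P<name>.+)$"
)


def parse_ls_line(line: str) -> Optional[Dict[str, str]]:
    """Split one `ls -l` row into fields; return None for the 'total' line or junk."""
    m = LS_ROW.match(line)
    if m is None:
        return None
    # The owner never contains spaces in this layout, so the first token is the
    # owner and whatever remains (possibly several words) is the group.
    owner, _, group = m.group("owner_group").partition(" ")
    return {
        "mode": m.group("mode"),
        "owner": owner,
        "group": group.strip(),
        "name": m.group("name"),
    }


def is_unresolved(field: str) -> bool:
    """ls prints the raw uid/gid when getpwuid()/getgrgid() (here, winbind NSS) fails."""
    return field.isdigit()


def find_unresolved(listing: str) -> List[Dict[str, object]]:
    """Return one finding per entry whose owner or group is a bare number."""
    findings: List[Dict[str, object]] = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        problems = []
        if is_unresolved(entry["owner"]):
            problems.append("owner uid %s" % entry["owner"])
        if is_unresolved(entry["group"]):
            problems.append("group gid %s" % entry["group"])
        if problems:
            findings.append({
                "name": entry["name"],
                "owner": entry["owner"],
                "group": entry["group"],
                "problems": problems,
            })
    return findings


def unresolved_ids(listing: str) -> Dict[str, List[str]]:
    """Map each unresolved id ('uid 3000000', 'gid 60000') to the files using it;
    this is the list to feed to wbinfo --uid-to-sid / --gid-to-sid."""
    ids: Dict[str, List[str]] = {}
    for f in find_unresolved(listing):
        owner, group, name = str(f["owner"]), str(f["group"]), str(f["name"])
        if is_unresolved(owner):
            ids.setdefault("uid %s" % owner, []).append(name)
        if is_unresolved(group):
            ids.setdefault("gid %s" % group, []).append(name)
    return ids


if __name__ == "__main__":
    import sys
    # Pipe real `ls -l /data` output in; with no pipe the constructed sample is used.
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for finding in find_unresolved(listing):
        print("%-20s %s" % (finding["name"], "; ".join(finding["problems"])))
    for ident, files in unresolved_ids(listing).items():
        kind, number = ident.split()
        print("%s -> %d file(s); check with: wbinfo --%s-to-sid=%s"
              % (ident, len(files), kind, number))
```

On the DC itself you would run `ls -l /data | python3 check_ids.py` and then `wbinfo --gid-to-sid=3000000` on each reported id; that tells you which SID the number was allocated to, which is the starting point for working out why the name lookup for that object fails.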