Bug 13532 - samba-tool ntacl sysvolreset add SID from groups to user ACL's
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.8.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-07-15 16:35 UTC by Laurent Bigonville
Modified: 2020-05-16 13:15 UTC

Description Laurent Bigonville 2018-07-15 16:35:23 UTC
Hi,

After running samba-tool ntacl sysvolreset, it seems that the GPOs (files and directories) end up with group SIDs set as user ACLs as well as the group ones:

# file: GPT.INI
# owner: 3000000
# group: BIGON\134domain\040admins
user::rwx
user:3000004:rwx
user:3000012:r-x
user:3000019:r-x
user:3000022:rwx
group::rwx
group:BIGON\134domain\040admins:rwx
group:BIGON\134enterprise\040admins:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:NT\040AUTHORITY\134enterprise\040domain\040controllers:r-x
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---

# wbinfo --uid-to-sid=3000000
S-1-5-21-1392674437-3576424776-2708817219-512
# wbinfo --uid-to-sid=3000004
S-1-5-21-1392674437-3576424776-2708817219-519
# wbinfo --uid-to-sid=3000012
S-1-5-11
# wbinfo --uid-to-sid=3000019
S-1-5-9
# wbinfo --uid-to-sid=3000022
S-1-5-18
Comment 1 Rowland Penny 2020-05-16 13:15:18 UTC
Closing this bug report. Windows groups can own folders & files; to do this on Linux, they are mapped to 'ID_TYPE_BOTH' in idmap.ldb, which means that a group can also be a user on a DC.
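
Added example (not part of the bug report and not Samba code): a Python sketch that checks the ACL from the report against the explanation in comment 1, confirming that every numeric user: entry resolves to a group SID and is mirrored by a group: entry with the same permissions. The function names and the SID-to-name table are assumptions made for illustration; on a DC the mapping would come from wbinfo.

```python
import re

# Names as the report's getfacl prints them; SIDs/RIDs are the standard well-known values.
WELL_KNOWN = {"S-1-5-11": "NT AUTHORITY\\authenticated users",
              "S-1-5-9": "NT AUTHORITY\\enterprise domain controllers",
              "S-1-5-18": "NT AUTHORITY\\system"}
DOMAIN_RIDS = {"512": "domain admins", "519": "enterprise admins"}

def unescape(name):  # getfacl octal escapes: \134 is a backslash, \040 a space
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def sid_to_group(sid, domain):
    rid = sid.rsplit("-", 1)[-1]
    known = sid.startswith("S-1-5-21-") and rid in DOMAIN_RIDS
    return WELL_KNOWN.get(sid, f"{domain}\\{DOMAIN_RIDS[rid]}" if known else None)

def audit(acl_text, xid_to_sid, domain):
    """Return (mirrored, unexplained) lists for the named user: entries of one ACL."""
    users, groups = {}, {}
    for line in acl_text.splitlines():
        m = re.match(r"(user|group):([^:]+):([rwx-]{3})$", line.strip())
        if m:  # unnamed entries such as user::rwx do not match and are skipped
            kind, who, perms = m.groups()
            (users if kind == "user" else groups)[unescape(who).lower()] = perms
    mirrored, unexplained = [], []
    for xid, perms in users.items():
        sid = xid_to_sid.get(xid)
        name = sid_to_group(sid or "", domain)
        if name and groups.get(name.lower()) == perms:
            mirrored.append((xid, name, perms))    # consistent with ID_TYPE_BOTH
        else:
            unexplained.append((xid, sid, perms))  # worth a manual look
    return mirrored, unexplained

# ACL entries and uid-to-SID pairs copied from the report (owner/mask/other lines omitted).
ACL = r"""user::rwx
user:3000004:rwx
user:3000012:r-x
user:3000019:r-x
user:3000022:rwx
group:BIGON\134domain\040admins:rwx
group:BIGON\134enterprise\040admins:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:NT\040AUTHORITY\134enterprise\040domain\040controllers:r-x
group:NT\040AUTHORITY\134system:rwx
"""
XIDS = {"3000004": "S-1-5-21-1392674437-3576424776-2708817219-519",
        "3000012": "S-1-5-11", "3000019": "S-1-5-9", "3000022": "S-1-5-18"}
print(audit(ACL, XIDS, "BIGON"))
```

For the ACL in the report all four numeric user: entries land in the mirrored list; an entry with no SID mapping, or with permissions that differ from its group: counterpart, lands in the unexplained list.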