
Re: [Samba] Problem sysvolreset




On Tue, 7 Mar 2017 10:26:03 -0800
Kris Lou via samba <samba@xxxxxxxxxxxxxxx> wrote:


> Hang on, can you explain this a little further?  I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, sysvolreset
> is not recommended to fix potential SysVol replication problems with
> GPO perms?
> 

No, Domain Admins doesn't get gidNumber 512 by default; it gets the
'RID' 512 by default, bit of a difference there.

Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also
gets mapped as 'ID_TYPE_BOTH'; this means that Domain Admins is both a
group and a user and therefore is able to own files etc. on Unix.

If you then give Domain Admins a gidNumber, it becomes just a group
and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset
seems to change the ACLs set when a GPO is added on a Windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not
to run sysvolreset if you add any GPOs.

Rowland
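
The following audit check is an added example, not part of the message above and not Samba's own code. It assumes LDIF text shaped like ldbsearch output for sam.ldb and idmap.ldb; the SID, DNs and xidNumber are constructed sample values, and `parse_ldif` and `audit_domain_admins` are hypothetical helper names.

```python
import re

# Constructed sample records (not real data); the domain SID is made up.
SID_512 = "S-1-5-21-1111111111-2222222222-3333333333-512"
IDMAP_LDIF = f"""\
dn: CN={SID_512}
objectClass: sidMap
objectSid: {SID_512}
type: ID_TYPE_BOTH
xidNumber: 3000008
"""
SAM_LDIF_OK = f"""\
dn: CN=Domain Admins,CN=Users,DC=example,DC=test
objectSid: {SID_512}
"""
# Same record after someone has assigned a gidNumber to the group.
SAM_LDIF_BAD = SAM_LDIF_OK + "gidNumber: 512\n"

def parse_ldif(text):
    """Split LDIF into records (blank-line separated) of {attr_lower: value}."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and continuation noise
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        if rec:
            records.append(rec)
    return records

def audit_domain_admins(sam_ldif, idmap_ldif):
    """Return findings for the RID 512 group (Domain Admins)."""
    findings = []
    for rec in parse_ldif(sam_ldif):
        if rec.get("objectsid", "").endswith("-512") and "gidnumber" in rec:
            findings.append(f"sam.ldb: gidNumber {rec['gidnumber']} set on {rec['dn']}; "
                            "group can no longer own files as a user")
    for rec in parse_ldif(idmap_ldif):
        if rec.get("objectsid", "").endswith("-512") and rec.get("type") != "ID_TYPE_BOTH":
            findings.append(f"idmap.ldb: type is {rec.get('type')}, expected ID_TYPE_BOTH")
    return findings

if __name__ == "__main__":
    for label, sam in (("default", SAM_LDIF_OK), ("gidNumber added", SAM_LDIF_BAD)):
        print(label, "->", audit_domain_admins(sam, IDMAP_LDIF) or "no findings")
```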

