Web lists-archives.com

Re: [Samba] Can't create/update Group Policy in Samba 4.6.5




On Tue, 4 Jul 2017 16:04:20 -0300
Marcio Demetrio Bacci via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Louis
> 
> 
> I have moved "empresa.com.br" folder to /root. After I run samba-tool
> ntacl sysvolreset, but some errors appear:

Please put it back.

Also which DC is this on, your first DC or the second one ? and if it is
the second one, have you followed the wiki page I pointed you to, on
your other post ?

Or to put it another way, do both of your DCs sysvol directories (and
sub-directories) match and have you synced idmap.ldb from the first DC
to the second DC.

I know what Louis told you to do, but you should only give 'Domain
Users' a gidNumber attribute, you can also give 'Domain Admins' a
gidNumber, but I personally think it is better to create a group called
'Unix Admins', make this group a member of 'Domain Admins' and then
give this new group a gidNumber. Now use this group when setting
permissions from Windows. My reasoning behind this: 'Domain Admins'
needs to own policies in sysvol, it cannot do this if it has a
gidNumber attribute.
Do not give any other user or group from the well known sids a
uidNumber or gidNumber, see here for the well known sids:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba