Re: [Samba] sysvolreset doesn't reset all ACLs
- Date: Thu, 24 Aug 2017 14:15:53 +0200
- From: Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
On 2017-08-24 13:00, Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>> On Thu, 24 Aug 2017 12:03:42 +0200
>>> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>>> Where does the error come from, and why doesn't sysvolreset fix it?
>>> Mainly because (from my testing) sysvolcheck/sysvolreset is broken.
>>> I do not write 'C' code and the problem seems to be in set_nt_acl
>>> from source3/smbd/posix_acls.c
>>> It doesn't set the correct ACL.
>>> I have opened a bug for this:
>> Ah, crap.
> I actually used worse words when I found out why I couldn't get my work
> on the python code to work. ;-)
>>> Even when this gets fixed, the python code will need work, because
>>> it doesn't do what Windows does. Also, anybody who has set a
>>> gidNumber on Domain Admins will need to remove it; the group needs
>>> to own things in sysvol and with a gidNumber it cannot.
>> Does this apply only to sysvolreset or also when fixing ACLs from
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group, 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'.
Does removing the gidNumber retroactively allow it to work?
(That is, once I figured out how to reset the ACLs from within Windows.)
>>> The recommendation at the moment is to not use either sysvolreset or
>>> sysvolcheck. Do everything from Windows.
>> I presume with this?
>> Or some other way?
> Not sure, I actually don't use GPOs ;-)
> Louis is your man, he is the expert here.
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas@xxxxxx | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
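Added example, not code from this thread or from Samba: a POSIX sh pre-flight check that encodes the two conditions Rowland describes (no gidNumber on 'Domain Admins', and its SID mapped as ID_TYPE_BOTH in idmap.ldb). The sam.ldb/idmap.ldb location and the ldbsearch queries are assumptions for a default source install; the parsing functions take ldbsearch output as text, so they can be exercised without a DC.

```shell
#!/bin/sh
# Added example, not Samba's code: pre-flight check for the two conditions
# Rowland describes before resetting sysvol ACLs. Paths/queries are assumptions
# for a default source install; set SAMBA_PRIVATE for packaged layouts.
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/usr/local/samba/private}"

# $1 = ldbsearch LDIF text for the group. Succeeds when no gidNumber is present
# (a gidNumber turns 'Domain Admins' into a plain group that cannot own files).
domain_admins_has_no_gid() {
    ! printf '%s\n' "$1" | grep -qi '^gidNumber:'
}

# $1 = ldbsearch LDIF text of the idmap.ldb record. Succeeds on ID_TYPE_BOTH,
# the mapping that lets the group own sysvol files and directories.
idmap_type_is_both() {
    printf '%s\n' "$1" | grep -qx 'type: ID_TYPE_BOTH'
}

# Pull the SID out of the group's LDIF (ldbsearch prints objectSid as S-1-5-...).
sid_of() {
    printf '%s\n' "$1" | sed -n 's/^objectSid: //p' | head -n 1
}

# Live queries; they need a running DC and are not used by the parsers above.
query_domain_admins() {
    ldbsearch -H "$SAMBA_PRIVATE/sam.ldb" '(sAMAccountName=Domain Admins)' gidNumber objectSid
}
query_idmap() {
    ldbsearch -H "$SAMBA_PRIVATE/idmap.ldb" "(objectSid=$1)" type xidNumber
}

# Exit 0 if both conditions hold, 1 if a condition fails, 2 if a query failed.
sysvol_preflight() {
    grp=$(query_domain_admins) || return 2
    domain_admins_has_no_gid "$grp" ||
        { echo "Domain Admins carries a gidNumber; remove it first" >&2; return 1; }
    map=$(query_idmap "$(sid_of "$grp")") || return 2
    idmap_type_is_both "$map" ||
        { echo "Domain Admins is not mapped ID_TYPE_BOTH in idmap.ldb" >&2; return 1; }
    echo "ok: Domain Admins can own sysvol"
}

# Run the live check only when asked, so sourcing the file stays side-effect free.
case "${1:-}" in --run) sysvol_preflight ;; esac
```

Run it on the DC as `sh sysvol_preflight.sh --run`; a non-zero exit names the condition that fails before you touch the ACLs.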