Re: [Samba] sysvolreset doesn't reset all ACLs
- Date: Fri, 25 Aug 2017 11:10:34 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
On Fri, 25 Aug 2017 11:32:23 +0200
Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Time to take a step back: My original problem is that clients can no
> longer read or update their GPOs.
> Domain Admins used to have a gid set, this was corrected before my
> last attempt to restore permissions via GPMC. (A dummy `Unix Domain
> Admins` group was added to take over the NIS members.)
> Enterprise Admin used to have a gid set, too. By the time I realized
> it, GPMC no longer complained about wrong permissions, and I can't
> request it to fix the permissions.
Really the only Windows group that needs a gidNumber is 'Domain
Users'. There may be special cases for other groups having a gidNumber,
but I cannot think of any.
> Testparm output is attached.
> Only remaining stubborn client is my VM, which still can't find…
> something. I'm not sure if it's even related to this issue, or an
> unrelated trust relationship issue.
Can I suggest you try this smb.conf on your DC (preferably when
everybody has logged off):
realm = AD.TAO.AT
workgroup = AD
dns forwarder = 126.96.36.199
ldap server require strong auth = No
logging = syslog
disable spoolss = Yes
load printers = No
printcap name = /dev/null
server role = active directory domain controller
tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
tls certfile = /etc/ssl/certs/graz-dc.ad.tao.at.crt
tls keyfile = /etc/ssl/private/graz-dc.ad.tao.at.key
template homedir = /home/%U
template shell = /bin/zsh
idmap_ldb:use rfc2307 = yes
include = /etc/samba/site.conf
printing = bsd
It is yours without all the unrequired lines.
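
Added example (not part of the original message, and not Samba project code): a check for the gidNumber point discussed above. It reads LDIF in the layout ldbsearch prints and lists every group other than 'Domain Users' that carries a gidNumber. The names SAMPLE_LDIF, ALLOWED, parse_ldif and groups_with_unexpected_gid are hypothetical, and the sample records are constructed.

```python
import base64

# Constructed sample in the LDIF layout ldbsearch prints; not data from the thread.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=Enterprise Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName:: RW50ZXJwcmlzZSBBZG1pbnM=
gidNumber: 10002

dn: CN=Schema Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Schema Admins
# returned 4 records
"""

ALLOWED = {"domain users"}  # assumption taken from the reply; extend per site

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per LDIF record."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in text.split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record.setdefault(attr.lower(), []).append(value.strip())
        if record:
            yield record

def groups_with_unexpected_gid(text):
    """Return (name, gidNumber) for groups outside ALLOWED that carry a gidNumber."""
    groups = [r for r in parse_ldif(text)
              if "group" in r.get("objectclass", []) and "gidnumber" in r]
    named = [(r.get("samaccountname", r.get("dn", ["?"]))[0],
              r["gidnumber"][0]) for r in groups]
    return [(n, g) for n, g in named if n.lower() not in ALLOWED]
```

On a DC the input would come from an ldbsearch query against sam.ldb for group objects, requesting objectClass, sAMAccountName and gidNumber.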