
Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid




On Fri, 25 May 2018 15:07:57 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > running "samba-tool ntacl sysvolcheck" doesn't fix this.  
> 
> Well it wouldn't, they are both borked.
> 
> Just do administration from Windows 


OK, maybe this is something which should be mentioned in the wiki. The
reason I got to this was that I wanted to try sysvol replication. The wiki mentions at 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
you should i.e. copy idmap.ldb from the first DC to the new DC and then run 
"samba-tool ntacl sysvolreset".

Is this instruction still valid?

> > S-1-5-32-544 is the Administrator group, which is a builtin group. I  
> 
> No, it is the 'Administrators' group

Yes, of course

> > noticed, that this group already existed in the Samba 3 OpenLDAP DIT
> > with gidNumber 514.   
> 
> If we take it that '514' is actually a windows RID, then the group
> should be Domain Guests.

Yeah, it was 544. It is Friday afternoon - maybe not the best time to
write technical mails;)

> From my experience, the only AD user/group in AD with a RID less than
> 1000 that should have a uidNumber or gidNumber is Domain Users.
> 
> > So my first idea was to remove those Posix attributes from the
> > problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> > to no avail.  
> 
> Ah, you probably missed the magic incantation 'net cache flush' ;-)

That was it. Thank you.

Kind regards,

Henry
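
The thread's rule of thumb (no uidNumber or gidNumber on objects with a RID below 1000, except Domain Users) can be checked against an LDIF export. This is an added example, not part of the original mail or of Samba; it assumes the export lists objectSid in string form, and the domain SID, DNs and ID values in the sample are constructed.

```python
import re

# Constructed sample shaped like an LDIF export of AD objects (not from the thread).
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-544
gidNumber: 544

dn: CN=Backup Operators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-551

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Guests,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-514
gidNumber: 514

dn: CN=henry,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
uidNumber: 10001
"""

POSIX_ATTRS = ("uidNumber", "gidNumber")

def parse_entries(ldif):
    """Split LDIF into dicts; handles single-valued, unfolded, non-base64 lines only."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "dn" in entry:
            yield entry

def find_suspect_mappings(ldif):
    """Return (dn, sid, attr, value) for RID < 1000 entries that carry POSIX IDs."""
    hits = []
    for e in parse_entries(ldif):
        sid = e.get("objectSid", "")
        if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
            continue  # missing or binary/base64 SID: skip rather than guess
        rid = int(sid.rsplit("-", 1)[1])
        # Domain Users (RID 513 under a domain SID) is the one allowed exception.
        if rid >= 1000 or (sid.startswith("S-1-5-21-") and rid == 513):
            continue
        hits += [(e["dn"], sid, a, e[a]) for a in POSIX_ATTRS if a in e]
    return hits

print(find_suspect_mappings(SAMPLE_LDIF))
```

After removing any flagged attributes, the cached mappings still have to be cleared with `net cache flush`, as noted in the thread.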
