
Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid

On Fri, 25 May 2018 16:39:22 +0200
Henry Jensen <hjensen@xxxxxxxxxxx> wrote:

> 
> OK, maybe this is something which should be mentioned in the wiki. The
> reason I got to this was that I wanted to try sysvol replication. The
> wiki mentions at
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> you should i.e. copy idmap.ldb from the first DC to the new DC and
> then run "samba-tool ntacl sysvolreset".
> 
> Is this instruction still valid?

The problem with sysvolcheck & sysvolreset is they have never used the
owner, group and ACLs that Windows uses. Having said that, as long as
no BUILTIN or DOMAIN user or group (except Domain Users) has a uidNumber
or gidNumber AND you haven't added any extra GPOs, it will work, you
just have to ignore that error message.
When you add ANY extra GPOs, then never ever use sysvolcheck or
sysvolreset. You should also never give Domain Admins a gidNumber
attribute, this turns the Windows group into a Unix group. You are now
probably thinking 'what?', a group is just a group, right? Well, no,
a Windows group can do something that no Unix group can, it can own
files and directories and guess what needs to own files and directories
in sysvol?

Rowland
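An added illustration of the mechanism Rowland describes (example code written for this page, not Samba's own code). It models the idmap rule on a Samba AD DC as I understand it, which is an assumption of the example: an AD object that carries a uidNumber is mapped only as a user (ID_TYPE_UID), one that carries only a gidNumber is mapped only as a group (ID_TYPE_GID), and an object with neither gets an ID_TYPE_BOTH entry allocated in idmap.ldb, which is what lets a Windows group such as BUILTIN\Administrators (S-1-5-32-544) own files in sysvol. Every SID, name, xidNumber and attribute below is constructed; the idmap.ldb records imitate ldbsearch output and are not copied from any real database. The `check_sysvol_owners` helper shows the clean case resolving to uids, and then what happens to the same SID once someone gives the group a gidNumber: the owner lookup fails with the message from the subject line.

```python
"""Illustration of the Samba AD DC idmap rule behind
"Could not convert sid S-1-5-32-544 to uid".

Added example, not Samba's code. All SIDs, names, xidNumbers and attributes
are constructed. The mapping rule encoded here (uidNumber -> user only,
gidNumber -> group only, neither -> allocated ID_TYPE_BOTH entry in
idmap.ldb) is the author's understanding of the DC's passdb idmap, stated
as an assumption of this example.
"""
from typing import Dict, Tuple

ID_TYPE_UID = "ID_TYPE_UID"
ID_TYPE_GID = "ID_TYPE_GID"
ID_TYPE_BOTH = "ID_TYPE_BOTH"

# Constructed AD objects: SID -> name and the RFC2307 attributes set on it.
AD_OBJECTS = {
    "S-1-5-32-544":        {"name": "BUILTIN\\Administrators", "attrs": {}},
    "S-1-5-21-1-2-3-512":  {"name": "Domain Admins", "attrs": {}},
    "S-1-5-21-1-2-3-513":  {"name": "Domain Users", "attrs": {"gidNumber": 10000}},
    "S-1-5-21-1-2-3-1104": {"name": "hjensen",
                            "attrs": {"uidNumber": 10001, "gidNumber": 10000}},
}

# Constructed idmap.ldb records (ldbsearch-style LDIF): allocated
# ID_TYPE_BOTH mappings for objects that carry no uidNumber/gidNumber.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_BOTH
xidNumber: 3000001
"""


def parse_idmap_ldif(text: str) -> Dict[str, Tuple[str, int]]:
    """Parse blank-line-separated LDIF records into {objectSid: (type, xidNumber)}."""
    mappings = {}
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        if "objectSid" in entry and "xidNumber" in entry:
            mappings[entry["objectSid"]] = (entry["type"], int(entry["xidNumber"]))
    return mappings


def sid_to_id(sid: str, ad_objects: dict, idmap: dict) -> Tuple[str, int]:
    """Resolve a SID to (id type, number). An RFC2307 attribute on the AD
    object takes precedence over an allocated idmap.ldb entry (assumption)."""
    attrs = ad_objects.get(sid, {}).get("attrs", {})
    if "uidNumber" in attrs:
        return ID_TYPE_UID, attrs["uidNumber"]
    if "gidNumber" in attrs:
        return ID_TYPE_GID, attrs["gidNumber"]
    if sid in idmap:
        return idmap[sid]
    raise KeyError(f"no mapping for {sid}")


def sid_to_uid(sid: str, ad_objects: dict, idmap: dict) -> int:
    """A file owner needs a uid; a SID mapped only as a group cannot supply one."""
    id_type, number = sid_to_id(sid, ad_objects, idmap)
    if id_type == ID_TYPE_GID:
        raise ValueError(f"Could not convert sid {sid} to uid")
    return number


def check_sysvol_owners(owner_sids, ad_objects: dict, idmap: dict) -> Dict[str, str]:
    """Per candidate sysvol owner SID, report the uid it resolves to or the error."""
    report = {}
    for sid in owner_sids:
        try:
            report[sid] = f"uid {sid_to_uid(sid, ad_objects, idmap)}"
        except ValueError as exc:
            report[sid] = str(exc)
    return report


def with_gid_number(ad_objects: dict, sid: str, gid: int) -> dict:
    """Copy of the directory in which `sid` has been given a gidNumber."""
    copy = {s: {"name": o["name"], "attrs": dict(o["attrs"])}
            for s, o in ad_objects.items()}
    copy[sid]["attrs"]["gidNumber"] = gid
    return copy


IDMAP = parse_idmap_ldif(IDMAP_LDIF)
# Constructed: the two Windows groups assumed to own sysvol objects here.
OWNERS = ["S-1-5-32-544", "S-1-5-21-1-2-3-512"]

if __name__ == "__main__":
    print("clean directory:", check_sysvol_owners(OWNERS, AD_OBJECTS, IDMAP))
    broken = with_gid_number(AD_OBJECTS, "S-1-5-32-544", 10512)
    print("after gidNumber:", check_sysvol_owners(OWNERS, broken, IDMAP))
```

The point of `with_gid_number` is that nothing in idmap.ldb changes: the allocated ID_TYPE_BOTH record is still there, but once the AD object carries a gidNumber the lookup never reaches it, so the group can no longer be expressed as a file owner. That is the situation Rowland is warning about for Domain Admins, and it is why Domain Users, which needs a gidNumber as a primary group but owns nothing in sysvol, is the exception.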

