Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
- Date: Fri, 25 May 2018 17:27:51 +0200
- From: Henry Jensen via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
On Fri, 25 May 2018 16:09:11 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > OK, maybe this is something which should be mentioned in the wiki. The
> > reason I got to this was that I wanted to try sysvol replication. The
> > wiki mentions at
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > you should i.e. copy idmap.ldb from the first DC to the new DC and
> > then run "samba-tool ntacl sysvolreset".
> > Is this instruction still valid?
> The problem with sysvolcheck & sysvolreset is they have never used the
> Owner, group and ACLs that Windows uses. Having said that, as long as
> no BUILTIN or DOMAIN user or group (except Domain Users) has a uidNumber
> or gidNumber AND you haven't added any extra GPOs, it will work, you
> just have to ignore that error message.
> When you add ANY extra GPOs, then never ever use sysvolcheck or
> sysvolreset. You should also never give Domain Admins a gidNumber
> attribute, this turns the Windows group into a Unix group. You are now
> probably thinking 'what?', a group is just a group, right? Well, no,
> a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories
> in sysvol??
Thanks again. This is something I will write in our internal admin wiki.
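
The condition described in the quoted reply (no BUILTIN or DOMAIN user or group other than Domain Users carrying a uidNumber or gidNumber) can be checked before running sysvolreset. The following Python is an added example, not part of the original thread or of Samba. It assumes an LDIF export in which objectSid appears in string form, and it treats domain RIDs below 1000 as the "DOMAIN" accounts meant in the reply; the sample data is constructed.

```python
import re

# Constructed sample in the style of an LDIF export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-544
gidNumber: 10001

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 10002

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=jdoe,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1104
uidNumber: 10500
"""

DOMAIN_USERS_RID = 513   # the one exception named in the thread
FIRST_NORMAL_RID = 1000  # assumption: lower RIDs are the default domain accounts

def parse_ldif(text):
    """Yield one dict per record (single-valued attributes, no line folding)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            # Skip comments and base64 ("attr:: ...") values, which are not decoded here.
            if sep and not key.endswith(":") and not key.startswith("#"):
                entry[key] = value.strip()
        if "dn" in entry:
            yield entry

def is_protected(sid):
    """True for BUILTIN SIDs and default domain accounts other than Domain Users."""
    if sid.startswith("S-1-5-32-"):
        return True
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return bool(m) and int(m.group(1)) < FIRST_NORMAL_RID and int(m.group(1)) != DOMAIN_USERS_RID

def find_offenders(ldif_text):
    """Return (dn, [attribute names]) for protected objects with Unix IDs set."""
    hits = []
    for e in parse_ldif(ldif_text):
        attrs = [a for a in ("uidNumber", "gidNumber") if a in e]
        if attrs and is_protected(e.get("objectSid", "")):
            hits.append((e["dn"], attrs))
    return hits
```

An empty result from `find_offenders` means the export contains no protected object with a uidNumber or gidNumber; it says nothing about whether extra GPOs have been added, which the reply names as a separate condition.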