
Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid




On Fri, 25 May 2018 16:09:11 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > OK, maybe this is something which should be mentioned in the wiki. The
> > reason I got to this was that I wanted to try sysvol replication. The
> > wiki mentions at
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > you should i.e. copy idmap.ldb from the first DC to the new DC and
> > then run "samba-tool ntacl sysvolreset".
> > 
> > Is this instruction still valid?  
> 
> The problem with sysvolcheck & sysvolreset is they have never used the
> Owner, group and ACLs that Windows uses. Having said that, as long as
> no BUILTIN or DOMAIN user or group (except Domain Users) has a uidNumber
> or gidNumber AND you haven't added any extra GPOs, it will work, you
> just have to ignore that error message.
> When you add ANY extra GPOs, then never ever use sysvolcheck or
> sysvolreset. You should also never give Domain Admins a gidNumber
> attribute, this turns the Windows group into a Unix group. You are now
> probably thinking 'what?', a group is just a group, right? Well, no,
> a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories
> in sysvol??


Thanks again. This is something I will write in our internal admin wiki.


Kind Regards,

Henry
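
An added example, not part of the original messages and not Samba's own code: a Python check for the condition described in the quoted reply, flagging BUILTIN or default domain objects (other than Domain Users) that carry a uidNumber or gidNumber. The LDIF is constructed, objectSid is assumed to be exported in string form, and treating domain RIDs below 1000 as the default accounts and groups is this example's assumption.

```python
import re

# Constructed sample LDIF (not from the thread). Assumptions: objectSid is in
# string form and S-1-5-21-1111111111-2222222222-3333333333 is a placeholder.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10001

dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-544
gidNumber: 10002

dn: CN=henry,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 10003
"""

BUILTIN_SID = re.compile(r"^S-1-5-32-\d+$")
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
DOMAIN_USERS_RID = 513   # the one exception named in the thread
FIRST_CUSTOM_RID = 1000  # assumption: lower RIDs are default accounts/groups

def parse_entries(ldif):
    """Split LDIF text into one {attribute: value} dict per entry."""
    blocks = re.split(r"\n\s*\n", ldif.strip())
    return [dict(line.split(": ", 1) for line in b.splitlines() if ": " in line)
            for b in blocks]

def risky_mappings(ldif):
    """Return (dn, attribute) for BUILTIN/default domain objects with Unix IDs."""
    hits = []
    for e in parse_entries(ldif):
        sid = e.get("objectSid", "")
        m = DOMAIN_SID.match(sid)
        rid = int(m.group(1)) if m else None
        default_domain = rid is not None and rid < FIRST_CUSTOM_RID \
            and rid != DOMAIN_USERS_RID
        if BUILTIN_SID.match(sid) or default_domain:
            hits += [(e["dn"], a) for a in ("uidNumber", "gidNumber") if a in e]
    return hits

if __name__ == "__main__":
    print(risky_mappings(SAMPLE_LDIF))
```

The parser does not handle folded or base64-encoded LDIF values, so a real export may need unwrapping first.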


