Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
- Date: Fri, 25 May 2018 18:22:21 +0200
- From: Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
On 25 May 2018 at 17:09, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
> On Fri, 25 May 2018 16:39:22 +0200
> Henry Jensen <hjensen@xxxxxxxxxxx> wrote:
> > OK, maybe this is something which should be mentioned in the wiki. The
> > reason I got to this was that I wanted to try sysvol replication. The
> > wiki mentions at
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_
> > you should i.e. copy idmap.ldb from the first DC to the new DC and
> > then run "samba-tool ntacl sysvolreset".
> > Is this instruction still valid?
> The problem with sysvolcheck & sysvolreset is they have never used the
> Owner, group and ACLs that windows uses. Having said that, as long as
> no BUILTIN or DOMAIN user or group (except Domain Users) has a uidNumber
> or gidNumber AND you haven't added any extra GPOs, it will work, you
> just have to ignore that error message.
> When you add ANY extra GPOs, then never ever use sysvolcheck or
> sysvolreset. You should also never give Domain Admins a gidNumber
> attribute, this turns the windows group into a Unix group. You are now
> probably thinking 'what?', a group is just a group, right? Well, no,
> a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories
> in sysvol?
This indeed looks like very crucial information that should be part of the
wiki. Or maybe I just missed it.
Now, my domain admins group (as well as every other group) does have a
gidNumber, and my configuration (with many, many extra GPOs) is working
just fine. Well, maybe not "just" fine, I had to set "ignore system acls =
no" in order for ACLs to work properly. But I ran sysvolcheck and
sysvolreset many times with no issues.
I'm curious, do you consider it safe to now remove the gidNumber from all
groups except domain users? Would I break something?
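One way to audit for the condition Rowland describes above (Windows groups that carry a gidNumber and have therefore become Unix groups), as an added example that is not part of this thread or of Samba: it parses the output of an `ldbsearch` query against sam.ldb (the invocation in the docstring is assumed) and flags BUILTIN groups and well-known domain groups other than Domain Users. The rule that RIDs below 1000 denote well-known domain groups, and the sample LDIF, are my assumptions, not something the thread states.

```python
"""Audit which AD groups carry a gidNumber (input in the shape of, assumed invocation:
ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=group)(gidNumber=*))' cn objectSid gidNumber)."""
BUILTIN_PREFIX = "S-1-5-32-"   # BUILTIN groups, e.g. S-1-5-32-544 Administrators from the subject line
DOMAIN_USERS_RID = 513         # the one well-known group the advice above exempts
WELL_KNOWN_RID_MAX = 1000      # assumption: RIDs below 1000 are reserved well-known accounts

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry (folded lines and base64 '::' values not handled)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank line or ldbsearch comment ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def unix_mapped_windows_groups(ldif_text):
    """Names of groups that carry a gidNumber although the advice above says they should not."""
    flagged = []
    for e in parse_ldif(ldif_text):
        sid = e.get("objectSid", "")
        if "gidNumber" not in e or not sid:
            continue
        rid = int(sid.rsplit("-", 1)[-1])             # last SID component is the RID
        if sid.startswith(BUILTIN_PREFIX) or (rid < WELL_KNOWN_RID_MAX and rid != DOMAIN_USERS_RID):
            flagged.append(e["cn"])
    return flagged

# Constructed sample in ldbsearch's output shape (domain SID and gidNumbers are made up).
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
cn: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=example,DC=com
cn: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10001

dn: CN=Administrators,CN=Builtin,DC=example,DC=com
cn: Administrators
objectSid: S-1-5-32-544
gidNumber: 10002
"""
```

Calling `unix_mapped_windows_groups(SAMPLE_LDIF)` returns `['Domain Admins', 'Administrators']`; Domain Users keeps its gidNumber and is not reported.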