Web lists-archives.com

Re: [Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid




On Fri, 25 May 2018 18:22:21 +0200
Viktor Trojanovic <viktor@xxxxxxxx> wrote:

> On 25 May 2018 at 17:09, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > On Fri, 25 May 2018 16:39:22 +0200
> > Henry Jensen <hjensen@xxxxxxxxxxx> wrote:
> >
> > >
> > > OK, maybe this is something which should be mentioned in the
> > > wiki. The reason I got to this was that I wanted to try sysvol
> > > replication. The wiki mentions at
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_
> > Existing_Active_Directory
> > > you should i.e. copy idmap.ldb from the first DC to the new DC and
> > > then run "samba-tool ntacl sysvolreset".
> > >
> > > Is this instruction still valid?
> >
> > The problem with sysvolcheck & sysvolreset is they have never used
> > the Owner, group and ACLs that windows uses. Having said that, as
> > long as no BULTIN or DOMAIN user or group (except Domain Users) has
> > a uidNumber or gidNumber AND you haven't added any extra GPOs, it
> > will work, you just have to ignore that error message.
> > When you add ANY extra GPOs, then never ever use sysvolcheck or
> > sysvolreset. You should also never give Domain Admins a gidNumber
> > attribute, this turns the windows group into a Unix group. You are
> > now probably thinking 'what?', a group is just a group, right ?
> > Well, no, a Windows group can do something that no Unix group can,
> > it can own files and directories and guess what needs to own files
> > and directories in sysvol ??
> >
> >
> Hi Rowland,
> 
> This indeed looks like very crucial information that should be part
> of the wiki. Or maybe I just missed it.
> 
> Now, my domain admins group (as well as every other group) does have a
> gidNumber, and my configuration (with many, many extra GPOs) is
> working just fine. Well, maybe not "just" fine, I had to set "ignore
> system acls = no" in order for ACL's to work properly. But I ran
> sysvolcheck and sysvolreset many times with no issues.
> 
> I'm curious, do you consider it safe to now remove the gidNumber from
> all groups except domain users? Would I break something?
> 
> Viktor

If everything is working for you, I would just leave everything alone,
but make a note and then if something does go wrong, you have an hint
where to possibly look ;-)

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba