Automate skipping of Domain Admins GID in classicupgrade

Andrew Bartlett abartlet at
Wed Oct 3 21:49:10 MDT 2012

Ricky (and others)

The WHATSNEW has this known issue:

- 'samba-tool domain classicupgrade' will fail when setting ACLs on
  the GPO folders with NT_STATUS_INVALID_OWNER in the default
  configuration.  This happens if, as is typical, a 'domain admins'
  group (-512) is mapped in the passdb backend being upgraded.  This
  is because the group mapping to a GID only prevents Samba from
  allocating a uid for that group.  The uid is needed so the 'domain
  admins' group can own the GPO file objects.

  To work around this issue, remove the 'domain admins' group before
  upgrade, as it will be re-created automatically.  You will
  of course need to fill in the group membership again.  A future
  will make this automatic, or find some other workaround.

The attached patch makes it automatic.  Can you test it and check it

I hope to propose something better (a way to select a value for a
combined (IDMAP_BOTH) uid and gid for domain admins) and a way to store
it in the AD directory, but for now this might help.

Please let me know,

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-Ignore-GID-assigned-to-domain-admins-duri.patch
Type: text/x-patch
Size: 1847 bytes
Desc: not available