Automate skipping of Domain Admins GID in classicupgrade
abartlet at samba.org
Wed Oct 3 21:49:10 MDT 2012
Ricky (and others)
The WHATSNEW has this known issue:
- 'samba-tool domain classicupgrade' will fail when setting ACLs on
the GPO folders with NT_STATUS_INVALID_OWNER in the default
configuration. This happens if, as is typical, a 'domain admins'
group (-512) is mapped in the passdb backend being upgraded. This
is because the group mapping to a GID only prevents Samba from
allocating a uid for that group. The uid is needed so the 'domain
admins' group can own the GPO file objects.
To work around this issue, remove the 'domain admins' group before
upgrade, as it will be re-created automatically. You will
of course need to fill in the group membership again. A future
will make this automatic, or find some other workaround.
The attached patch makes it automatic. Can you test it and check it
I hope to propose something better (a way to select a value for a
combined (IDMAP_BOTH) uid and gid for domain admins) and a way to store
it in the AD directory, but for now this might help.
Please let me know,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1847 bytes
Desc: not available