samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1
abartlet at samba.org
Tue Oct 9 05:35:23 MDT 2012
On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> Hi samba team,
> yesterday I was trying to understand why my DC account created during
> provisioning (for the primary DC) and during join (for secondary DC) do
> not have any permission on the sysvol folder.
> Did I break something "posixifying" the AD default groups?

Like installations that are upgraded from Samba3 and have GID allocated
for domain admins, there is the issue that because 'domain admins'
actually owns files in the sysvol directory, it needs to also map as a
The IDMAP_BOTH tag in idmap.ldb indicates this.
However, there is not (yet) a way to indicate this in the AD directory.
My thoughts are to add an optional extra schema that can be imported,
and that administrators wishing to set a SID -> UID and GID mapping can
to the user and group objects, and have it regard a uidNumber as also
being a gidNumber and vice versa.
This would allow a per-object selection that the administrator has
confirmed that the uid and gid spaces do not conflict in this specific
The other approach is to try and ignore the problem, and this attached
patch tries to simply avoid doing the chown, instead changing the file
to be owned by either administrator or root, but then lying about the
I need feedback to confirm that this all works properly for GPO
manipulation, so if you can test that it would be most helpful.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 8303 bytes
Desc: not available