wellknown and uid/gid interactions on multi DC samba AD domain

steve steve at steve-ss.com
Thu May 15 06:46:14 MDT 2014

On Thu, 2014-05-15 at 13:33 +0200, Daniele Dario wrote:
> On gio, 2014-05-15 at 11:57 +0200, steve wrote:

> > 
> > If the GPO isn't working, try a big hammer:
> > samba-tool ntacl set
> > 'O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)' /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> > We are in the lab here, aren't we?
> > 
> The big hammer doesn't work :(
>  It would be possible that the error was already present
> 'cause I've never tried to run sysvolcheck against the DC in the past. I
> just trusted in sysvolreset.

Are we doing this because the GPO(s) aren't working? Was samba active
when you set the sddl? It worked OK here with no samba processes.
Otherwise we're out of ideas over here.

More information about the samba-technical mailing list