[Samba] can't remove groups in AD

herman herman at aeronetworks.ca
Tue Oct 30 23:48:30 GMT 2007

Martin Hauptmann wrote:
> Hi,
> I set up a samba 3.0.26a as an ads-member of a windows 2003 Small
> Business Server.
> Every windows user in the domain can read and write their files,
> everyone's happy.
> My problem is that I cannot set up security groups in the AD. When I
> try, I do not get an error message, but my changes are being silently
> ignored.
> I cannot set rights exceeding read, write, execute and owner.
> E.g. I cannot remove the group 'everyone' from the file access list.
> When I do and confirm I do not get an error message, but when I review
> the settings, nothing has changed, 'everyone' is still in the list.
> It is the same when I try to set or unset full access to files - no
> error message, but no success.
> I tried different settings concerning heritage, but that did not help.
> There are some other postings in the mailing list that sound quite
> similar, related to versions >3.0.25. Maybe there is a bug in these
> versions?
> My smb.conf: http://www.pastebin.ca/753491
> Regards
> Martin
Did you perhaps change anything in ADS?  I have found that one should 
NEVER change the spelling of a record, or drag a user or group somewhere 
else.  Doing so totally screws up winbind.

To fix it, I suggest that you create a new OU with groups and users in 
the OU, ensure everything works, then set the security policy of the OU 
and finally delete the old dud users and groups.  Only delete the users 
and groups afterwards, to ensure that the GUIDs won't get re-used for 
the new records. 

I actually never delete records - I have a special OU called 'trash' and 
I drag and drop trashed users and groups there - to prevent GUID re-use 
and consequent side effects.  I don't know whether that is strictly 
necessary, but I was losing a lot of hair at one point so I became 
paranoid about never changing *anything* in ADS once created, and it 
really seems to work better this way.
