[Samba] sysvolreset doesn't reset all ACLs
Rowland Penny
rpenny at samba.org
Fri Aug 25 10:10:34 UTC 2017
On Fri, 25 Aug 2017 11:32:23 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:
> Time to take a step back: My original problem is that clients can no
> longer read or update their GPOs.
>
>
> Domain Admins used to have a gid set, this was corrected before my
> last attempt to restore permissions via GPMC. (A dummy `Unix Domain
> Admins` group was added to take over the NIS members.)
>
> Enterprise Admin used to have a gid set, too. By the time I realized
> it, GPMC no longer complained about wrong permissions, and I can't
> request it to fix the permissions.
Really the only Windows group that needs a gidNumber is 'Domain
Users'. There may be special cases for other groups having a gidNumber,
but I cannot think of any.
>
>
> Testparm output is attached.
>
>
> Only remaining stubborn client is my VM, which still can't find…
> something. I'm not sure if it's even related to this issue, or an
> unrelated trust relationship issue.
>
Can I suggest you try this smb.conf on your DC (preferably when
everybody has logged off):

[global]
    realm = AD.TAO.AT
    workgroup = AD
    dns forwarder = 85.214.20.141
    ldap server require strong auth = No
    logging = syslog
    disable spoolss = Yes
    load printers = No
    printcap name = /dev/null
    server role = active directory domain controller
    tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
    tls certfile = /etc/ssl/certs/graz-dc.ad.tao.at.crt
    tls keyfile = /etc/ssl/private/graz-dc.ad.tao.at.key
    template homedir = /home/%U
    template shell = /bin/zsh
    idmap_ldb:use rfc2307 = yes
    include = /etc/samba/site.conf
    printing = bsd

It is yours without all the unrequired lines.

Rowland