[Samba] sysvolreset doesn't reset all ACLs

[Rowland Penny]

On Fri, 25 Aug 2017 11:32:23 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> Time to take a step back: My original problem is that clients can no
> longer read or update their GPOs.
> 
> 
> Domain Admins used to have a gid set, this was corrected before my
> last attempt to restore permissions via GPMC. (A dummy `Unix Domain
> Admins` group was added to take over the NIS members.)
> 
> Enterprise Admin used to have a gid set, too. By the time I realized
> it, GPMC no longer complained about wrong permissions, and I can't
> request it to fix the permissions.

Really the only Windows group that needs a a gidNumber is 'Domain
Users'. There may be special cases for other groups having a gidNumber,
but I cannot think of any.

> 
> 
> Testparm output is attached.
> 
> 
> Only remaining stubborn client is my VM, which still can't find…
> something. I'm not sure if it's even related to this issue, or an
> unrelated trust relationship issue.
> 

Can I suggest you try this smb.conf on your DC (preferably when
everybody has logged off)

 [global]
	realm = AD.TAO.AT
	workgroup = AD
	dns forwarder = 85.214.20.141
	ldap server require strong auth = No
	logging = syslog
	disable spoolss = Yes
	load printers = No
	printcap name = /dev/null
	server role = active directory domain controller
	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
	tls certfile = /etc/ssl/certs/graz-dc.ad.tao.at.crt
	tls keyfile = /etc/ssl/private/graz-dc.ad.tao.at.key
	template homedir = /home/%U
	template shell = /bin/zsh
	idmap_ldb:use rfc2307 = yes
	include = /etc/samba/site.conf
	printing = bsd

It is yours without all the unrequired lines.

Rowland