[Samba] sysvolreset doesn't reset all ACLs

me at tdiehl.org me at tdiehl.org
Thu Aug 31 20:04:42 UTC 2017

On Thu, 24 Aug 2017, Rowland Penny via samba wrote:

> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> I actually used worse words when I found out why I couldn't get my work
> on the python code to work. ;-)
>> Does this apply only to sysvolreset or also when fixing ACLs from
>> Windows?
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'

So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers running
samba-4.6.2-8.el7.x86_64 on Centos 7.4. In setting up shares on the file
servers I see that
says to grant SeDiskOperatorPrivilege to the Domain Admins group.

If I follow Rowland's advice above and make a unix admins group, do I still
grant SeDiskOperatorPrivilege to Domain Admins or do I grant
SeDiskOperatorPrivilege to Unix Admins?

I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I want to
be sure.

Also, when I create the shares, do I set the permissions to root:Unix Admins?

If I do getent group "domain admins", nothing returns, which I believe is because
Domain Admins does not have a unix GID assigned.

If I do:
(vfs2 pts4) # getent group "unix admins"
unix admins:x:10001:
(vfs2 pts4) #

That works. Since unix admins is a member of domain admins, is that good enough?

I am trying very hard to get this right, but given all of these special cases
and documentation that gives different advice, it is difficult at best. I would
not have any chance of getting this working without all of the help on this
Thank You!!


Tom    me at tdiehl.org    Spamtrap address    me123 at tdiehl.org
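A check for the mapping rule Rowland describes above (ID_TYPE_BOTH in idmap.ldb versus a gidNumber on the group), as an added example that is not part of this thread or of Samba itself. It assumes a default DC private directory of /var/lib/samba/private, that wbinfo and ldbsearch are on the path, and that ldbsearch can query sam.ldb by sAMAccountName without an explicit search base.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a group such as
# 'Domain Admins' still has its ID_TYPE_BOTH entry in idmap.ldb and whether
# it has been given a gidNumber in AD, following the rule stated above.

# Assumed default private directory of a Samba AD DC.
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/var/lib/samba/private}

# Read ldbsearch output on stdin and print the 'type:' value of the first
# matching idmap.ldb entry, or NONE when nothing matched.
idmap_type() {
    awk '/^type:/ { print $2; found = 1; exit }
         END { if (!found) print "NONE" }'
}

# Read ldbsearch output on stdin and print the group's gidNumber, or
# "unset" when the attribute is absent.
gid_number() {
    awk '/^gidNumber:/ { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

# Combine both findings into a one-line verdict.
# $1 = idmap type, $2 = gidNumber (or "unset")
classify() {
    if [ "$2" != "unset" ]; then
        echo "group-only: gidNumber $2 is set, ID_TYPE_BOTH mapping no longer used, group cannot own files"
    elif [ "$1" = "ID_TYPE_BOTH" ]; then
        echo "ok: ID_TYPE_BOTH mapping, group can own files and directories in sysvol"
    else
        echo "unexpected: idmap type is $1"
    fi
}

# Live check on a DC (needs wbinfo and ldbsearch); the parsing functions
# above can also be fed constructed ldbsearch output for testing.
check_group() {
    sid=$(wbinfo -n "$1" | awk '{ print $1 }')
    [ -n "$sid" ] || return 1
    type=$(ldbsearch -H "$SAMBA_PRIVATE/idmap.ldb" "(objectSid=$sid)" type | idmap_type)
    gid=$(ldbsearch -H "$SAMBA_PRIVATE/sam.ldb" "(sAMAccountName=$1)" gidNumber | gid_number)
    classify "$type" "$gid"
}

# Usage: sh check_group.sh 'Domain Admins'
if [ -n "${1:-}" ]; then
    check_group "$1"
fi
```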
