[Samba] sysvolreset doesn't reset all ACLs

Rowland Penny rpenny at samba.org
Thu Aug 31 21:09:36 UTC 2017

On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
me at tdiehl.org wrote:

> On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
> > On Thu, 24 Aug 2017 12:41:36 +0200
> > Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >
> >> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >
> > I actually used worse words when I found out why I couldn't get my
> > work on the python code to work. ;-)
> >
> >> Does this apply only to sysvolreset or also when fixing ACLs from
> >> Windows?
> >
> > On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> > idmap.ldb, this makes it able to own files and dirs in sysvol. The
> > moment you give 'Domain Admins' a gidNumber, you break this mapping
> > and the group becomes just a group and cannot own anything on a Unix
> > machine, so my recommendation is to not give the group a gidNumber,
> > create another group 'Unix Admins', give this group a gidNumber and
> > make this group a member of 'Domain Admins'
> So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
> running samba-4.6.2-8.el7.x86_64 on Centos 7.4. In setting up shares
> on the file servers I see that
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> says to grant SeDiskOperatorPrivilege to the Domain Admins group.
> If I follow Rowland's advice above and make a unix admins group, do I
> still grant SeDiskOperatorPrivilege to Domain Admins or do I grant
> SeDiskOperatorPrivilege to Unix Admins?
> I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I
> want to be sure.

Basically, wherever the wiki page mentions 'Domain Admins' use 'Unix
Admins' instead (you don't have to use a group called 'Unix Admins', it
just seemed a logical name to me), so yes, you give both a gidNumber
and 'SeDiskOperatorPrivilege' to 'Unix Admins', you will also need to
make 'Unix Admins' a member of 'Domain Admins'.

> Also When I create the shares do I set the permissions to root:Unix
> Admins?

Yes, or 'Unix Admins' will not be able to do anything.

> If I do getent group "domain admins" nothing returns. Which I believe
> is because Domain Admins does not have a unix GID assigned.

Good, whilst 'Domain Admins' isn't used by the default GPOs, it is used
(as an owner) by other GPOs you will add.

> If I do:
> (vfs2 pts4) # getent group "unix admins"
> unix admins:x:10001:
> (vfs2 pts4) #
> That works. Since unix admins is a member of domain admins is that
> good enough?
> I am trying very hard to get this right but given all of these
> special cases and documentation that gives different advice, it is
> difficult at best. I would not have any chance of getting this
> working without all of the help on this list.

If you compare what Samba sets 'sysvol' to, to what a Windows 2012R2
does, there are lots of differences, these don't really affect the
default GPOs, but they do affect any other GPOs added and I cannot
attempt to fix the python code until the underlying 'C' code is fixed, I
cannot do this because I do not understand 'C'.
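As an added check, not from this thread or from Samba's own code: a small Python script that parses constructed ldbsearch-style output to confirm the two points made above, that 'Domain Admins' (well-known RID 512) is still mapped as ID_TYPE_BOTH in idmap.ldb and that only the separate Unix admin group carries a gidNumber. The attribute names follow idmap.ldb's sidMap entries; the SIDs, xidNumbers and the DC=example,DC=com base are constructed values.

```python
# Constructed sample of what `ldbsearch -H /var/lib/samba/private/idmap.ldb`
# shows on a DC (SIDs and xidNumbers are made up for this example).
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_GID
xidNumber: 10001
"""
# Constructed sample of the two group objects as `ldbsearch` on sam.ldb would
# show them (attributes trimmed); only 'Unix Admins' carries a gidNumber.
SAMPLE_GROUPS_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512

dn: CN=Unix Admins,CN=Users,DC=example,DC=com
sAMAccountName: Unix Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10001
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
"""
DOMAIN_ADMINS_RID = 512  # well-known RID of the 'Domain Admins' group

def parse_ldif(text):
    """Split LDIF into one dict per blank-line separated entry (last value wins)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(": ")
            current[key] = value.strip()
        elif current:
            entries.append(current)
            current = {}
    return entries

def domain_admins_mapping(idmap_ldif):
    """idmap 'type' recorded for RID 512 (ID_TYPE_BOTH lets the group own files)."""
    for e in parse_ldif(idmap_ldif):
        if int(e["objectSid"].rsplit("-", 1)[1]) == DOMAIN_ADMINS_RID:
            return e.get("type")
    return None  # no mapping at all

def groups_with_gidnumber(groups_ldif):
    """Groups carrying an rfc2307 gidNumber; 'Domain Admins' should not be listed."""
    return [e["sAMAccountName"] for e in parse_ldif(groups_ldif) if "gidNumber" in e]
```

Anything other than ID_TYPE_BOTH for RID 512, or 'Domain Admins' appearing in the gidNumber list, is the broken state described above, where the group can no longer own anything in sysvol.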
