[Samba] Can't create/update Group Policy in Samba 4.6.5

Rowland Penny rpenny at samba.org
Tue Jul 4 19:51:26 UTC 2017

On Tue, 4 Jul 2017 16:04:20 -0300
Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:

> Hi Louis
> I have moved "empresa.com.br" folder to /root. After I run samba-tool
> ntacl sysvolreset, but some errors appear:

Please put it back.

Also which DC is this on, your first DC or the second one ? and if it is
the second one, have you followed the wiki page I pointed you to, on
your other post ?

Or to put it another way, do both of your DCs sysvol directories (and
sub-directories) match and have you synced idmap.ldb from the first DC
to the second DC.

I know what Louis told you to do, but you should only give 'Domain
Users' a gidNumber attribute, you can also give 'Domain Admins' a
gidNumber, but I personally think it is better to create a group called
'Unix Admins', make this group a member of 'Domain Admins' and then
give this new group a gidNumber. Now use this group when setting
permissions from Windows. My reasoning behind this: 'Domain Admins'
needs to own policies in sysvol, it cannot do this if it has a
gidNumber attribute.
Do not give any other user or group from the well known sids a
uidNumber or gidNumber, see here for the well known sids:



More information about the samba mailing list