[Samba] Can't create/update Group Policy in Samba 4.6.5
Rowland Penny
rpenny at samba.org
Tue Jul 4 19:51:26 UTC 2017
On Tue, 4 Jul 2017 16:04:20 -0300
Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
> Hi Louis
>
>
> I have moved "empresa.com.br" folder to /root. After I run samba-tool
> ntacl sysvolreset, but some errors appear:
Please put it back.
Also which DC is this on, your first DC or the second one ? and if it is
the second one, have you followed the wiki page I pointed you to, on
your other post ?
Or to put it another way, do both of your DCs sysvol directories (and
sub-directories) match and have you synced idmap.ldb from the first DC
to the second DC.
I know what Louis told you to do, but you should only give 'Domain
Users' a gidNumber attribute, you can also give 'Domain Admins' a
gidNumber, but I personally think it is better to create a group called
'Unix Admins', make this group a member of 'Domain Admins' and then
give this new group a gidNumber. Now use this group when setting
permissions from Windows. My reasoning behind this: 'Domain Admins'
needs to own policies in sysvol, it cannot do this if it has a
gidNumber attribute.
Do not give any other user or group from the well known sids a
uidNumber or gidNumber, see here for the well known sids:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
Rowland
More information about the samba
mailing list