[Samba] Problem sysvolreset

L.P.H. van Belle belle at bazuin.nl
Mon Mar 20 15:36:34 UTC 2017

Im questioning this because of the following. 

What is "Domain Admins" doing with rights on SYSVOL anyway.. ??

There should not be any "domain admins" at all on sysvol share and security rights. 

But to overcome the problem explained below. 

You can use : 
acl_xattr:ignore system acls = yes 

And make sure sysvol and/or netlogon are windows only shares and not used by any unix/linux/mac clients.

Set : acl_xattr:ignore system acls = yes
In the share sysvol and/or netlogon 

Now in addition, as told, if setup correcly, 
you dont see any "Domain Admins" on sysvol. 

Sysvol Share permissions set to 
"Everyone" Read 
"Authenticated Users" Full Control. 
DOMAIN\Administrators ( same as "BUILDIN\Administrators" ) Full Controll

And for the folder setttings. 
CREATOR OWNER         Special rights.
Authenticated Users   Read 
SYSTEM                Full control.
DOMAIN\Administrators   R&E, LFC, READ, WRITE
DOMAIN\Server Operators R&E, LFC, READ

Now its no problem to give these a gid anymore.
Domain Users
Domain Admins
Domain Guest
Domain Computers
And as bjorn suggested, you do give the groups an id. 

And when its all set, DONT run resetsysvol again when you do that, you must set the share and security rights again. 

And all my servers run with : idmap_ldb:use rfc2307 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny via
> samba
> Verzonden: maandag 20 maart 2017 15:44
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem sysvolreset
> On Mon, 20 Mar 2017 15:27:33 +0100
> Björn JACKE via samba <samba at lists.samba.org> wrote:
> > On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> > > It is my recommendation to not give Domain Admins a gidNumber and
> > > not to run sysvolreset if you add any GPOs.
> >
> > anybody who uses idmap ad on a samba member server should give domain
> > users and domain admins a gidnumber actually. This does not affect
> > sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
> > what I would not recommend to do.
> >
> > Björn
> >
> Hi Bjorn,
> You can recommend not doing something until you are blue in the face,
> but you will not stop people doing it. ;-)
> If you give Domain Admins a gidNumber, it breaks the mapping in
> idmap.ldb and stops Domain Admins being able to own files and dirs in
> sysvol and Domain Admins needs to own files and dirs in sysvol.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list