[Samba] Adding Share Windows ACL
rpenny at samba.org
Fri Jan 26 10:22:52 UTC 2018
On Fri, 26 Jan 2018 10:50:48 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> I don't agree..
> > Yes, Domain Admins needs to be a Unix group.
> I agree on this one.
> > No, because if Domain Admins is a Unix group, it cannot own GPOs in
> > sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> > Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a
> > user.
> Not totally.. Imo.
This is an SDDL of a GPO in sysvol:
The important part is at the start:
O = owner
G = group
DA = Domain Admins
The only way this can occur on a Unix DC is if Domain Admins doesn't
have a gidNumber attribute.
> Only one BEWARE !!
> If you change to ignore systemacls, you MUST RE-APPLY ALL SHARE AND
> SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> run samba-tool sysvolreset !
Yes, do not run sysvolreset, but not because of this problem; it is
because the underlying 'C' code doesn't set the ACLs correctly, see:
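Added example, not part of the original message and not Samba's own code: a small Python check that reads the O: (owner) and G: (group) fields at the start of an SDDL string, as described above, and reports whether both are Domain Admins. The function names and both sample strings are constructed for illustration; the alias DA and the Domain Admins RID 512 are standard SDDL/SID conventions.

```python
import re

# An SDDL string starts with O:<owner>G:<group>; each value is either a
# two-letter alias (e.g. DA) or a full SID (S-1-...).
_SID = r"(S-1-[0-9-]+|[A-Z]{2})"
_HEADER = re.compile(rf"^O:{_SID}G:{_SID}")
# An ACE is "(type;flags;rights;object_guid;inherit_guid;trustee)".
_ACE = re.compile(r"\(([^()]*)\)")

# Constructed sample: owner and group are both Domain Admins.
SAMPLE_GPO_SDDL = (
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)
# Constructed sample: the owner is a full SID that is not Domain Admins.
SAMPLE_BAD_SDDL = "O:S-1-5-21-1111-2222-3333-500G:DAD:P(A;OICI;0x001f01ff;;;DA)"


def parse_sddl(sddl):
    """Return the owner, group and ACE trustees of an SDDL string."""
    m = _HEADER.match(sddl.strip())
    if m is None:
        raise ValueError("SDDL does not start with O:<owner>G:<group>")
    aces = []
    for body in _ACE.findall(sddl):
        fields = body.split(";")
        if len(fields) == 6:  # skip anything that is not a plain ACE
            aces.append({"type": fields[0], "rights": fields[2], "trustee": fields[5]})
    return {"owner": m.group(1), "group": m.group(2), "aces": aces}


def is_domain_admins(sid):
    """True for the DA alias or a domain SID ending in RID 512."""
    return sid == "DA" or re.fullmatch(r"S-1-5-21(-\d+){3}-512", sid) is not None


def owner_problems(sddl):
    """List the header fields that are not Domain Admins (empty list = OK)."""
    parsed = parse_sddl(sddl)
    return [
        f"{field} is {parsed[field]}, not Domain Admins"
        for field in ("owner", "group")
        if not is_domain_admins(parsed[field])
    ]
```

A string to feed into `owner_problems` can be obtained with `samba-tool ntacl get <path> --as-sddl`.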