[Samba] Adding Share Windows ACL

Rowland Penny rpenny at samba.org
Fri Jan 26 10:22:52 UTC 2018

On Fri, 26 Jan 2018 10:50:48 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I don't agree.. 

> > Yes, Domain Admins needs to be a Unix group. 
> I agree on this one. 
> > No, because if Domain Admins is a Unix group, it cannot own GPOs in
> > sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> > Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a
> > user.
> Not totally.. IMO.

This is a sddl of a GPO in sysvol:


The important part is at the start:


O = owner
G = group
DA = Domain Admins

The only way this can occur on a Unix DC is if Domain Admins doesn't
have a gidNumber attribute.

> Only one BEWARE !! 
> If you change to ignore system acls, you MUST RE-APPLY ALL SHARE AND
> SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> run samba-tool sysvolreset ! 

Yes, do not run sysvolreset, but not because of this problem; it is
because the underlying 'C' code doesn't set the ACLs correctly, see:


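The point Rowland makes above (the O: and G: fields of a GPO's SDDL name Domain Admins, which can only be applied on a Samba DC if that group carries no gidNumber) can be checked mechanically. The following is an added example, not code from Samba or from either poster: it splits an SDDL string into owner, group and ACEs, and flags an owner whose group entry has a gidNumber. The SDDL sample and the two LDAP-style group records are constructed for illustration, the alias table is a subset of the documented Windows two-letter SID aliases, and the gidNumber test encodes the ID_TYPE_BOTH vs. Unix-group reasoning from the message rather than calling Samba's own idmap code.

```python
import re

# Subset of the documented Windows SDDL trustee aliases (assumption: the
# constructed sample only uses these; raw S-1-... SIDs pass through untouched).
SID_ALIASES = {
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "DU": "Domain Users",
    "ED": "Enterprise Domain Controllers",
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "CO": "CREATOR OWNER",
    "WD": "Everyone",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def resolve_trustee(token):
    """Map an SDDL trustee token to a readable name; explicit SIDs pass through."""
    if token.startswith("S-1-"):
        return token
    return SID_ALIASES.get(token, "unknown alias %s" % token)


def parse_sddl(sddl):
    """Split an SDDL string into O:, G:, D: and S: components and expand the
    DACL/SACL ACE strings into (type, flags, rights, trustee) tuples.
    Only the six-field simple ACE form is handled; object/conditional ACEs
    are skipped."""
    components = {}
    # A component runs from its 'X:' marker to the next marker or end of string.
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        components[m.group(1)] = m.group(2)
    parsed = {
        "owner": resolve_trustee(components.get("O", "")),
        "group": resolve_trustee(components.get("G", "")),
        "dacl": [],
        "sacl": [],
    }
    for key, name in (("D", "dacl"), ("S", "sacl")):
        for ace in ACE_RE.findall(components.get(key, "")):
            fields = ace.split(";")
            if len(fields) < 6:
                continue
            ace_type, ace_flags, rights, _obj, _inh_obj, trustee = fields[:6]
            parsed[name].append((ace_type, ace_flags, rights,
                                 resolve_trustee(trustee)))
    return parsed


def gpo_ownership_problems(sddl, group_entries):
    """Return a list of reasons the owner/group in `sddl` could not be applied
    on a Samba AD DC. Assumption (the point of the message above): a group with
    a gidNumber is a plain Unix group (ID_TYPE_GID) and cannot own a file; a
    group without one is mapped ID_TYPE_BOTH and can own GPO files in sysvol."""
    parsed = parse_sddl(sddl)
    problems = []
    for role in ("owner", "group"):
        name = parsed[role]
        entry = group_entries.get(name)
        if role == "owner" and entry is not None and "gidNumber" in entry:
            problems.append("%s %s has gidNumber %s, so it is a Unix group "
                            "and cannot own the GPO" % (role, name,
                                                        entry["gidNumber"]))
    return problems


# Constructed sample: the shape of a GPO directory's SDDL in sysvol (owner and
# group both Domain Admins) plus two LDAP-style records for the group, one
# without and one with a gidNumber. Not captured from a real DC.
GPO_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")
GROUPS_OK = {"Domain Admins": {"cn": "Domain Admins",
                               "objectSid": "S-1-5-21-1-2-3-512"}}
GROUPS_WITH_GID = {"Domain Admins": {"cn": "Domain Admins",
                                     "objectSid": "S-1-5-21-1-2-3-512",
                                     "gidNumber": "10000"}}

if __name__ == "__main__":
    p = parse_sddl(GPO_SDDL)
    print("owner:", p["owner"], "| group:", p["group"])
    for ace in p["dacl"]:
        print("  ACE", ace)
    print("no gidNumber:", gpo_ownership_problems(GPO_SDDL, GROUPS_OK))
    print("with gidNumber:", gpo_ownership_problems(GPO_SDDL, GROUPS_WITH_GID))
```

On a live DC the two inputs come from `samba-tool ntacl get <path> --as-sddl` for the sysvol file and `ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Domain Admins)' gidNumber` for the group record (the sam.ldb path varies by distribution); feeding those into `gpo_ownership_problems` reproduces the check by hand.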
