[Samba] Adding Share Windows ACL

L.P.H. van Belle belle at bazuin.nl
Fri Jan 26 10:41:17 UTC 2018

Yes, your right and not.. .. Sorry..

> This is a sddl of a GPO in sysvol:
> x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-
> 5-21-2695348288-4157658249-429813502-519)
> The important part is at the start:
> O = owner
> G = group
> DA = Domain Admins
> The only way this can occur on a Unix DC is if Domain Admins doesn't
> have a gidNumber attribute.
Yes yes, i know. About 1 year ago we both look this all up.. 
The sddl is fine, and works better if you set ignore systemacls. 
Because then you can have O:DAG:DAD:  its only not shown on the system.. 

This imo also the interesting part and still i dont agree,.. Because 
I have do gid's on "domain users/guest/admins" on my AD backend DC's and members. 
0 problems here. 

getent group "domain users"
domain users:x:10000:.... Here all my users with uid. 

getent group "domain admins"
domain admins:x:10001:admin,administrator

getent group "domain guests"
domain guests:x:10002:guest

domain computers:x:10006:
Yes. Here no computer in the group, but gid was added, this works fine. 

Test it Rowland and you will see it works, maybe i found some great loopholes here.. 
But i really like the ignore systemacl because if fixes a lot of SID/UID/GID related problems. 
I also advice to use it the least as possible, but imo, sysvol netlogin profiles users and a deploy share
really bennefit from the parameter. 
This work really good for me, as of samba 4.4+ now at 4.7.4.



> > Only one BEWARE !! 
> > If you change to ignore systemacls, you MUST RE-APPPLY ALL SHARE AND
> > SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, dont
> > run samba-tool sysvolreset ! 
> > 
> Yes, do not run sysvolreset, but not because of this problem, it is
> because the underlying 'C' code doesn't set the ACLs correctly, see:
> https://bugzilla.samba.org/show_bug.cgi?id=12924
> Rowland

More information about the samba mailing list