[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid

Rowland Penny rpenny at samba.org
Fri May 25 15:09:11 UTC 2018


On Fri, 25 May 2018 16:39:22 +0200
Henry Jensen <hjensen at mailbox.org> wrote:

> 
> OK, maybe this is something which should be mentioned in the wiki. The
> reason I got to this was that I wanted to try sysvol replication. The
> wiki mentions at
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> you should i.e. copy idmap.ldb from the first DC to the new DC and
> then run "samba-tool ntacl sysvolreset".
> 
> Is this instruction still valid?

The problem with sysvolcheck & sysvolreset is they have never used the
owner, group and ACLs that Windows uses. Having said that, as long as
no BUILTIN or DOMAIN user or group (except Domain Users) has a uidNumber
or gidNumber AND you haven't added any extra GPOs, it will work, you
just have to ignore that error message.
When you add ANY extra GPOs, then never ever use sysvolcheck or
sysvolreset. You should also never give Domain Admins a gidNumber
attribute, this turns the Windows group into a Unix group. You are now
probably thinking 'what?', a group is just a group, right? Well, no,
a Windows group can do something that no Unix group can, it can own
files and directories and guess what needs to own files and directories
in sysvol?
 
Rowland
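An added example (not part of the original thread) that applies Rowland's rule to ldbsearch-style LDIF: it flags BUILTIN (S-1-5-32-*) and domain objects other than Domain Users that carry a uidNumber or gidNumber, which is the condition under which sysvolcheck/sysvolreset stop being safe. The sample records are constructed, and the ldbsearch command shown in the comment is an assumption about how the data would be gathered, not something from the post.

```python
"""Flag Samba AD objects that break the rule in the reply above: sysvolcheck and
sysvolreset only work when no BUILTIN or domain user/group except 'Domain Users'
has a uidNumber or gidNumber.  All data here is constructed for the example."""

# Constructed sample in the LDIF shape ldbsearch prints.  On a DC the data
# would come from a query such as (command shape assumed, not from the post):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))'
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
cn: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
cn: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10001

dn: CN=Administrators,CN=Builtin,DC=example,DC=com
cn: Administrators
objectSid: S-1-5-32-544
gidNumber: 10002
"""

def parse_ldif(text):
    """Split LDIF into one dict per record; '#' comment lines are skipped."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current record
            if cur:
                records.append(cur)
            cur = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(": ")
            cur[key] = val
    if cur:
        records.append(cur)
    return records

def offending_objects(text, allowed=("Domain Users",)):
    """Return (cn, realm, attr) for each BUILTIN (S-1-5-32-*) or domain object
    carrying a Unix id attribute that the rule in the reply does not allow."""
    out = []
    for rec in parse_ldif(text):
        cn = rec.get("cn", rec.get("dn", "?"))
        if cn in allowed:
            continue
        realm = "BUILTIN" if rec.get("objectSid", "").startswith("S-1-5-32-") else "DOMAIN"
        out.extend((cn, realm, a) for a in ("uidNumber", "gidNumber") if a in rec)
    return out
```

An empty result means the idmap.ldb copy-and-sysvolreset procedure from the wiki page quoted above still applies; any hit (here Domain Admins and BUILTIN\Administrators) is exactly the situation where Rowland says to leave sysvolcheck and sysvolreset alone.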