[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid

Viktor Trojanovic viktor at troja.ch
Fri May 25 16:22:21 UTC 2018


On 25 May 2018 at 17:09, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Fri, 25 May 2018 16:39:22 +0200
> Henry Jensen <hjensen at mailbox.org> wrote:
>
> >
> > OK, maybe this is something which should be mentioned in the wiki. The
> > reason I got to this was that I wanted to try sysvol replication. The
> > wiki mentions at
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > you should i.e. copy idmap.ldb from the first DC to the new DC and
> > then run "samba-tool ntacl sysvolreset".
> >
> > Is this instruction still valid?
>
> The problem with sysvolcheck & sysvolreset is they have never used the
> Owner, group and ACLs that windows uses. Having said that, as long as
> no BUILTIN or DOMAIN user or group (except Domain Users) has a uidNumber
> or gidNumber AND you haven't added any extra GPOs, it will work, you
> just have to ignore that error message.
> When you add ANY extra GPOs, then never ever use sysvolcheck or
> sysvolreset. You should also never give Domain Admins a gidNumber
> attribute, this turns the windows group into a Unix group. You are now
> probably thinking 'what?', a group is just a group, right? Well, no,
> a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories
> in sysvol?
>
>
Hi Rowland,

This indeed looks like very crucial information that should be part of the
wiki. Or maybe I just missed it.

Now, my domain admins group (as well as every other group) does have a
gidNumber, and my configuration (with many, many extra GPOs) is working
just fine. Well, maybe not "just" fine, I had to set "ignore system acls =
no" in order for ACLs to work properly. But I ran sysvolcheck and
sysvolreset many times with no issues.

I'm curious, do you consider it safe to now remove the gidNumber from all
groups except domain users? Would I break something?

Viktor
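Viktor's question is which groups would be affected by dropping gidNumber from everything except Domain Users. As an added example that is not part of this thread, the shell snippet below lists exactly those groups by parsing the LDIF that ldbsearch prints for group objects carrying a gidNumber. The sam.ldb path, the search filter and the sample records are constructed assumptions for illustration, not values taken from the thread; adjust the path to your installation before running the live query.

```shell
#!/bin/sh
# Added example, not from the samba thread: report every group that has a
# gidNumber, except Domain Users, so the inventory can be reviewed before
# any attribute is removed.

# Constructed LDIF shaped like the output of (paths/attributes assumed):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(&(objectClass=group)(gidNumber=*))' sAMAccountName gidNumber
SAMPLE_LDIF='dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=Administrators,CN=Builtin,DC=example,DC=com
sAMAccountName: Administrators
gidNumber: 10002

# returned 3 records
'

# Reads LDIF on stdin (records separated by blank lines) and prints
# "<sAMAccountName> <gidNumber>" for every group other than Domain Users.
flag_unix_groups() {
    awk '
        /^sAMAccountName: / { name = substr($0, 17) }   # 16 chars of prefix
        /^gidNumber: /      { gid = $2 }
        /^$/ {
            if (name != "" && gid != "" && name != "Domain Users") print name, gid
            name = ""; gid = ""
        }
        END {
            # handle a final record with no trailing blank line
            if (name != "" && gid != "" && name != "Domain Users") print name, gid
        }
    '
}

# Stand-alone run over the constructed sample. For a live check, pipe the
# ldbsearch command from the comment above into flag_unix_groups instead.
printf '%s' "$SAMPLE_LDIF" | flag_unix_groups
```

On the sample data the function prints two lines, Domain Admins and the BUILTIN Administrators group; on a real DC the output is the list to discuss before touching any gidNumber, since removing it changes how those groups map to Unix ids on the file system.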

