[Samba] Windows ACLs : problems

Rowland penny rpenny at samba.org
Tue Feb 25 13:16:28 UTC 2020

On 25/02/2020 13:04, Stefan G. Weichinger via samba wrote:
> Am 24.02.20 um 10:34 schrieb Rowland penny via samba:
>> Change the owner to 'root' and never use Administrator on a Unix domain
>> member.
> wiki says:
> # chown root:"Unix Admins" /srv/samba/Demo/
> # chmod 0770 /srv/samba/Demo/
> I don't have "Unix Admins" ...

And it says immediately above that: .... For example:

And further up the page, in a blue 'NOTE' box, it says this:

If you use the winbind 'ad' backend on Unix domain members and you add a 
gidNumber attribute to the |Domain Admins| group in AD, you will break 
the mapping in |idmap.ldb|. |Domain Admins| is mapped as |ID_TYPE_BOTH| 
in |idmap.ldb|, this is to allow the group to own files in |Sysvol| on a 
Samba AD DC. It is suggested you create a new group (|Unix Admins| for 
instance), give this group a |gidNumber| attribute and add it to the 
|Administrators| group and then, on Unix, use the group wherever you 
would normally use |Domain Admins|.

You do not need to use another group, but if you give Domain Admins a 
gidNumber, you will have problems in sysvol.

> and the chown to root makes my Windows-connections fail with
> Administrator ...

Do you have a user.map line in smb.conf ?

Something like this:

username map = /etc/samba/user.map

Which contains something like this:

!root = DOMAIN\Administrator
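
Added example, not part of the original message: a small Python model of how a username map file containing the line above is read, following the smb.conf(5) description of `username map` (comment lines, the `!` stop marker, quoted names, the `*` wildcard). Case-insensitive matching is an assumption, the @group forms are not handled, and the second client name and the `guest` line in the sample are constructed.

```python
import re

# Constructed sample map file; DOMAIN is the placeholder used in the message.
SAMPLE_MAP = r'''
# lines starting with # or ; are ignored
; another comment
!root = DOMAIN\Administrator "DOMAIN\Backup Admin"
guest = *
'''

def parse_map(text):
    """Return a list of (unix_name, client_names, stop_on_match) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")  # '!' = stop processing if this line maps
        unix_name, sep, names = line.lstrip("!").partition("=")
        if not sep or not unix_name.strip():
            continue  # not a "unixname = names" line; skipped in this model
        # Names containing spaces are double-quoted; backslashes stay literal.
        clients = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', names)]
        rules.append((unix_name.strip(), clients, stop))
    return rules

def map_user(client_name, rules):
    """Map a client-supplied name to a Unix name; unmapped names pass through."""
    result = client_name
    for unix_name, clients, stop in rules:
        # Every line is tested against the name the client sent, not against
        # the result of an earlier line. Case-insensitivity is an assumption.
        hit = any(c == "*" or c.lower() == client_name.lower() for c in clients)
        if hit:
            result = unix_name
            if stop:
                break  # without '!', a later matching line would win
    return result

if __name__ == "__main__":
    rules = parse_map(SAMPLE_MAP)
    for name in (r"DOMAIN\Administrator", r"DOMAIN\alice"):
        print(name, "->", map_user(name, rules))
```

Without the leading `!`, the later wildcard line would override the root mapping, which is why the line in the message starts with it.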

