[Samba] Windows ACLs : problems

Stefan G. Weichinger lists at xunil.at
Tue Feb 25 13:21:22 UTC 2020

Am 25.02.20 um 14:16 schrieb Rowland penny via samba:
> On 25/02/2020 13:04, Stefan G. Weichinger via samba wrote:
>> Am 24.02.20 um 10:34 schrieb Rowland penny via samba:
>>> Change the owner to 'root' and never use Administrator on a Unix domain
>>> member.
>> wiki says:
>> # chown root:"Unix Admins" /srv/samba/Demo/
>> # chmod 0770 /srv/samba/Demo/
>> I dont't have "Unix Admins" ...
> And it says immediately above that: .... For example:
> And further up the page, in a blue 'NOTE' box, it says this:
> If you use the winbind 'ad' backend on Unix domain members and you add a
> gidNumber attribute to the |Domain Admins| group in AD, you will break
> the mapping in |idmap.ldb|. |Domain Admins| is mapped as |ID_TYPE_BOTH|
> in |idmap.ldb|, this is to allow the group to own files in |Sysvol| on a
> Samba AD DC. It is suggested you create a new group (|Unix Admins| for
> instance), give this group a |gidNumber| attribute and add it to the
> |Administrators| group and then, on Unix, use the group wherever you
> would normally use |Domain Admins|.

I use the "rid" backend ...

> You do not need to use another group, but if give Domain Admins a
> gidNumber, you will have problems in sysvol.

Can't remember having done that ...

>> and the chown to root makes my Windows-connections fail with
>> Administrator ...
> Do you have a user.map line in smb.conf ?
> Something like this:
> username map = /etc/samba/smb.conf
> Which contains something like this:
> !root = DOMAIN\Administrator


More information about the samba mailing list