[Samba] Windows ACLs : problems

Rowland penny rpenny at samba.org
Tue Feb 25 14:16:33 UTC 2020

On 25/02/2020 14:01, Stefan G. Weichinger via samba wrote:
> Am 25.02.20 um 14:54 schrieb Rowland penny via samba:
>> On 25/02/2020 13:49, Stefan G. Weichinger via samba wrote:
>>> Am 25.02.20 um 14:30 schrieb Rowland penny via samba:
>>>> OK, I give in, I will alter the wiki page, if you use the 'rid' or
>>>> 'autorid'  backend, you can use Domain Admins, just do not give Domain
>>>> Admins a gidNumber.
>>> While you're at it ;-)
>>> It also isn't clear to me where "Unix Admins" comes from.
>> Out of my head ;-)
>>> I have to add that group on the DC, add my admin-users ... right? Then
>>> grant the SeDiskOperatorPrivilege ... then chgrp the files in the share?
>> You do not need it, it is only required if using the winbind 'ad'
>> backend and only then if you don't want possible problems with sysvol.
> What? Now I *don't* need it?

Bad choice of words there: you do not need 'Unix Admins', you can use
'Domain Admins' instead. You only need to use 'Unix Admins' if you use
the winbind 'ad' backend and do not care if you mess up sysvol.

If you add GPOs, then they can be owned by Domain Admins (something that 
normally cannot happen on Unix). This is because Domain Admins is mapped 
to 'ID_TYPE_BOTH' in idmap.ldb. If you give Domain Admins a gidNumber, 
it becomes just a group and cannot own anything in sysvol. On a Unix 
domain member using the 'rid' backend, the mapping is done locally and 
does not affect idmap.ldb.

> Sorry, can't follow here.
> So far I only was able to get that mostly working by doing "chown -R
> Administrator:10513" or so ...
> Right now I can't access the ACLs from windows at all (on that share,
> with DOM\Administrator)
> feels like a loop  ....

Possibly a German loop ;-)
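The two conditions Rowland describes above (Domain Admins mapped as ID_TYPE_BOTH in idmap.ldb, and no gidNumber on the group) can be checked from the LDIF that ldbsearch prints. The script below is an added example, not code from the thread or from Samba; the record samples are constructed (domain SID, xidNumber and the 10513 gidNumber taken from the chown in the thread are illustrative), and the ldbsearch paths in the comments are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example (not from the thread): check the two conditions described for
# 'Domain Admins' (well-known RID 512) on a Samba AD DC, working on LDIF text as
# printed by ldbsearch. On a live DC the input would come from something like
# (paths are assumptions, adjust for your install):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(cn=S-1-5-21-*-512)'
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=Domain Admins)' gidNumber

# Print the idmap 'type' of the RID-512 record found in the LDIF on stdin.
idmap_type_of_rid512() {
    awk '
        /^dn: / { in_rec = ($0 ~ /-512$/) }
        in_rec && /^type: / { print $2; exit }
    '
}

# Print "yes" if the LDIF on stdin carries a gidNumber attribute, else "no".
has_gidnumber() {
    if grep -q '^gidNumber: '; then echo yes; else echo no; fi
}

# "ok" when Domain Admins is ID_TYPE_BOTH and has no gidNumber, otherwise a
# short diagnosis matching the explanation in the message above.
domain_admins_status() {   # $1 = idmap LDIF, $2 = group LDIF
    t=$(printf '%s\n' "$1" | idmap_type_of_rid512)
    g=$(printf '%s\n' "$2" | has_gidnumber)
    if [ "$g" = yes ]; then
        echo "broken: Domain Admins has a gidNumber, it is a group only and cannot own sysvol"
    elif [ "$t" != ID_TYPE_BOTH ]; then
        echo "broken: idmap type is '${t:-missing}', expected ID_TYPE_BOTH"
    else
        echo ok
    fi
}

# Constructed sample records (domain SID and xidNumber are made up).
IDMAP_BOTH='dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000'
GROUP_NO_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins'
GROUP_WITH_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10513'

domain_admins_status "$IDMAP_BOTH" "$GROUP_NO_GID"     # ok
domain_admins_status "$IDMAP_BOTH" "$GROUP_WITH_GID"   # broken: ... gidNumber ...
```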
