[Samba] Sysvol permission issue - how to repair permanently?

Stefan Bellon bellon at axivion.com
Sun Apr 4 20:12:32 UTC 2021

On Sun, 04 Apr, Rowland penny via samba wrote:

> I wish I had a time machine, I could go back in time and tell you
> that using mapped ID's in this way was a bad idea.

As soon as you have "apt install real-life-timemachine" ready, I'll
volunteer for a beta test. ;-)

> Using nslcd at that time wasn't a bad idea, though unnecessary. You 
> could easily change to Unix domain members, except for the ill
> advised group ID's and you could probably work around them.

Yes, it looks like if we did it "the proper way" back in time, we would
not be in this mess right now.

> Do you have this line in the Samba DC's smb.conf:
>   idmap_ldb:use rfc2307 = yes
> If you do, comment it out (using a ';' or '#') and see if that helps,
> it will make the DC's only use idmap.ldb and ignore any uidNumber & 
> gidNumber attributes in AD.

Oh, wow, you are referring to



Wow, I could have sworn that I read somewhere to put

  idmap_ldb:use rfc2307 = yes

into /etc/samba/smb.conf, but (of course) you are right, the wiki
mentions that it is not important for DCs and even more so, that it's
less error prone without.

So, basically, "idmap_ldb:use rfc2307 = yes" puts special
uidNumber/gidNumber handling with higher priority into the mapping and
without that setting, just the idmap.ldb is being used? Removing that
setting will not have any writing effect on the databases?

Then I'll try it tomorrow or the day after. Thanks a lot so far!


Stefan Bellon
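
A way to check whether the setting discussed in this message is really active in a DC's smb.conf, or only present as a ';' or '#' comment. This is an added example, not part of the original message and not Samba code. The helper names, the sample configuration and the accepted boolean spellings are assumptions, as is the name normalisation (case-insensitive, whitespace runs collapsed).

```python
import re

# Assumption: spellings treated as boolean "true" for this check.
TRUE_VALUES = {"yes", "true", "on", "1"}

def _norm(name):
    """Lower-case a section/parameter name and collapse whitespace runs."""
    return re.sub(r"\s+", " ", name.strip()).lower()

def global_param(conf_text, wanted):
    """Return the last value set for `wanted` in [global], or None."""
    section, value, pending = None, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":  # blank line or commented out
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)  # only the first '=' separates
            if _norm(key) == _norm(wanted):
                value = val.strip()
    return value

def dc_uses_rfc2307(conf_text):
    """True if 'idmap_ldb:use rfc2307' is set to a true value in [global]."""
    value = global_param(conf_text, "idmap_ldb:use rfc2307")
    return value is not None and value.lower() in TRUE_VALUES

# Constructed sample configuration, not taken from the thread.
SAMPLE_ACTIVE = """\
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307  = yes
[sysvol]
    path = /var/lib/samba/sysvol
"""
SAMPLE_COMMENTED = SAMPLE_ACTIVE.replace("    idmap_ldb", "    ;idmap_ldb")

if __name__ == "__main__":
    print("active:   ", dc_uses_rfc2307(SAMPLE_ACTIVE))
    print("commented:", dc_uses_rfc2307(SAMPLE_COMMENTED))
```
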
