[Samba] Fileserver Upgrade problems

Rowland penny rpenny at samba.org
Thu Feb 4 20:01:30 UTC 2021

On 04/02/2021 19:30, Elias Pereira via samba wrote:
> Hello,
> After I upgraded our fileserver from 4.10 to 4.13 and Debian 10, the shared
> folder has stopped working. In fact now, every time I try to access the
> shared folder, the password is requested.
> smb.conf
> [global]
>          # Enable modules
>          vfs objects = acl_xattr, recycle, full_audit, dfs_samba4

Why have you added 'dfs_samba4'?

It should only be used on a Samba AD DC.

> This below part of
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> If you use the winbind 'ad' backend on Unix domain members and you add a
> gidNumber attribute to the Domain Admins group in AD, you will break the
> mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
> this is to allow the group to own files in Sysvol on a Samba AD DC. It is
> suggested you create a new AD group (Unix Admins for instance), give this
> group a gidNumber attribute and add it to the Administrators group and
> then, on Unix, use the group wherever you would normally use Domain Admins.
> didn't seem necessary in Samba 4.10? Or at least when I set up the
> fileserver it will be requested for "Domain Admins".

It isn't a problem on a Unix domain member (never has been) but it
breaks sysvol on a Samba AD DC if you add a gidNumber to Domain Admins.
Windows has this quaint idea of letting a group own files & folders,
something that isn't normally possible on Unix. However, on a Samba AD
DC, Domain Admins is mapped as 'ID_TYPE_BOTH' (it is both a group and a
user); if you give Domain Admins a gidNumber, you break this mapping and
it just becomes a group and cannot own things in sysvol.
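
A configuration check for the point made in the reply above, as an added example that is not part of the original thread or of Samba's own tooling: it flags `dfs_samba4` in `vfs objects` when `server role` does not declare an AD DC. The sample configs, the share name and the path are constructed, and treating an unset `server role` as "not an AD DC" is an assumption of this example.

```python
import re

# smb.conf 'server role' values that select the AD DC role.
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_smb_conf(text):
    """Return {section: {param: value}}. Names are lowercased and stripped of
    whitespace, because smb.conf ignores case and spacing in parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def misplaced_dfs_samba4(text):
    """List the sections that load dfs_samba4 although the host is not an AD DC."""
    conf = parse_smb_conf(text)
    role = conf.get("global", {}).get("serverrole", "auto").lower()
    if role in AD_DC_ROLES:
        return []                                # module belongs on a DC
    hits = []
    for name, params in conf.items():
        # 'vfs object' is a synonym of 'vfs objects'
        value = params.get("vfsobjects", params.get("vfsobject", ""))
        modules = {m.lower() for m in re.split(r"[,\s]+", value) if m}
        if "dfs_samba4" in modules:
            hits.append(name)
    return hits

# Constructed sample: domain member using the 'vfs objects' line from the post.
MEMBER_CONF = """\
[global]
        security = ADS
        vfs objects = acl_xattr, recycle, full_audit, dfs_samba4
[share]
        path = /srv/share
"""
# Constructed sample: an AD DC, where the module is expected.
DC_CONF = """\
[global]
        server role = active directory domain controller
        vfs objects = dfs_samba4, acl_xattr
"""
if __name__ == "__main__":
    print(misplaced_dfs_samba4(MEMBER_CONF), misplaced_dfs_samba4(DC_CONF))
```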

