[Samba] Sysvol issues after DC migration

Rowland Penny rpenny at samba.org
Mon Mar 15 17:53:52 UTC 2021


On 15/03/2021 17:32, Oleg Blyahher via samba wrote:
> No, it currently has the gidNumber 544 (checked by running samba-tool 
> group edit Administrators).
>
> What gid should it have otherwise? Something in the 5000-6000 range?


Perhaps I should have said "does the 'Administrators' group have a 
gidNumber".

So, in the Administrators object in AD there is this line:

gidNumber: 544

If so, edit the group again and remove that line. 'Administrators' 
should not have a gidNumber; it just turns 'Administrators' into a 
group. You are probably now thinking 'What?' Administrators is a 
group. Well, yes, but it is a Windows group, and Windows groups can 'own' 
things like a user, something that doesn't happen on Unix. To allow this 
on a Samba DC (Administrators has to own things in Sysvol), groups are 
mapped to 'ID_TYPE_BOTH' in idmap.ldb; giving a group a gidNumber breaks 
this.

This applies to all the groups in the 'Well Known SIDs' (basically the 
groups created by a provision), apart from Domain Users.

Rowland
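
As an added example (not part of the original post, and not Samba project code): a Python check over the LDIF output of a group search that lists the provisioned groups still carrying a gidNumber. The LDIF sample is constructed, and the rule used for "created by a provision" (a BUILTIN SID, or a domain RID below 1000) is an assumption, as are the function names.

```python
import re

# Constructed sample, shaped like LDIF from a group search on a DC
# (assumed attributes: sAMAccountName, objectSid as a string SID, gidNumber).
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
sAMAccountName: Administrators
objectSid: S-1-5-32-544
gidNumber: 544

dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10001

dn: CN=Staff,CN=Users,DC=example,DC=com
sAMAccountName: Staff
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10002
"""

def parse_entries(ldif):
    """Split LDIF text into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry[key] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def is_provisioned_group(sid):
    """Assumption: BUILTIN (S-1-5-32-*) or domain RID < 1000, except Domain Users (513)."""
    rid = int(sid.rsplit("-", 1)[-1])
    if sid.startswith("S-1-5-32-"):
        return True
    return sid.startswith("S-1-5-21-") and rid < 1000 and rid != 513

def groups_to_fix(ldif):
    """Names of provisioned groups that have a gidNumber and should not."""
    return [e["sAMAccountName"] for e in parse_entries(ldif)
            if "gidNumber" in e and is_provisioned_group(e.get("objectSid", "S-0-0"))]
```

Entries whose objectSid is base64-encoded (`objectSid::`) are skipped by this parser, so feed it output where the SID is printed in string form.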




