[Samba] Sysvol issues after DC migration
oleg.blyahher at bluetest.se
Mon Mar 15 19:30:55 UTC 2021
Ok, thanks Rowland. I've made it a further now, and the script runs to
the point it tells me the following:
Set your sysvol SHARE permissions as followed. EVERYONE: READ
Authenticated Users: FULL CONTROL (BUILTIN or NTDOM)\Administrators:
FULL CONTROL (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL User/Group system
is added compaired to a win2008R2 sysvol, you need this for some GPO
settings. Set your sysvol FOLDER permissions as followed. Authenticated
Users: Read & Exec, Show folder content, Read (BUILTIN or
NTDOM)\Administrators: FULL CONTROL (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
I've opened up Computer Management as the domain admin, but I can't do
any changes in the permissions. It keeps telling me "Access is denied"
whenever I try to modify the share or security permissions. Right now
"Everyone" have full access in the share permissions. I can't even see
the owners there.
Any point in modifying the sysvol folder with setfacl? Where should I
On 2021-03-15 18:53, Rowland penny via samba wrote:
> On 15/03/2021 17:32, Oleg Blyahher via samba wrote:
>> No, it currently has the gidNumber 544 (checked by running samba-tool
>> group edit Administrators).
>> What gid should it have otherwise? Something in the 5000-6000 range?
> Perhaps I should have said "does the 'Administrators' group have a
> So, in the Administrators object in AD there is this line:
> gidNumber: 544
> If so, edit the group again and remove that line, 'Administrators'
> should not have a gidNumber, it just turns 'Administrators' into a
> group. You aare probably now thinking 'What' ? Administrators is a
> group, well yes, but it is a Windows group and Windows groups can
> 'own' things like a user, something that doesn't happen on Unix. To
> allow this on a Samba DC (Administrators has to own things in Sysvol),
> groups are mapped to 'ID_TYPE_BOTH' in idmap.ldb, giving a group a
> gidNumber breaks this.
> This applies to all the groups in the 'Well Known SIDs' (basicaly the
> groups created by a provision), apart from Domain Users.
More information about the samba