[Samba] sysvol share: access to the security tab

Rowland Penny rpenny at samba.org
Mon Oct 21 15:17:03 UTC 2024


On Mon, 21 Oct 2024 17:01:36 +0200
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

> hi all,
> 
> I am maybe in the situation described here: 
> https://wiki.samba.org/index.php/Sysvolreset.
> 
> The Domain Admins group does indeed have a gidNumber and alas I ran a
> 
> ./bin/samba-tool ntacl sysvolcheck
> 
> What's more in my situation is that when I access the sysvol from the 
> Windows side (runas /user:administrator computer management ->
> connect to server -> system -> shares -> sysvol), as soon as I click
> on the 'security' tab, the commandlet crashes.
> 
> The sysvol folder still serves the group policies correctly, the 
> administrator can edit them, but all other users who used to manage
> them are now forbidden.
> 
> I already ran the samba-check-set-sysvol.sh script; from the Linux
> side the ACLs look fine (they are incomplete, but I know that I need
> to grant the privileges from the Windows side, which I can't reach).
> 
> I didn't find any piece of useful information about the 'computer 
> management' crash in event viewer or in samba logs.
> 
> What am I missing?
> 

It is not so much what you are missing, it is probably what you have
got ;-)

The situation hasn't changed, Domain Admins still needs to own things
in sysvol and cannot if it has a gidNumber attribute, so remove it and
run 'net cache flush' everywhere on Unix land.

If you must have a Domain Admins type group on Unix, then create one in
AD, give that a gidNumber attribute and join it to Administrators.

Rowland
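
The check-and-remove step described in the reply above, as an added example that is not part of the original thread: it reads ldbsearch output for Domain Admins and emits the LDIF change that deletes gidNumber, only if the attribute is present. The sam.ldb path, the example DN and the gid value 10512 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run the live commands as root on a DC.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"  # assumed path; varies by build

# Constructed sample of ldbsearch output so the block runs without a DC.
SAMPLE_LDIF='# record 1
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
gidNumber: 10512

# returned 1 records
'

# Read ldbsearch-style LDIF on stdin. If the entry carries gidNumber, print
# the LDIF change record that deletes it; print nothing otherwise.
# Folded lines (continuations starting with one space) are joined first.
gidnumber_removal_ldif() {
    awk '
        function handle(l) {
            if (l ~ /^dn: /)             dn  = substr(l, 5)
            else if (l ~ /^gidNumber: /) gid = substr(l, 12)
        }
        /^ / { cur = cur substr($0, 2); next }
             { handle(cur); cur = $0 }
        END {
            handle(cur)
            if (dn != "" && gid != "") {
                print "dn: " dn
                print "changetype: modify"
                print "delete: gidNumber"
                print "gidNumber: " gid
                print "-"
            }
        }'
}

# Live usage on a DC (commented out so the block runs offline):
#   ldbsearch -H "$SAM_LDB" '(sAMAccountName=Domain Admins)' gidNumber \
#       | gidnumber_removal_ldif > /tmp/da-gid.ldif
#   [ -s /tmp/da-gid.ldif ] && ldbmodify -H "$SAM_LDB" /tmp/da-gid.ldif
#   net cache flush                  # on every Unix machine, per the reply
#   samba-tool ntacl sysvolcheck     # re-check the sysvol ACLs afterwards

# Demo on the constructed sample: prints the change record.
printf '%s' "$SAMPLE_LDIF" | gidnumber_removal_ldif
```

An empty result means Domain Admins has no gidNumber and nothing needs to be modified.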
