[Samba] Access denied on GPO after "ntacl sysvolreset"

Rowland Penny rpenny at samba.org
Fri Apr 11 11:12:13 UTC 2025


On Fri, 11 Apr 2025 11:27:21 +0200
Havany via samba <samba at lists.samba.org> wrote:

> Hi Klaas,
> 
> Luis may have been referring to bug 14213 (Windows Explorer crashes
> on S-1-22-* Unix-SIDs when accessing the Security tab), fixed in
> version 4.21.4. This bug also causes gpedit to crash.
> 
> You may have a mapping issue with your IDmap on domain controllers.
> 
> I wrote a script to display the mapping in a readable form (see the
> end of this post).
> 
> To reset the mapping on all DCs, here's what I do (note! You need to 
> adapt it to your configuration; this is for FreeBSD with a ZFS
> dataset for Sysvol and NFS4ACL) (inspired by the migration of the
> RFC2703 schema to TDB of Tranquil IT: 
> https://samba.tranquil.it/doc/en/samba_config_server/samba_rfc_to_tdb.html):

That, in my opinion, isn't actually migrating the RFC2307 schema; the
RFC2307 schema is actually part of the standard AD schema.

There are a few other ways around this problem:

Do not use 'idmap_ldb:use rfc2307 = yes' in the DCs' smb.conf; this
will lead to only the '3000000' xidNumber attributes from idmap.ldb
being used on Samba AD DCs instead of any uidNumber or gidNumber
attributes in AD. This will negate any uidNumber or gidNumber
attributes in AD.

Do not give Domain Admins a gidNumber attribute; you can create another
group similar to Domain Admins (I used to use a group called Unix
Admins), give that group a gidNumber and use that group on Unix instead
of Domain Admins.

Do not use RFC2307 attributes and use the rid or autorid idmap backends
on Unix domain members.

If you do use RFC2307 attributes, then you only really need to give the
Domain Users group a gidNumber, along with any groups you create that
you want to be visible on Unix domain members.

As the idmap_ldb backend found on Samba AD DCs is an allocating backend
and different IDs can be allocated to users and groups depending on when
they first come to a DC's notice, you need to sync idmap.ldb between all
DCs; however, this doesn't need to be done regularly, as the changes
that matter only really happen when a DC first runs.

Rowland
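Rowland's last two points (IDs allocated by idmap_ldb differ between DCs unless idmap.ldb is synced, and a uidNumber/gidNumber in AD is only honoured on a DC with 'idmap_ldb:use rfc2307 = yes') can be checked from the idmap.ldb dumps of the DCs. The script below is an added example in Python; it is not code from the post, from Havany's script or from Samba. It parses the LDIF-style text that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints (the usual default path is an assumption), and the two dumps, the domain SID S-1-5-21-1111-2222-3333, the DC names and the gidNumber value 10512 are all constructed for the example.

```python
# Added example (not code from the samba list post): compare the SID ->
# xidNumber allocations in idmap.ldb on two DCs.  Input is the LDIF text
# that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints; the dumps,
# SIDs and AD values below are constructed for this example.

# Constructed DC1 dump: Domain Admins (RID 512) was allocated first.
DC1_DUMP = """\
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000002

dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# Constructed DC2 dump: Domain Users (RID 513) came to this DC's notice
# first, so the two groups swapped xids, and user RID 1104 was only seen here.
DC2_DUMP = """\
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000003

dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_UID
xidNumber: 3000002
"""

# Constructed: the RFC2307 attribute the same group carries in AD.
AD_RFC2307 = {"S-1-5-21-1111-2222-3333-512": ("gidNumber", 10512)}

def _records(text):
    """Yield one {attr: value} dict per blank-line-separated LDIF record."""
    rec, prev = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):             # ldbsearch's "# record N" lines
            continue
        if line.startswith(" ") and prev:    # folded LDIF continuation line
            rec[prev] += line[1:]
        elif line:
            prev, _, value = line.partition(": ")
            rec[prev] = value
        elif rec:                            # blank line closes a record
            yield rec
            rec, prev = {}, None

def parse_idmap_dump(text):
    """Return ({objectSid: (type, xidNumber)}, (lowerBound, upperBound))."""
    mappings, bounds = {}, None
    for rec in _records(text):
        if rec.get("dn") == "CN=CONFIG":
            bounds = (int(rec["lowerBound"]), int(rec["upperBound"]))
        elif "objectSid" in rec:
            mappings[rec["objectSid"]] = (rec["type"], int(rec["xidNumber"]))
    return mappings, bounds

def diff_idmaps(a, b):
    """SIDs whose xidNumber differs, or exists on only one DC: {sid: (xa, xb)}."""
    out = {}
    for sid in sorted(set(a) | set(b)):
        xa = a[sid][1] if sid in a else None
        xb = b[sid][1] if sid in b else None
        if xa != xb:
            out[sid] = (xa, xb)
    return out

def rfc2307_shadowed(mappings, ad_ids):
    """SIDs whose AD uidNumber/gidNumber differs from the allocated xidNumber.
    With 'idmap_ldb:use rfc2307 = yes' the DC uses the AD value; without it
    the idmap.ldb xidNumber is what files on sysvol end up owned by."""
    return {sid: (mappings[sid][1], val) for sid, (_, val) in ad_ids.items()
            if sid in mappings and mappings[sid][1] != val}

def report(dc1_text, dc2_text, ad_ids):
    """Findings as text lines; the first line is DC1's allocation range."""
    a, bounds = parse_idmap_dump(dc1_text)
    b, _ = parse_idmap_dump(dc2_text)
    lines = [f"idmap_ldb allocation range: {bounds[0]}-{bounds[1]}"]
    for sid, (xa, xb) in diff_idmaps(a, b).items():
        lines.append(f"MISMATCH {sid}: dc1={xa} dc2={xb} (sync idmap.ldb)")
    for sid, (xid, adv) in rfc2307_shadowed(a, ad_ids).items():
        lines.append(f"RFC2307  {sid}: xidNumber {xid} in idmap.ldb, {adv} in AD")
    return lines
```

Run it with `print("\n".join(report(DC1_DUMP, DC2_DUMP, AD_RFC2307)))`, or feed it real dumps by replacing the two constructed strings with the output of ldbsearch taken on each DC. A MISMATCH line is the case Rowland describes: the same SID owns files under a different xid on each DC, which is exactly what a `ntacl sysvolreset` run on only one of them cannot repair; an RFC2307 line shows a group whose AD gidNumber is ignored unless the DC is configured with 'idmap_ldb:use rfc2307 = yes'.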