[Samba] Fwd: NT Authority\System on member servers
Moritz Zwerger
bixilon at bixilon.de
Sat Nov 8 11:41:25 UTC 2025
Hi there,
I got the strange error that Windows is not creating a profile folder
(user.V6) on the network share (configured via GPO). The user has the
permission and can manually create it, but otherwise just the blue pop-up
is there (login not possible).
I tracked this down and (I think) the issue is that I am not
granting permissions to the SYSTEM account on that particular share (see
https://wiki.samba.org/index.php/The_SYSTEM_Account).
However I am unable to find that specific user on a domain member. It
exists on the domain controller (same samba version) and I can look it
up with id "NT Authority\system".
The member server has pretty much the following configuration:

[global]
    netbios name = USERHOME
    disable netbios = yes
    password server = DC.DOMAIN.MUC
    realm = DOMAIN.MUC
    security = ADS
    server role = member server
    winbind use default domain = Yes
    workgroup = DOMAIN
    idmap config * : range = 10000-9999999
    idmap config * : backend = autorid
    idmap_ldb:use rfc2307 = yes

I do not want to use gibberish NT ACLs; I am using setfacl to set the
permissions:
setfacl --set u::rwx,g::rwx,g:"domain users":rwx,other::--- "/profiles"
...
I am running Samba version 4.22.3-Debian-4.22.3+dfsg-4 from Debian
trixie inside both containers.
My question is:
How can I grant (at least fake it for Windows) that the SYSTEM user has
full permission?
Thanks, appreciate any help!
Moritz