[Samba] Fwd: NT Authority\System on member servers

Rowland Penny rpenny at samba.org
Sat Nov 8 12:36:35 UTC 2025


On Sat, 8 Nov 2025 12:41:25 +0100
Moritz Zwerger via samba <samba at lists.samba.org> wrote:

> Hi there,
> I got the strange error that Windows is not creating a profile folder 
> (user.V6) on the network share (configured via GPO). The user has the 
> permission and can manually create it, but otherwise just the blue
> pop-up is there (login not possible).
> 
> I tracked this down and (think) that the issue is that I am not 
> granting permissions to the SYSTEM account on that particular share
> (see https://wiki.samba.org/index.php/The_SYSTEM_Account).
> 
> However I am unable to find that specific user on a domain member. It 
> exists on the domain controller (same samba version) and I can look
> it up with id "NT Authority\system".
> 
> 

First, let's take a walk through your smb.conf file:

> The member server has pretty much the following configuration:
> [global]
>          netbios name = USERHOME

There is no need to set the 'netbios name' parameter, Samba will do it
for you.

>          disable netbios = yes
>          password server = DC.DOMAIN.MUC

You should not set the 'password server' parameter; you should allow
Samba to select the best DC to use.

>          realm = DOMAIN.MUC
>          security = ADS
>          server role = member server
>          winbind use default domain = Yes
>          workgroup = DOMAIN
>          idmap config * : range = 10000-9999999
>          idmap config * : backend = autorid
>          idmap_ldb:use rfc2307 = yes

The 'idmap_ldb' parameter is only used in a Samba AD DC's smb.conf.

As you want to use 'SYSTEM', you also need:

  vfs objects = acl_xattr
  map acl inherit = Yes

> 
> 
> I do not want to use gibberish NT ACLs, I am using setfacl to set the 
> permissions:

I suggest you stop doing that and set them from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> 
> setfacl --set u::rwx,g::rwx,g:"domain users":rwx,other::---
> "/profiles" ...
> 
> I am running Samba version 4.22.3-Debian-4.22.3+dfsg-4 from Debian 
> trixie inside both containers.
> 
> 
> My question is:
> 
> How can I grant (at least fake it for windows) that the SYSTEM user
> has full permission?

The SID for 'SYSTEM' is 'S-1-5-18'; a normal Domain user SID is in the
format 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-RID'. I hope from
that you can see that 'SYSTEM' is not a DOMAIN user and is a bit
meaningless on Unix; you can set permissions on a Unix share, but only
from Windows.

You appear to be doing something for Windows, but do not seem to want
to do it in a Windows way.

Rowland
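The two points Rowland makes above, the smb.conf parameters that do not belong on a domain member (plus the two that are needed for Windows-managed ACLs) and the difference between the well-known SYSTEM SID and a domain SID, can be turned into a small offline check. The following is an added example written for this page, not code from the thread or from the Samba project. The sample configurations are constructed from the one quoted in the thread, the list of checks is exactly Rowland's list, and only the [global] section is inspected (a share-level `vfs objects` override would not be seen). It needs no Samba installation to run.

```python
import re
from collections import OrderedDict

# Constructed sample: the member-server [global] block as quoted in the
# thread, plus a hypothetical [profiles] share (not the poster's real file).
SAMPLE_SMB_CONF = """
[global]
    netbios name = USERHOME
    disable netbios = yes
    password server = DC.DOMAIN.MUC
    realm = DOMAIN.MUC
    security = ADS
    server role = member server
    winbind use default domain = Yes
    workgroup = DOMAIN
    idmap config * : range = 10000-9999999
    idmap config * : backend = autorid
    idmap_ldb:use rfc2307 = yes

[profiles]
    path = /profiles
    read only = no
"""

# Constructed sample with the changes suggested in the reply applied:
# 'netbios name', 'password server' and 'idmap_ldb:...' dropped,
# 'vfs objects = acl_xattr' and 'map acl inherit = Yes' added.
FIXED_SMB_CONF = """
[global]
    disable netbios = yes
    realm = DOMAIN.MUC
    security = ADS
    server role = member server
    winbind use default domain = Yes
    workgroup = DOMAIN
    idmap config * : range = 10000-9999999
    idmap config * : backend = autorid
    vfs objects = acl_xattr
    map acl inherit = Yes

[profiles]
    path = /profiles
    read only = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}.
    Samba treats parameter names as case-insensitive and ignores their
    whitespace, so keys are lower-cased with whitespace collapsed so that
    'Read Only' and 'read only' compare equal."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = OrderedDict()
            continue
        if current is None or "=" not in line:
            continue                      # stray text before any section
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_member_server(sections):
    """Apply the checks from the reply to [global] of a domain member.
    Returns a list of findings; an empty list means nothing was flagged."""
    g = sections.get("global", {})
    if g.get("server role", "").lower() != "member server":
        return ["not 'server role = member server'; checks do not apply"]
    findings = []
    if "netbios name" in g:
        findings.append("'netbios name' set: Samba derives it from the hostname")
    if "password server" in g:
        findings.append("'password server' set: let Samba choose the best DC")
    for key in g:
        if key.startswith("idmap_ldb:"):
            findings.append(f"'{key}' only belongs in an AD DC's smb.conf")
    if "acl_xattr" not in g.get("vfs objects", "").lower().split():
        findings.append("'vfs objects = acl_xattr' missing: needed to store "
                        "NT ACLs such as a SYSTEM entry")
    if g.get("map acl inherit", "").lower() not in ("yes", "true", "1"):
        findings.append("'map acl inherit = Yes' missing")
    return findings


# A domain (or local SAM) account SID: S-1-5-21-<3 subauthorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
# Only the well-known SID the thread discusses; Windows defines many more.
WELL_KNOWN_SIDS = {"S-1-5-18": "NT AUTHORITY\\SYSTEM"}


def classify_sid(sid):
    """('domain', rid) for an S-1-5-21 account SID, ('well-known', name) for
    a SID in WELL_KNOWN_SIDS, otherwise ('other', None). SYSTEM falls in the
    second group, which is why 'id' on a member cannot map it to a Unix user."""
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    m = DOMAIN_SID_RE.match(sid)
    if m:
        return ("domain", int(m.group(1)))
    return ("other", None)


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{label}: {lint_member_server(parse_smb_conf(conf)) or 'OK'}")
    for sid in ("S-1-5-18", "S-1-5-21-1111111111-2222222222-3333333333-1105"):
        print(sid, classify_sid(sid))
```

Running the script prints five findings for the configuration as posted and "OK" for the corrected one, and shows that S-1-5-18 resolves as a well-known SID rather than a domain account with a RID.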
 


