Stefanos Karasavvidis
2005-Aug-30 09:37 UTC
[Samba] idmap_rid / roaming profile permissions / NT AUTHORITY\SYSTEM
I'm struggling with roaming profile permissions as I can not "see" the
NT AUTHORITY\SYSTEM account.
I have:
-samba file server with acl 3.0.14a
-authentication with winbind and idmap_rid against Windows 2003 ADS
-using "default domain" in smb.conf for winbind
The roaming profile directories are on the samba machine under the users
home directory. As noted on several sites, the profile directory must
have the following permissions:
owner full control (this is ok)
SYSTEM (S-1-5-18) full control (here is the problem)
I can't add the permissions for the system account, as it is "not seen"
from samba. The result is that roaming profiles do not work.
I get the following output with wbinfo
wbinfo -s "S-1-5-18"
NT AUTHORITY\SYSTEM 5
wbinfo -n "NT AUTHORITY\SYSTEM"
S-1-5-18 Well-known Group (5)
wbinfo -Y "S-1-5-18"
Could not convert sid S-1-5-18 to gid <--------
wbinfo -S "S-1-5-18"
Could not convert sid S-1-5-18 to uid <--------
I tried to fix it with net groupmap, but it did not work (maybe I miss
something?)
So the question is: how do I set permissions for the SYSTEM account???
regards
Stefanos
--
=====================================================================
Stefanos Karasavvidis
Electronic & Computer Engineer, M.Eng.
e-mail : sk@isc.tuc.gr
Technical University of Crete, Campus
Information Systems Center
Address: Akrotiri, Chania, 73100
Tel.: Library Buildings
(+30) 28210 37352, (+30) 28210 37355, (+30) 28210 37376
Environmental Engineering Buildings
(+30) 28210 37766
Fax: (+30) 28210 37571
Stefanos Karasavvidis
2005-Sep-01 08:27 UTC
[Samba]SOLVED - idmap_rid / roaming profile permissions / NTAUTHORITY\SYSTEM
I solved the problem with my roaming profiles by just changing from
case sensitive = yes
to
case sensitive = auto
in smb.conf!!!
No permissions change, no nothing.
Stefanos
Stefanos Karasavvidis wrote:
> I'm struggling with roaming profile permissions as I can not "see" the
> NT AUTHORITY\SYSTEM account.
>
> I have:
> -samba file server with acl 3.0.14a
> -authentication with winbind and idmap_rid against Windows 2003 ADS
> -using "default domain" in smb.conf for winbind
>
> The roaming profile directories are on the samba machine under the users
> home directory. As noted on several sites, the profile directory must
> have the following permissions:
> owner full control (this is ok)
> SYSTEM (S-1-5-18) full control (here is the problem)
>
> I can't add the permissions for the system account, as it is "not seen"
> from samba. The result is that roaming profile do not work
>
> I get the following output with wbinfo
> wbinfo -s "S-1-5-18"
> NT AUTHORITY\SYSTEM 5
>
> wbinfo -n "NT AUTHORITY\SYSTEM"
> S-1-5-18 Well-known Group (5)
>
> wbinfo -Y "S-1-5-18"
> Could not convert sid S-1-5-18 to gid <--------
>
> wbinfo -S "S-1-5-18"
> Could not convert sid S-1-5-18 to uid <--------
>
> I tried to fix it with net groupmap, but it did not work (maybe I miss
> something?)
>
> So the question is: how do I set permissions for the SYSTEM account???
>
>
> regards
> Stefanos
--
=====================================================================
Stefanos Karasavvidis
Electronic & Computer Engineer, M.Eng.
e-mail : sk@isc.tuc.gr
Technical University of Crete, Campus
Information Systems Center
Address: Akrotiri, Chania, 73100
Tel.: Library Buildings
(+30) 28210 37352, (+30) 28210 37355, (+30) 28210 37376
Environmental Engineering Buildings
(+30) 28210 37766
Fax: (+30) 28210 37571
Hi!
Here is situation:
1. We decided to switch on "Auto proxy config" in our network (you know,
wpad.example.com, etc.)
2. After that, a lot of robots (checking for new versions, upgrading,
esp. M$ upg) on client computers start trying to fetch resources, but
w/o any authentication (or I don't understand what is going on :).
3. Result is unexpected: a lot of "requests in queue" to ntlm_auth;
because of this, squid restarts every 2 min in the morning when
computers are going up. :(
Tech info:
Linux 2.6.11.12
glibc-2.3.5
gcc-3.4.4
samba-3.0.20, no patches
krb5-1.3.1 (MIT)
squid-2.5.10
ntlm_auth from samba pack
Joined to 2k3 AD.
My ideas about why this happens are exhausted (all of them are unproductive
:).
ANYBODY, please, if you have similar, or heard about this situation, please
let me know.
Maybe some ideas about fighting against it?
Thnx in advance.
/aTan