On Sat, 8 Nov 2025 12:41:25 +0100
Moritz Zwerger via samba <samba at lists.samba.org> wrote:
> Hi there,
> I got the strange error that Windows is not creating a profile folder
> (user.V6) on the network share (configured via gpo). The user has the
> permission and can manually create it, but otherwise just the blue
> pop up is there (login not possible).
>
> I tracked this down and (think) that the issue is, that I am not
> granting permissions to the SYSTEM account to that particular share
> (See https://wiki.samba.org/index.php/The_SYSTEM_Account).
>
> However I am unable to find that specific user on a domain member. It
> exists on the domain controller (same samba version) and I can look
> it up with id "NT Authority\system".
>
>
First let's take a walk through your smb.conf file:
> The member server has pretty much the following configuration:
> [global]
> netbios name = USERHOME
There is no need to set the 'netbios name' parameter, Samba will do it
for you.
> disable netbios = yes
> password server = DC.DOMAIN.MUC
You should not set the 'password server' parameter, you should allow
Samba to select the best DC to use.
> realm = DOMAIN.MUC
> security = ADS
> server role = member server
> winbind use default domain = Yes
> workgroup = DOMAIN
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> idmap_ldb:use rfc2307 = yes
The 'idmap_ldb' parameter is only used in a Samba AD DC's smb.conf.
As you want to use 'SYSTEM', you also need:
vfs objects = acl_xattr
map acl inherit = Yes
>
>
> I do not want to use gibberish NT ACLs, I am using setfacl to set the
> permission:
I suggest you stop doing that and set them from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> setfacl --set u::rwx,g::rwx,g:"domain users":rwx,other::---
> "/profiles" ...
>
> I am running Samba version 4.22.3-Debian-4.22.3+dfsg-4 from debian
> trixie inside both containers.
>
>
> My question is:
>
> How can I grant (at least fake it for windows) that the SYSTEM user
> has full permission?
The SID for 'SYSTEM' is 'S-1-5-18'; a normal Domain user SID is in the
format 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-RID'. I hope from
that you can see 'SYSTEM' is not a DOMAIN user and is a bit
meaningless on Unix. You can set permissions on a Unix share, but only
from Windows.
You appear to be doing something for Windows, but do not seem to want
to do it in a Windows way.
Rowland
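The SID distinction Rowland draws above (S-1-5-18 is a well-known NT AUTHORITY SID, while domain accounts look like S-1-5-21-x-y-z-RID) is easy to check mechanically. The following is an added, stand-alone example written for this thread; it is not code from the Samba project or from either poster. It parses the textual SID form, validates the field widths, and reports whether a SID is well-known, a BUILTIN alias, a domain SID, or a domain-relative account. The name tables are small constructed subsets of the published well-known values, and the function names are my own; how Samba's idmap backends actually map each kind to Unix ids is not modelled here.

```python
"""Classify Windows security identifiers (SIDs) by authority and sub-authorities.

Added example for the Samba list thread above; not Samba project code.
Textual form: 'S-1-<identifier authority>-<sub1>-...-<subN>'.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of well-known SIDs (full textual SID -> account name).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
# Constructed subsets: BUILTIN aliases (RID under S-1-5-32) and domain RIDs.
BUILTIN_RIDS = {544: "BUILTIN\\Administrators", 545: "BUILTIN\\Users"}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class SidInfo:
    sid: str
    kind: str                 # well-known | builtin | domain | domain-account | other
    name: Optional[str]       # resolved name where the constructed tables know it
    domain_id: Optional[str]  # 'S-1-5-21-x-y-z' for domain-scoped SIDs
    rid: Optional[int]        # relative identifier for builtin / domain-account SIDs


def parse_sid(text: str) -> tuple[int, list[int]]:
    """Validate the string form; return (identifier authority, sub-authorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {text!r}")
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in {text!r}") from None
    if not 0 <= authority < 2 ** 48:            # identifier authority is 48 bits wide
        raise ValueError("identifier authority out of range")
    if len(subs) > 15:                          # at most 15 sub-authorities
        raise ValueError("too many sub-authorities")
    if any(not 0 <= s < 2 ** 32 for s in subs):  # each sub-authority is 32 bits wide
        raise ValueError("sub-authority out of range")
    return authority, subs


def classify_sid(text: str) -> SidInfo:
    """Decide what kind of principal a SID denotes."""
    authority, subs = parse_sid(text)
    if text in WELL_KNOWN:
        return SidInfo(text, "well-known", WELL_KNOWN[text], None, None)
    if authority == 5 and subs[:1] == [32] and len(subs) == 2:
        # S-1-5-32-<RID>: a BUILTIN alias local to the machine
        return SidInfo(text, "builtin", BUILTIN_RIDS.get(subs[1]), None, subs[1])
    if authority == 5 and subs[:1] == [21] and len(subs) == 4:
        # S-1-5-21-x-y-z: the domain (or local machine) SID itself
        return SidInfo(text, "domain", None, text, None)
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        # S-1-5-21-x-y-z-RID: an account relative to that domain
        domain = "-".join(text.split("-")[:-1])
        return SidInfo(text, "domain-account", DOMAIN_RIDS.get(subs[4]), domain, subs[4])
    return SidInfo(text, "other", None, None, None)


def is_domain_account(text: str) -> bool:
    """True only for S-1-5-21-x-y-z-RID, the form the reply describes as a domain user."""
    return classify_sid(text).kind == "domain-account"


if __name__ == "__main__":
    # Constructed sample SIDs; the domain part is made up.
    for sid in ("S-1-5-18", "S-1-5-32-544",
                "S-1-5-21-1111111111-2222222222-3333333333-513"):
        print(sid, classify_sid(sid))
```

Running the block shows S-1-5-18 classified as a well-known SID with no domain part and no RID, which is exactly why it cannot be expressed as a domain user in a POSIX ACL; on a real member server, `wbinfo --sid-to-name S-1-5-18` shows how winbind itself resolves it.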