samba - Jul 2016 - Why is Samba4 not recommended as a file server?

On 28/07/16 09:43, Volker Lendecke wrote:
> You can of course export file shares from a DC. It's just that our 
> file server has seen much wider deployment as an AD member instead of 
> a DC, that's all. There is much more experience with it, and all the 
> topics around idmapping are much better known. I'm not saying that 
> they are much better implemented, it's just the better-known setup. 
> Volker 
Hi Volker, as far as I can see, the only problem is idmapping, only 
yesterday I found out that giving Domain Admins a gidNumber isn't a good 
idea, the group needs to own Policies in sysvol.

Rowland

Can you explain why it would be an issue giving GID to "Domain Admins"
group?

2016-07-28 10:50 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 28/07/16 09:43, Volker Lendecke wrote:
>
>> You can of course export file shares from a DC. It's just that our
file
>> server has seen much wider deployment as an AD member instead of a DC,
>> that's all. There is much more experience with it, and all the
topics
>> around idmapping are much better known. I'm not saying that they
are much
>> better implemented, it's just the better-known setup. Volker
>>
>
> Hi Volker, as far as I can see, the only problem is idmapping, only
> yesterday I found out that giving Domain Admins a gidNumber isn't a
good
> idea, the group needs to own Policies in sysvol.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 28/07/16 10:32, mathias dufresne wrote:
> Can you explain why it would be an issue giving GID to "Domain
Admins"
> group?
>
This is because Domain Admins has to own group policies in sysvol, not 
as a group but as a user. If you give Domain Admins a gidNumber, it 
becomes purely a group, so it cannot own the group policies as a user.

Rowland