Another approach is to remove 'idmap_ldb rfc2307 = yes' from your DCs.
You most likely don't need it, and it tends to complicate things
unnecessarily. For more information, check out this article:
http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
Feedback welcome.
On Oct 21, 2024 at 17:17 +0200, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Mon, 21 Oct 2024 17:01:36 +0200
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>
> > hi all,
> >
> > I am maybe in the situation described here:
> > https://wiki.samba.org/index.php/Sysvolreset.
> >
> > The admins domains groups has indeed a gidNumber and alas I run a
> >
> > ./bin/samba-tool ntacl sysvolcheck
> >
> > What's more in my situation is that when I access the sysvol from the
> > windows side (runas /user:administrator computer management ->
> > connect to server -> system -> shares -> sysvol), as soon as I click
> > on the 'security' tab, the commandlet crashes.
> >
> > The sysvol folder still serves correctly the group policies, the
> > administrator can edit them, but all other users who used to manage
> > them are now forbidden.
> >
> > I already run the samba-check-set-sysvol.sh script, from the linux
> > side the acl look fine (they are incomplete, but I know that I need
> > to grant the privileges from the windows side, whom I can't reach).
> >
> > I didn't find any piece of useful information about the 'computer
> > management' crash in event viewer or in samba logs.
> >
> > What am I missing?
> >
>
> It is not so much what you are missing, it is probably what you have
> got ;-)
>
> The situation hasn't changed, Domain Admins still needs to own things
> in sysvol and cannot if it has a gidNumber attribute, so remove it and
> run 'net cache flush' everywhere on Unix land.
>
> If you must have a Domain Admins type group on Unix, then create one in
> AD, give that a gidNumber attribute and join it to Administrators.
>
> Rowland
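
Added example, not part of the thread and not Samba's own tooling: a small filter that turns `ldbsearch` output into the LDIF change that deletes `gidNumber`, which is the removal the quoted reply recommends for Domain Admins. The sample LDIF, the domain name, the `sam.ldb` path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Turns `ldbsearch ... gidNumber` output
# into an LDIF change that deletes gidNumber from every entry that carries it.

# Constructed sample of ldbsearch output; the domain name is made up and the
# first DN is folded onto a continuation line, as LDIF allows.
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=exampl
 e,DC=com
gidNumber: 10000

# record 2
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com

# returned 2 records
EOF
}

# Read LDIF on stdin, write one "delete: gidNumber" change per affected entry.
gidnumber_removal_ldif() {
    awk '
        function emit() {
            if (dn != "" && has_gid)
                printf "%s\nchangetype: modify\ndelete: gidNumber\n-\n\n", dn
            dn = ""; has_gid = 0; last = ""
        }
        /^ /      { if (last == "dn") dn = dn substr($0, 2); next }  # unfold DN
        /^$/      { emit(); next }                                   # end of record
        /^#/      { next }                                           # comments
        /^dn::? / { dn = $0; last = "dn"; next }
                  { last = "attr" }
        tolower($0) ~ /^gidnumber: / { has_gid = 1 }
        END       { emit() }
    '
}

# Real use on a DC (the sam.ldb path is an assumption, adjust to your build):
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       '(sAMAccountName=Domain Admins)' gidNumber | gidnumber_removal_ldif > fix.ldif
#   ldbmodify -H /usr/local/samba/private/sam.ldb fix.ldif
#   net cache flush        # on every Unix machine, as the quoted reply advises
sample_ldif | gidnumber_removal_ldif
```

Review the generated `fix.ldif` before applying it; an empty file means the searched entries carry no `gidNumber` and there is nothing to remove.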