Strange ACL UID/GID issue with robocopy


Hi everybody,

I’m running some UCS servers in a mixed Windows AD - UCS domain. Plan is to do a domain takeover in the near futur. But for now I do have a strange ACL issue on the samba shares.

If I create files/folders or play with the ACL on the shares from a Windows client everything is working fine.
But if I mirror a share from a Windows server to one of the UCS servers using robocopy /MIR /COPYALL /ZB … I can’t access the shares one the UCS server anymore.
getfacl gives some strange things:

getfacl -n XXXXXXXX
# file: XXXXXXXX
# owner: 0
# group: 5001

I’ve made a script that basically copies the ACL from the 55xxx to the 5yyy and removes the 55xxx ACLs (same for uid and gid 0 to Administrator / Domain Admins)

For me it look like samba is getting confused between the different user backends. Normal access to the share uses uids and gids I get from NSS (getent…), whereas robocopy /COPYALL seems to set the uid and gid from the internal samba / ldap mapping (at least the ids are in the range defined in smb.conf for the ldap backend).

Maybe this is due to the fact that all domain users get the POSIX account enabled by the AD replication ?



what exactly do you mean by “mixed mode”? Is the UCS server joined as a memberserver? Or is it using the AD Connector for account/group synchronization?

Kind regards,


We are currently running as a test for a future AD Takeover:

  • UCS Master : Active Directory Connection + Windows compatible Memberserver
  • UCS Slave (in remote location) : Windows compatible Memberserver
  • UCS Memberserver (this is the file server i’m making the file copies to) : Windows compatible Memberserver



this is somewhat tricky. I’d like to compare the SIDs used by WIndows and the UCS DC Master for one of the users whose ACLs end up as strange UIDs on the Linux side. Can you please do the following:

  1. On the Windows machine you’re running start a PowerShell. In the shell type the following: [wmi] "win32_userAccount.Domain='linet',Name='mbunkus'" Replace linet with your domain name and mbunkus with the user’s name whose ACLs get mangled.
  2. On the UCS DC Master please run the following: univention-ldapsearch uid=mbunkus sambaSid Again, replace mbunkus with that user’s name.

Then post the output of both commands here.


Kind regards,