[Samba] Why would "net rpc rights grant" fail ?

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 17 04:07:31 MDT 2014


On 17/04/14 10:37, Koenraad Lelong wrote:
> op 17-04-14 11:05, Rowland Penny schreef:
>>
>> If you run this command (replacing 'DC=example,DC=com' with your suffix
>> and assuming that sam.ldb is in /var/lib/samba/private/) :
>>
>> ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -b
>> CN=Administrators,CN=Builtin,DC=example,DC=com -s sub "(objectclass=*)"
>>
>> You should get something similar to this:
>>
> Mine :
>
> # record 1
> dn: CN=Administrators,CN=Builtin,DC=ad01,DC=ace-electronics,DC=be
> cn: Administrators
> description: Administrators have complete and unrestricted access to the computer/domain
> member: CN=Domain Admins,CN=Users,DC=ad01,DC=ace-electronics,DC=be
> member: CN=Enterprise Admins,CN=Users,DC=ad01,DC=ace-electronics,DC=be
> member: CN=Administrator,CN=Users,DC=ad01,DC=ace-electronics,DC=be
> instanceType: 4
> whenCreated: 20140414142941.0Z
> uSNCreated: 3562
> name: Administrators
> objectGUID: fb40ba19-9d5f-4390-8070-3ba1e7e15b12
> objectSid: S-1-5-32-544
> adminCount: 1
> sAMAccountName: Administrators
> sAMAccountType: 536870912
> systemFlags: -1946157056
> groupType: -2147483643
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ad01,DC=ace-electronics,DC=be
> isCriticalSystemObject: TRUE
> gidNumber: 65533
> whenChanged: 20140414142944.0Z
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: ace_domain
> uSNChanged: 3802
> distinguishedName: CN=Administrators,CN=Builtin,DC=ad01,DC=ace-electronics,DC=be
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Here also : gidNumber: 65533.
>
>
> Koenraad.
>
OK, I take it that you have not altered the Administrators group 
yourself, and all you have done is run 'samba-tool domain classicupgrade'; 
is this correct?

If this is correct, then somehow the group 'nobody' on the old server 
with the gid of '65533' has got mapped to your Administrators group.

I would suggest that you remove the following from your Administrators 
group:

objectClass: posixGroup
gidNumber: 65533
msSFU30NisDomain: ace_domain

You can do this with ldbedit:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb

Search for 
'CN=Administrators,CN=Builtin,DC=ad01,DC=ace-electronics,DC=be' and then 
just delete them.

Then run 'samba-tool ntacl sysvolreset'.

Hopefully, this should reset the ownership of sysvol to what it should be.

Rowland
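The same fix as a non-interactive script, added here as an example; it is not part of Rowland's reply or of Samba itself. It feeds ldbmodify the LDIF equivalent of the three deletions Rowland describes doing by hand in ldbedit, checks the group before and after, and only then runs 'samba-tool ntacl sysvolreset'. It assumes ldb-tools (ldbsearch/ldbmodify) are installed on the DC, that sam.ldb is in /var/lib/samba/private, and that the Administrators DN is the one from Koenraad's ldbsearch output; the APPLY variable, the function names and the backup copy of the private directory are my additions, and that copy is only consistent if samba is stopped while you run it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumptions (mine):
# ldb-tools on the DC, sam.ldb under /var/lib/samba/private, and the
# Builtin\Administrators DN as shown in Koenraad's ldbsearch output.
set -eu

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
ADMINS_DN="${ADMINS_DN:-CN=Administrators,CN=Builtin,DC=ad01,DC=ace-electronics,DC=be}"

# Emit the LDIF that strips the stray RFC2307/NIS attributes from the group.
# These are the same three lines Rowland says to delete in ldbedit; each
# change is terminated by a line containing only '-'.
strip_rfc2307_ldif() {
    dn="$1"
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'delete: objectClass\nobjectClass: posixGroup\n-\n'   # only this value, keep top/group
    printf 'delete: gidNumber\n-\n'                              # no value given: delete all values
    printf 'delete: msSFU30NisDomain\n-\n'
}

# Exit 0 if the group still carries any of the three attributes.
has_rfc2307_attrs() {
    ldbsearch -H "$SAM_LDB" -b "$1" -s base '(objectClass=*)' \
        objectClass gidNumber msSFU30NisDomain |
        grep -Eq '^(objectClass: posixGroup|gidNumber:|msSFU30NisDomain:)'
}

fix_admins_group() {
    if ! has_rfc2307_attrs "$ADMINS_DN"; then
        echo "nothing to do: $ADMINS_DN has no posixGroup/gidNumber/msSFU30NisDomain" >&2
        return 0
    fi
    # Precaution added here: copy the whole private dir (sam.ldb's partitions
    # live in sam.ldb.d/) before writing to it. Stop samba first for a
    # consistent copy.
    priv="$(dirname "$SAM_LDB")"
    cp -a "$priv" "$priv.bak.$(date +%Y%m%d%H%M%S)"
    strip_rfc2307_ldif "$ADMINS_DN" | ldbmodify -H "$SAM_LDB"
    if has_rfc2307_attrs "$ADMINS_DN"; then
        echo "attributes still present on $ADMINS_DN after ldbmodify" >&2
        return 1
    fi
    # Rowland's last step: rebuild the sysvol ACLs now that the group no
    # longer maps to gid 65533.
    samba-tool ntacl sysvolreset
}

# Only touch the database when explicitly asked (APPLY=1); otherwise just
# print the LDIF so it can be reviewed first.
if [ "${APPLY:-0}" = "1" ]; then
    fix_admins_group
else
    strip_rfc2307_ldif "$ADMINS_DN"
fi
```

Run it once without APPLY to see the LDIF, then 'APPLY=1 sh fix-admins.sh' on the DC. If ldbmodify refuses the objectClass change, ldbedit on the same DN, as Rowland suggests, is the fallback; the check function still tells you afterwards whether the attributes are gone.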

