[Samba] DC2 denies access when sa­ving through the Group Po­licy Management Console

Rowland Penny rowlandpenny at googlemail.com
Sat Nov 1 10:19:12 MDT 2014

On 01/11/14 15:28, ?icro MEGAS wrote:
> Hello list,
> I am not sure if this is a bug or known already but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync for the sysvol directory as described on samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5min.
> On a win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When i right-click on the left pane onto my domain name "mydom.example.com" I can choose "Change Domain Controller...". Inside the window which is opened, on the bottom I see my two domain controllers which I can choose I'd like to connect to. Whatever I can configure while connected on DC1, the changes are propagated to DC2 after max. 5minutes and I can check that the settings are successfully transferred to DC2.
> But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save  ... Access denied" and stuff like that. I cannot modify settings on DC2, why? Shouldn't it normally work?
> Mirco.I think I am approaching the issue. When I am logged in with a domain admin account on the windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I did "getfacl /var/lib/samba/sysvol" on both, DC1 and DC2 and the result is...
> # file: sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> As you see, the gid=3000000 is not resolved on my domain controllers, thus it's explained why my domain admin account cannot access the share. The strange thing is: why am I able to make modifications on GPOs on DC1 ?? And the most important question: how do I reset/setup the correct acl parameters for sysvol? I want to add, that I don't use winbind on DC1 or DC2. Do I really have to enable winbind also on DC1+DC2? Please give me some advice.
> Thank you.
> Mirco
The gid is being resolved on the DC, just not in the way that you 
expect, if you open idmap.ldb in ldbedit, you will find that '3000000' 
comes from the well known SID 'S-1-5-32-544', this is the 
'Administrators' group in AD.

The others are:
3000001 S-1-5-32-549 Server Operators
3000002 S-1-5-18 Local System
3000003 S-1-5-11 Authenticated Users

If you need to reset the sysvol ACL's, then there is a command for it:

samba-tool ntacl sysvolreset

You can check the ACL's on sysvol with:

samba-tool ntacl sysvolcheck

You do not need to run either, your ACL's are correct

You are using winbind on the server, it is either built into the samba 
daemon, or if you are running 4.2, it is now called 'winbindd' and is 
started by the samba daemon.

I think that your problem is that when you join another DC to the 
domain, idmap.ldb is not replicated, so when you sync sysvol from the 
first DC to the second the 'xidnumbers' i.e. '3000000' do not match what 
is in idmap.ldb on the second DC, so the permissions are not correct, 
the cure is to copy idmap.ldb from the first DC to any other DC's.


More information about the samba mailing list