[Samba] Rights issue on GPO

Rowland Penny rpenny at samba.org
Mon Jun 20 20:32:09 UTC 2016


On 20/06/16 21:17, mj wrote:
> Hi,
>
>> OK, I take it that 3000009 points to CN=S-1-5-11 and it is just
>> CN=S-1-5-18 that is wrong by pointing at proxmox$ (which incidentally,
>> is one of your computers)
>> Try backing up idmap.ldb, then open idmap.ldb in ldbedit, find and
>> delete the stanza that holds CN=S-1-5-18, it will look like this:
>>
>> dn: CN=S-1-5-18
>> cn: S-1-5-18
>> objectClass: sidMap
>> objectSid: S-1-5-18
>> type: ID_TYPE_BOTH
>> xidNumber: 3000002   # NOTE: your number will be different!
>> distinguishedName: CN=S-1-5-18
>>
>> Just delete it and then close & save your editor, run 'net cache flush'
>> and then let Samba recreate the record.
>
> So, I did that, and output is still the same...?
>
> I re-checked idmap.ldb on dc4, and a new entry was generated for 
> CN=S-1-5-18, but not with the expected xidNumber 3000300 (like on 
> dc2/dc3) but 3000306.
>
> Then I searched idmap.ldb on dc4 for xidNumber 3000300, and it already
> exists for a record:
>
>> # record 295
>> dn: CN=S-1-5-21-90123450-981238634-861235949-133256
>> cn: S-1-5-21-90123450-981238634-861235949-133256
>> objectClass: sidMap
>> objectSid: S-1-5-21-90123450-981238634-861235949-133256
>> type: ID_TYPE_BOTH
>> xidNumber: 3000300
>> distinguishedName: CN=S-1-5-21-90123450-981238634-861235949-133256
>
> My guess is that this is the proxmox test machine we saw in the 
> getfacl output on ./sysvol.
>
> Should I simply delete that record as well..? (or am I being far too 
> optimistic now?)
>
> MJ
>

You could, but what does getfacl now show for sysvol?
You could also try running sysvolreset on sysvol.

Rowland
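
The mismatch discussed in this thread (the same SID mapped to a different xidNumber on dc4 than on dc2/dc3, with the expected number already held by another SID) can be checked mechanically across DCs. The following is an added example, not part of the original messages. It assumes each DC's idmap.ldb has been dumped to LDIF text (for instance with ldbsearch); the function names are hypothetical and the sample dumps are constructed from the values quoted above.

```python
import re

# Constructed sample dumps that mirror the values quoted in this thread.
DC2_DUMP = """\
# record 1
dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
xidNumber: 3000300
"""
DC4_DUMP = """\
# record 1
dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
xidNumber: 3000306

# record 295
dn: CN=S-1-5-21-90123450-981238634-861235949-133256
objectClass: sidMap
objectSid: S-1-5-21-90123450-981238634-861235949-133256
xidNumber: 3000300
"""

def parse_sidmap(ldif_text):
    """Return {objectSid: xidNumber} for each sidMap stanza in an LDIF dump."""
    mapping = {}
    for stanza in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in stanza.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip "# record N" comments and malformed lines
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())
        if (attrs.get("objectClass") == "sidMap"
                and {"objectSid", "xidNumber"} <= attrs.keys()):
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare(reference, suspect):
    """List (sid, expected_xid, actual_xid, sid_holding_expected_xid) mismatches."""
    owner_of = {xid: sid for sid, xid in suspect.items()}
    return [(sid, want, suspect[sid], owner_of.get(want))
            for sid, want in sorted(reference.items())
            if sid in suspect and suspect[sid] != want]

if __name__ == "__main__":
    for row in compare(parse_sidmap(DC2_DUMP), parse_sidmap(DC4_DUMP)):
        print("SID %s: expected xid %d, found %d; expected xid held by %s" % row)
```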



