[Samba] Rebuild the Corrupt default Group Policy

Kris Lou klou at themusiclink.net
Thu Jul 13 19:19:13 UTC 2017


This would be a good HOWTO for the wiki ... can you provide details on
restoring default policies?


Kris Lou
klou at themusiclink.net

On Thu, Jul 13, 2017 at 6:26 AM, Anantha Raghava via samba <
samba at lists.samba.org> wrote:

> Hello Rowland,
>
> The bash script you shared does not work. It doesn't reset the ACLs as
> expected. Finally, I copied the default policies to the Domain Controller
> SYSVOL folder and manually set the permissions and Windows RSAT accepted
> those changes and it started working properly.
>
> --
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
>
> Do not print this e-mail unless required. Save Paper & trees.
> On 07/07/17 2:39 PM, Rowland Penny wrote:
>
>> On Fri, 7 Jul 2017 05:29:30 +0530
>> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>>
> >>> Hello Marc,
> >>>
> >>>> Hi Anantha,
> >>>>
>>>> Am 06.07.2017 um 10:02 schrieb Anantha Raghava via samba:
>>>>
>>>>> Is there any way we can rebuild corrupt Default Domain Policy and
>>>>> Default Domain Controller Policy.
>>>>>
>>>> What is broken?
>>>>
> >>> Entire Default Domain and Default Domain Controller Policies along
> >>> with other Policies that we had built are broken.
>>>
>> I have written a bash script that should do what you need and I have
>> attached a copy. I haven't tested it (never had need to), but it
>> should work, it is just a bash interpretation of the python code used
>> during provision.
>> It was written on Devuan (Debian without systemd), so if you are using
>> some other OS, or have moved sysvol (not a good idea), then you may
>> need to tweak it.
>>
>>
> >>>>> In Windows AD we can use dcgpofix utility to recreate the Default
>>>>> Domain and Domain Controller Policies. Something similar available
>>>>> in Samba AD DC?
>>>>>
>>>> You can recover the files from your backup and to reset
>>>> Sysvol/directory ACLs, run
>>>> # samba-tool ntacl sysvolreset
>>>>
> >>> I believe, samba-tool ntacl sysvolreset does not function in the manner
> >>> in which it is supposed to. I have seen many discussions on this.
>>>
>> The problem with sysvolreset isn't so much with the default policies,
>> it is with any extra policies you might add, this is further compounded
>> by giving 'Domain Admins' a gidNumber. 'Domain Admins' needs to own
>> directories in the extra policies added, it cannot do this if it has a
>> gidNumber, this is because it is then only a group and a group in Unix
>> cannot own anything.
>>
> >> In your case, after you have recreated sysvol, I would run sysvolreset,
> >> then add your other policies and then never run sysvolreset again.
>>
>> Rowland
>>
>>
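An added example, not part of the thread and not Samba's own tooling: a pre-flight check for the gidNumber condition Rowland describes, to run before `samba-tool ntacl sysvolreset`. The function name, the sample LDIF and the sam.ldb path in the comment are assumptions.

```shell
#!/bin/sh
# Added example. Reads ldbsearch-style LDIF on stdin and checks whether the
# 'Domain Admins' record carries a gidNumber attribute.
# Exit status: 0 = gidNumber present (value printed), 1 = absent,
#              2 = no 'Domain Admins' record in the input.
# The function name is hypothetical; it is not a Samba command.
domain_admins_gid_state() {
    awk '
        /^dn: / {
            in_rec = (tolower($0) ~ /^dn: cn=domain admins,/)
            if (in_rec) found = 1
            next
        }
        /^$/ { in_rec = 0; next }
        in_rec && tolower($1) == "gidnumber:" { gid = $2 }
        END {
            if (!found) exit 2
            if (gid == "") exit 1
            print gid
        }'
}

# Live use on a DC (sam.ldb path is an assumption, adjust to your install):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(sAMAccountName=Domain Admins)' gidNumber | domain_admins_gid_state

# Constructed sample input, not output from a real directory.
sample='# record 1
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
gidNumber: 10000

# returned 1 records'

if gid=$(printf '%s\n' "$sample" | domain_admins_gid_state); then
    echo "Domain Admins has gidNumber $gid: per the thread, avoid sysvolreset once extra GPOs exist"
else
    echo "No gidNumber found on Domain Admins (or record missing)"
fi
```

Exit status 2 means the search returned no 'Domain Admins' record at all, which should be treated as a failed lookup rather than as a clean result.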

