[Samba] Sysvol reset

me at tdiehl.org
Mon Sep 9 12:15:21 UTC 2019

Hi Rowland,

On Fri, 6 Sep 2019, Rowland penny via samba wrote:

> On 06/09/2019 20:54, me at tdiehl.org wrote:
>>  On Fri, 6 Sep 2019, Rowland penny via samba wrote:
>>>  On 06/09/2019 17:05, Tom Diehl via samba wrote:
>>>>  Hi Louis,
>>>>  On Fri, 6 Sep 2019, L.P.H. van Belle via samba wrote:
>>>>>  Hai,
>>>>>  Try the script, make backups of your sysvol first.
>>>>>  The script shows the correct settings, these are duplicated from a
>>>>>  windows 2008R2 server.
>>>>>  But here you go, the ms link to verify your settings.
>>>>>  https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
>>>>  Thanks for the link. I like pictures. :-)
>>>>>  But I must also say, start with upgrading your samba-ad-dc's.
>>>>  I plan to upgrade but I was thinking I should fix the sysvol problems
>>>>  before making more changes. Are you saying I should upgrade first? Is there a
>>>>  compelling reason to upgrade past 4.9.latest at this time?
>>>>  Regards,
>>>  Samba has three levels of support for each minor version, spread over 18
>>>  months:
>>>  Fully supported for first six months
>>>  Maintenance fixes for the next six months
>>>  Security fixes only for the last six months
>>>  4.9.x is in maintenance mode at the moment, but 4.11.0 is fairly imminent
>>>  and, when it is released, 4.9.x will drop into security fixes only (4.8.x
>>>  will go EOL at this time)
>>>  That is the reason to upgrade to the highest version possible, plus you
>>>  will get numerous fixes that have been added to 4.10.x
>>  Right, I get that. The problem for me is that at this time, anything past
>>  4.9.latest is going to require either switching to a distro I know nothing
>>  about (One of the Debian variants but which one?) or figuring out the python3
>>  crap on CentOS 7 or wait for CentOS 8. Hopefully once CentOS 8 is a real thing
>>  there will be a list of required packages to build samba like there is
>>  with CentOS 7. Hence my hesitation with moving past 4.9.x at this time.
>>  I expect that will change in the next few weeks.
>>  Now if you said there was some bug fix in 4.10 that would get group policy
>>  working again, I would most likely bite the bullet and go for it since you are
>>  after all one of the samba gods. :-)
> First time anybody's called me that ;-)
>>  One question I do have is, is it expected that if I try to run gpresult as
>>  administrator that I get an error that says "The user SAMDOM\Administrator
>>  does not have RSOP data"?
> Louis is the Windows expert here, but I think that is just because 
> Administrator hasn't logged into the system.
>>  Also, in the gpmc if I try to run the "group policy modeling wizard" I get
>>  an error that says "The rpc server is unavailable". Is that also expected or
>>  do I have other issues?
> Sort of, it doesn't happen all the time and not for everyone, but normally 
> just pressing 'OK' is enough.
>>  The server services in smb.conf is as follows:
>>  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>  winbindd, ntp_signd, kcc, dnsupdate
>>  If I read this correctly, rpc should be available. Is this correct?
> Yes, but I don't think Samba is the problem, well, not in that way. I think 
> Windows checks for the RPC server in a way that Samba doesn't understand, or 
> Samba replies in a way that Windows doesn't understand, but either way, once 
> you have got past that message box, it usually works.

Unfortunately, it will not let me get past the message box. If I click OK it

>>  TBH, when it comes to windows tools I am never sure what is supposed to
>>  work with Samba and what does not.
> Not by yourself there, I prefer the Command line.

So do I. The problem I have is what is the command line equivalent of adsi edit?
If it is ldb search/edit/delete, how does one figure out the correct
incantation to add/delete/modify things?

For instance, I have the following record:

# record 4009
dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
objectClass: top
objectClass: site
cn: Default-First-Site-Name
instanceType: 4
whenCreated: 20061005105708.0Z
whenChanged: 20061005105708.0Z
uSNCreated: 3742
showInAdvancedViewOnly: TRUE
name: Default-First-Site-Name
objectGUID: 206ddbbb-14cf-4f37-bb66-1f2d07bac717
systemFlags: 1107296256
objectCategory: CN=Site,CN=Schema,CN=Configuration,DC=mydomain,DC=com
uSNChanged: 10210
msExchServerSiteBL: CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIB
  OHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Servi
distinguishedName: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pht

Is there a document that explains all of this in a manner that mere mortals can

The above server no longer exists. It died before I could remove it gracefully
so I am left with a mess that I think the only way to clean it up is to
remove the remaining records by hand.

I normally would not care that these orphaned records are there except that
when I run samba-tool dbcheck --cross-ncs --fix I get 316 errors and none of
them get repaired. Most if not all appear to be related to the dead server.
For the record adsi edit will only let me look at the records. If I try to
delete/modify anything, I get an error that says "Operation Failed error code
0x202c. the server does not support the requested critical extensions"

In case it is useful in fixing the problem the following is a sample of the output
of samba-tool dbcheck --cross-ncs --fix:

WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com - B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=mydomain,DC=com
Not removing dangling one-way cross-partition link (we might be mid-replication)


Fix nTSecurityDescriptor on CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'


Fix nTSecurityDescriptor on CN=RpcServices,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'

Checked 9880 objects (316 errors)

As you can see it says that it is fixing things but if I run it again, I get the same results.



Tom			me at tdiehl.org
