[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

L.P.H. van Belle belle at bazuin.nl
Thu Jan 23 15:53:08 UTC 2020


Ah, OK, I misread that.

So it's something in the DB.

Are the SePrivileges checked?

I use something like this for that. 

SEPRIVILEGE="SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege \
SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege \
SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege \
SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege \
SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \
SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
SeEnableDelegationPrivilege"

kinit Administrator

for sepriv in $SEPRIVILEGE ; do
    # For a member server.
    net rpc rights list privileges "$sepriv" -S "$(hostname -f)" -k

    # samba-tool dsacl get ?
    # (I never had to check that, so the above command but then for AD DCs.)
done
kdestroy 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Thursday 23 January 2020 16:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] Administrator lost write privileges to
> sysvol (Can't add/edit anything using RSAT Tools)
> 
> On 23/01/2020 15:06, L.P.H. van Belle via samba wrote:
> > I haven't read the complete thread, but was "Create Group"
> > set on the share?
> >
> > What does getfacl say on the file/folder?
> >
> > Deny is preferred over Allow.
> >
> > Your setup on sysvol shows :
> > getfacl /usr/local/samba/var/locks/sysvol
> > getfacl: Removing leading '/' from absolute path names
> > # file: usr/local/samba/var/locks/sysvol
> > # owner: 3000000
> > # group: 3000000
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000001:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > group::rwx
> > group:3000000:rwx
> > group:3000001:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000001:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:group::r-x
> > default:group:3000000:rwx
> > default:group:3000001:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::rwx
> >
> > Compared to mine.
> > # file: home/samba/sysvol
> > # owner: root
> > # group: root
> > # flags: -s-
> > user::rwx
> > user:root:rwx
> > user:BUILTIN\\administrators:rwx
> > user:BUILTIN\\server\040operators:r-x
> > user:NT\040AUTHORITY\\system:rwx
> > user:NT\040AUTHORITY\\authenticated\040users:r-x
> > group::rwx
> > group:BUILTIN\\administrators:rwx
> > group:BUILTIN\\server\040operators:r-x
> > group:NT\040AUTHORITY\\system:rwx
> > group:NT\040AUTHORITY\\authenticated\040users:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:BUILTIN\\administrators:rwx
> > default:user:BUILTIN\\server\040operators:r-x
> > default:user:NT\040AUTHORITY\\system:rwx
> > default:user:NT\040AUTHORITY\\authenticated\040users:r-x
> > default:group::---
> > default:group:BUILTIN\\administrators:rwx
> > default:group:BUILTIN\\server\040operators:r-x
> > default:group:NT\040AUTHORITY\\system:rwx
> > default:group:NT\040AUTHORITY\\authenticated\040users:r-x
> > default:mask::rwx
> > default:other::---
> > default:other::---
> >
> > You see the differences..
> >
> > I think it's mostly share of ACL rights that need to be corrected.
> >
> >
> Hi Louis, I don't think the problem has anything to do with sysvol
> (though I am open to having my mind changed), the problem seems to have
> something to do with Administrator no longer being able to write to AD
> from ADUC.
> 
> Rowland
> 
> 
> 
> 
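The differences between the two getfacl listings quoted above, as an added example that is not part of the original message or of Samba: the hypothetical helper acl_findings flags "other" entries that grant access and named entries shown as bare numeric IDs. The sample listings are shortened excerpts constructed from the two listings in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; sample data is a shortened excerpt.

# acl_findings: read getfacl output on stdin; print one line per
#   - access/default "other" entry that grants any permission
#   - named user/group entry that is shown as a bare numeric ID
acl_findings() {
    awk -F: '
        /^# file: /        { file = substr($0, 9); next }
        /^#/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]+#.*$/, "")   # drop "#effective:" notes (re-splits fields)
            scope = "access"; i = 1
            if ($1 == "default") { scope = "default"; i = 2 }
            tag = $i; who = $(i + 1); perms = $NF
            if (tag == "other" && perms != "---")
                printf "%s: %s other grants %s\n", file, scope, perms
            else if ((tag == "user" || tag == "group") && who ~ /^[0-9]+$/)
                printf "%s: %s %s entry is numeric id %s\n", file, scope, tag, who
        }'
}

sample_reported() {   # excerpt of the first listing in the thread
    cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
# owner: 3000000
user::rwx
user:3000001:r-x
group:3000000:rwx
other::r-x
default:user:3000002:rwx
default:other::rwx
EOF
}

sample_reference() {  # excerpt of the second listing in the thread
    cat <<'EOF'
# file: home/samba/sysvol
user::rwx
user:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\system:rwx
other::---
default:group::---
default:other::---
EOF
}

sample_reported  | acl_findings
sample_reference | acl_findings   # no findings for the reference listing
```

On a live system the same function can be fed directly, for example `getfacl -R /path/to/sysvol | acl_findings`.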



