[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

Rowland penny rpenny at samba.org
Fri Jan 24 16:58:01 UTC 2020

On 24/01/2020 16:05, Darren Conte via samba wrote:
> I do not have a "UNIX Attributes" tab in ADUC.
> I am not using any linux domain workstations/members and do not have the
> setting "idmap_ldb:use rfc2307 = yes" in smb.conf [Global].  Should I apply
> this setting to see what exists? Or is there a command I can run to check
> for 'uidNumber' attribute?

How was the domain configured in the first place?

If it wasn't provisioned to use rfc2307 attributes, you possibly do not 
have the ypServ30.ldif installed. Do the other DCs have the 
'idmap_ldb:use rfc2307 = yes' line?

> Louis,
> My getfacl might seem different to yours but it's similar to 3 other
> installations of samba 4.11.4 I have at other client locations. You have
> the BUILTIN\Group Names spelled out and I have the gids
This is probably because Louis will have 'winbind' set in the 'passwd' & 
'group' lines in /etc/nsswitch.conf
> Wouldn't the 3000000 allow me WRITE access and the ability to change ACLs
> via Windows?  This is what's perplexing.
You only see the numbers because they are not being mapped to Unix users 
& groups
> Plus, this also should have been re-applied when I re-installed 4.11.4 with
> commands below, correct?
Wrong, the only things that get replaced are the various programs & libs
> ./configure --enable-debug --enable-selftest
> make && make install
> samba-tool dbcheck --cross-ncs --fix
> reboot
> Again, I incorrectly removed the 'Domain Admins' Group from a delegated
> User in their 'Members of' attribute in ADUC, and when I closed ADUC, I
> lost all WRITE permissions as the DOMAIN\Administrator to everything. Which
> means I cannot change anything in ADUC, GPO or the ACL permissions to the
> sysvol directory from Windows.
> I think it's a combo of both sysvol permissions, but driven more by what
> Rowland is saying, a db issue. If there wasn't a db issue, I would think I
> could change sysvol permissions.
I think that the sysvol permissions are a symptom, not a reason
> Losing my mind here. :-/  Can we just replace the db's?
> I have a full-backup (.bz2) from the day before this occurred,
Problem is, they will be a backup of the particular DC and out of date
> but do not
> want to go through the entire restore process which will disrupt the work
> location and the samba 4.9+ restore seems complicated to me anyhow.
The new backup process was introduced because it is more reliable and 
will backup the domain, the downside is that you would have to demote 
all DCs, install the backup on one machine and then join the other DCs again.
> BTW,
> the restore process prior to 4.9, where I could simply stop samba, untar
> .bz2 files, and replace everything with a few commands, would be super
> useful right now. Please bring that back guys.
I am very sure the old way will not be coming back.
> Is there a simple way to restore the database files without bringing down
> the site for an extended period of time doing an entire restore? It's a
> very busy office with users in many global locations.   I say that because
> since I do not have WRITE access to anything, nothing has changed.

If it is just one DC, then demote and remove that DC.

Try comparing all your DCs, is there anything on one DC (Samba-wise) 
that isn't on the others?
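The point above about numeric ids in getfacl output, as an added example that is not part of this reply or of the Samba project: a small Python check that flags ACL entries still shown as raw ids (the DC allocates its local xidNumbers from 3000000 upwards) and tests whether nsswitch.conf actually hands passwd and group lookups to winbind. The getfacl and nsswitch.conf texts are constructed samples.

```python
import re

# Constructed getfacl output modelled on the thread: raw ids appear where
# names would if nsswitch resolved them through winbind.
SAMPLE_GETFACL = """\
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:3000000:rwx
group::rwx
group:3000000:rwx
group:3000003:r-x
group:BUILTIN\\administrators:rwx
mask::rwx
other::---
"""

# Constructed nsswitch.conf without winbind on the passwd/group lines.
SAMPLE_NSSWITCH = """\
passwd: files systemd
group:  files systemd
shadow: files
"""

def unmapped_acl_ids(getfacl_text):
    """Return (kind, id) for named user/group ACL entries that are still numeric."""
    found = []
    for line in getfacl_text.splitlines():
        m = re.match(r"^(user|group):([^:]+):", line)
        if m and m.group(2).isdigit():
            found.append((m.group(1), int(m.group(2))))
    return found

def nss_uses_winbind(nsswitch_text):
    """True only if both the passwd and group databases list winbind."""
    dbs = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return all("winbind" in dbs.get(db, []) for db in ("passwd", "group"))

def diagnose(getfacl_text, nsswitch_text):
    """Explain why getfacl shows numbers instead of names, if it does."""
    if not unmapped_acl_ids(getfacl_text):
        return "all ACL principals resolve to names"
    if not nss_uses_winbind(nsswitch_text):
        return "numeric ids: winbind missing from passwd/group in nsswitch.conf"
    return "numeric ids although nsswitch lists winbind: winbind itself is not mapping them"
```

Run it against the real `getfacl /path/to/sysvol` output and `/etc/nsswitch.conf` on each DC to compare them, which is the cross-DC comparison suggested above.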
