[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)
Rowland penny
rpenny at samba.org
Sun Jan 26 17:48:44 UTC 2020
On 26/01/2020 17:05, Darren Conte via samba wrote:
> Rowland, thanks for the replies.
>
>> How was the domain configured in the first place ?
> samba-tool domain provision --realm=SAMDOM.COM --domain=SAMDOM
> --adminpass="SOME_PASSWD" --server-role=dc --dns-backend=SAMBA_INTERNAL
To use RFC2307 attributes, it is recommended that you add 'idmap_ldb:use
rfc2307 = Yes' to your DCs' smb.conf (note: this is not required on a Unix
domain member).
>
>> If it wasn't provisioned to use rfc2307 attributes, you possibly do not
>> have the ypServ30.ldif installed, do the other DCs have the
>> 'idmap_ldb:use rfc2307 = yes' line ?
>
> No, none of the other sites that I administer have the 'idmap_ldb:use rfc
> 2307 = yes' line, either.
>
>>> Is there a simple way to restore the database files without bringing down
>>> the site for an extended period of time doing an entire restore? It's a
>>> very busy office with users in many global locations. I say that because
>>> since I do not have WRITE access to anything, nothing has changed.
>>
>> Is it just one DC, then demote and remove that DC.
> Yes, there is one only DC at this location with 5 Win10Pro PCs.
>
>> Try comparing all your DCs, is there anything on the other DCs (Samba
>> wise) that isn't on the others ?
>
> I have compared each site and I do not see any material differences with
> the exception of number of client workstations. sysvol permissions are
> identical (it seems), as stated in my original post (both getfacl and
> --as-sddl). Each site has one production DC, which is also used as a file
> server. 5-18 Win10 Pro clients joined to the domain. No linux clients, no
> 'idmap_ldb:use rfc 2307 = yes' line used.
>
>> Rowland
> Your help with the exact add, demote and removal steps would be
> appreciated. It's a live production site so I'm worried that I do not fully
> understand how I can demote and remove the only DC and still connect using
> RSAT. Could you give more detail on the step-by-steps you recommend? I read
> the wiki but when I read: "You should never use the 'samba-tool domain
> backup/restore' commands to recover an individual DC.", I'm confused why.
> What am I missing?
>
> Darren
Perhaps I should have been more explicit. If you have more than one DC
in a domain and only one of those is giving problems, then demote the
problem DC, but if you have only one DC (which isn't recommended) then you
have problems.
As I said, Sysvol is only used for GPOs and Administrator not being able
to write to it is not the fault, but a symptom.
Can you log into a Windows PC as Administrator, connect to a share on a
Unix machine as Administrator and create a file? Then go to the Unix
machine and see who the file was saved as.
Rowland