[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

Rowland penny rpenny at samba.org
Sun Jan 26 17:48:44 UTC 2020

On 26/01/2020 17:05, Darren Conte via samba wrote:
> Rowland, thanks for the replies.
>> How was the domain configured in the first place ?
> samba-tool domain provision --realm=SAMDOM.COM --domain=SAMDOM
> --adminpass="SOME_PASSWD" --server-role=dc –-dns-backend=SAMBA_INTERNAL
To use RFC2307 attributes, it is recommended that you add 'idmap_ldb:use 
rfc2307 = Yes' to your DCs smb.conf (note: this not required on a Unix 
domain member)
>> If it wasn't provisioned to use rfc2307 attributes, you possibly do not
> have the ypServ30.ldif installed, do the other DCs have the
> 'idmap_ldb:use rfc2307 = yes' line ?
> No, none of the other sites that I administer have the 'idmap_ldb:use rfc
> 2307 = yes' line, either.
>> Is there a simple way to restore the database files without bringing down
>> the site for an extended period of time doing an entire restore? It's a
>> very busy office with users in many global locations.   I say that because
>> since I do not have WRITE access to anything, nothing has change>d.
>> Is it just one DC, then demote and remove that DC.
> Yes, there is one only DC at this location with 5 Win10Pro PCs.
>> Try comparing all your DCs, is there anything on the other DCs (Samba
> wise) that isn't on the others ?
> I have compared each site and I do not see any material differences with
> the exception of number of client workstations. syvol permissions are
> identitical (it seems), as stated in my original post (both getfacl and
> --as-sddl).  Each site has one production DC, which is also used as a file
> server. 5-18 Win10 Pro clients joined to the domain. No linux clients, no
> 'idmap_ldb:use rfc 2307 = yes' line used.
>> Rowland
> Your help with the exact add, demote and removal steps would be
> appreciated.  Its a live production site so I'm worried that I do not fully
> understand how I can demote and remove the only DC and still connect using
> RSAT. Could you give more detail on step-by-steps you recommend?  I read
> the wiki but when I read: "You should never use the 'samba-tool domain
> backup/restore' commands to recover an individual DC.", I'm confused why.
> What am I missing?
> Darren

Perhaps I should have been more explicit, If you have more than one DC 
in a domain and only one of those is giving problems, then demote the 
problem DC, but if you have only DC (which isn't recommended) then you 
have problems,.

As I said, Sysvol is only used for GPOs and Administrator not being able 
to write to it is not the fault, but a symptom.

Can you log into a Windows PC as Administrator, connect to a share on a 
Unix machine as Administrator and create a file. Then go to the Unix 
machine and see who the file was saved as.


More information about the samba mailing list