[Samba] samba Digest, Vol 205, Issue 28
darren.conte at volereservices.com
Tue Jan 28 17:31:31 UTC 2020
> ---------- Forwarded message ----------
> From: Rowland penny <rpenny at samba.org>
> To: samba at lists.samba.org
> Date: Mon, 27 Jan 2020 15:08:57 +0000
> Subject: Re: [Samba] Administrator lost write privileges to sysvol (Can't
> add/edit anything using RSAT Tools)
> On 27/01/2020 14:49, Darren Conte via samba wrote:
> >> Perhaps I should have been more explicit, If you have more than one DC
> > in a domain and only one of those is giving problems, then demote the
> > problem DC, but if you have only DC (which isn't recommended) then you
> > have problems,.
> >> As I said, Sysvol is only used for GPOs and Administrator not being able
> > to write to it is not the fault, but a symptom.
> >> Can you log into a Windows PC as Administrator, connect to a share on a
> > Unix machine as Administrator and create a file. Then go to the Unix
> > machine and see who the file was saved as.
> >> Rowland
> > Rowland - I logged onto a PC as DOMAIN\Administrator and created the two
> > items below from Windows. As you can see the owner is 'root'.
> > root at server:/Shares/Pool# ls -la | grep 'Fred'
> > drwxrwsrwx+ 2 root users 4096 Jan 27 08:26 Fred
> > -rwxrwxrwx+ 1 root users 8458 Jan 27 08:26 Fred.odt
> Good, this is what I expected and shows that Administrator is being
> mapped to 'root'
> > When other 'Domain Users' create content within /Shares/Pool, owner = UID
> > (respectively).
> > drwxrwsrwx+ 4 3000027 users 4096 Jan 27 08:27 Test_Folder
> > My issue only stems around DOMAIN\Administrator, here's why. As a test,
> > logged in as another Delegated User who was a 'Member of' the Domain
> > group. What is strange, is that username has full WRITE privileges to
> > and GPO, and can add/edit all objects (which is expected). So, I
> > successfully added my username to the 'Members' of Domain Admins, logged
> > out and was successfully able to verify that I have full WRITE privileges
> > too. So again, it seems like removing 'Rodolfo' from 'Domain Admins'
> > incorrectly only seemed to corrupt DOMAIN\Administrator since that was
> > username I was performing the task from.
> This is very strange, is Administrator a member of Domain Admins ? or
> did you change 'Administrator' to 'Rodolfo' ? (those may actually be the
> same question)
Nope - I have never touched Administrator. Rodolfo was added as a normal
user, delegated incorrectly to 'Domain Admins' then removed incorrectly
from 'Domain Admins'.
> > If that is the case, do you think if I logon as my Delegated User, remove
> > DOMAIN\Administrator from 'Members' in Domain Admins group, reboot then
> > re-add it back in, might straighten out the corruption? I don't know if
> > there would be downstream issues, so I am looking for your input before I
> > do-so. Let me know your thoughts?
> It should show in Domain Admins like this:
> member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> It does.
> And 'Domain Admins' should be a member of 'Administrators'
> It is.
> Can you dump the following objects from AD, sanitise them and then post
> ldbsearch -H /usr/local/samba/private/sam.ldb -b $(echo dc=$(hostname -d)
| sed 's/\./,dc=/g') -s sub '(&(objectClass=group)(cn=Administrators))'
# record 1
member: CN=Enterprise Admins,CN=Users,DC=SAMDOM,DC=net
member: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
> root at server:/# samba-tool user show administrator
description: Built-in account for administering the computer/domain
memberOf: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Schema Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Enterprise Admins,CN=Users,DC=SAMDOM,DC=net
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=SAMDOM,DC=net
> CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
> root at server:/# samba-tool group show 'Domain Admins'
dn: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
cn: Domain Admins
description: Designated administrators of the domain
name: Domain Admins
sAMAccountName: Domain Admins
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SAMDOM,DC=
distinguishedName: CN=Domain Admins,CN=Users,DC=SAMDOM,DC=net
> One other thing, can you please reply to the mailing list, I do not know
> what you are actually doing, but it is breaking the thread ;-)
> Thanks again,
> samba mailing list
> samba at lists.samba.org
More information about the samba