[Samba] GPO fail and sysvol perm errors

Rowland penny rpenny at samba.org
Sun Oct 25 19:31:27 UTC 2020


On 25/10/2020 19:21, Sonic wrote:
> On Sun, Oct 25, 2020 at 2:38 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> So '5035' is a computer, but what is '3000011' ?
>> You can find out by running this on the DC:
>> ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
> ===================================
> # ldbsearch -H /usr/local/samba/private/idmap.ldb
> '(&(objectClass=sidMap)(xidNumber=3000011))'
> # record 1
> dn: CN=S-1-5-21-546846319-217595157-9522986-1328
> cn: S-1-5-21-546846319-217595157-9522986-1328
> objectClass: sidMap
> objectSid: S-1-5-21-546846319-217595157-9522986-1328
> type: ID_TYPE_BOTH
> xidNumber: 3000011
> distinguishedName: CN=S-1-5-21-546846319-217595157-9522986-1328
>
> # returned 1 records
> # 1 entries
> # 0 referrals
> ===================================
> S-1-5-21-546846319-217595157-9522986-1328 is the sid of the Windows 10
> pro client I'm using to manage the domain.
> ===================================
>> Once you find out that, you should then be able to find out why the two
>> are being denied access, by examining the permissions on sysvol.
> Permissions on sysvol are:
> drwxrwx---+ 4 root 3000000
>
> Compared with another domain's DC (which has no GPO issues):
> drwxrws---+ 1 root 3000000
>
> Looks like sgid is set on one and not the other. I have not touched
> those permissions. If sgid is needed shouldn't the classic upgrade
> have handled that?
> Should I add the sgid to sysvol and its subdirectories (that's how it
> is on the working domain) or is this just a difference in the two
> releases (the working domain is running 4.10.16)?
>
> Chris

OK, if you look at the end of the permissions, there is a '+' sign; this
shows that extended ACLs are set. To see these:

getfacl /usr/local/samba/var/locks/sysvol

You can also see the extended ACLs with:

samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl

Rowland
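
As an added example (not part of the original post or of Samba itself): a shell helper that reads `getfacl -n` output and reports the effective permissions a numeric xid such as 3000011 holds, both as a named user and as a named group since the mapping is ID_TYPE_BOTH, after the ACL mask is applied. The function name `acl_effective` and the sample ACL are constructed for illustration.

```shell
#!/bin/sh
# Real use: getfacl -n /usr/local/samba/var/locks/sysvol | acl_effective 3000011
# acl_effective ID: print the effective access-ACL permissions ID holds as a
# named user and as a named group, i.e. the entry ANDed with the mask.
acl_effective() {
    awk -F: -v id="$1" '
        function masked(p, m,   i, c, out) {
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-")
            }
            return out
        }
        /^#/ || /^default:/ || NF < 3 { next }   # skip header and default ACL
        { perm = substr($3, 1, 3) }              # drop any "#effective:" suffix
        $1 == "mask"              { mask = perm }
        $1 == "user"  && $2 == id { u = perm }
        $1 == "group" && $2 == id { g = perm }
        END {
            if (mask == "") mask = "rwx"         # no mask entry: nothing to apply
            printf "user:%s group:%s\n", (u == "" ? "none" : masked(u, mask)), (g == "" ? "none" : masked(g, mask))
        }'
}

# Constructed sample (not taken from the thread): the xid is granted rwx as a
# user and as a group, but the mask limits named entries to r-x.
sample_acl() {
    cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: 3000000
user::rwx
user:3000011:rwx
group::rwx
group:3000000:rwx
group:3000011:rwx
mask::r-x
other::---
default:user:3000011:rwx
default:mask::rwx
EOF
}

sample_acl | acl_effective 3000011   # user:r-x group:r-x
sample_acl | acl_effective 5035      # user:none group:none
```

This reads only the POSIX ACL; the NT ACL reported by `samba-tool ntacl get` is stored separately and has to be compared on its own.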




