[Samba] GPO fail and sysvol perm errors
rpenny at samba.org
Sun Oct 25 19:31:27 UTC 2020
On 25/10/2020 19:21, Sonic wrote:
> On Sun, Oct 25, 2020 at 2:38 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> So '5035' is a computer, but what is '3000011' ?
>> You can find out by running this on the DC:
>> ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
> # ldbsearch -H /usr/local/samba/private/idmap.ldb
> # record 1
> dn: CN=S-1-5-21-546846319-217595157-9522986-1328
> cn: S-1-5-21-546846319-217595157-9522986-1328
> objectClass: sidMap
> objectSid: S-1-5-21-546846319-217595157-9522986-1328
> type: ID_TYPE_BOTH
> xidNumber: 3000011
> distinguishedName: CN=S-1-5-21-546846319-217595157-9522986-1328
> # returned 1 records
> # 1 entries
> # 0 referrals
> S-1-5-21-546846319-217595157-9522986-1328 is the sid of the Windows 10
> pro client I'm using to manage the domain.
>> Once you find out that, you should then be able to find out why the two
>> are being denied access, by examining the permissions on sysvol.
> Permissions on sysvol are:
> drwxrwx---+ 4 root 3000000
> Compared with another domain's DC (which has no GPO issues):
> drwxrws---+ 1 root 3000000
> Looks like sgid is set on one and not the other. I have not touched
> those permissions. If sgid is needed shouldn't the classic upgrade
> have handled that?
> Should I add the sgid to sysvol and its subdirectories (that's how it
> is on the working domain) or is this just a difference in the two
> releases (the working domain is running 4.10.16)?
OK, if you look at the end of the permissions, there is a '+' sign; this
shows that extended ACLs are set. To see these:
You can also see the extended ACLs with:
samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
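
The two lookups discussed in this thread can be combined in a short script. This is an added example, not part of the original message or of Samba: it resolves an xidNumber to its SID from saved `ldbsearch` output, then lists the DACL entries in an SDDL string that name that SID explicitly. The sample inputs and all function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the ldbsearch output quoted in the thread.
LDB_OUTPUT = """\
# record 1
dn: CN=S-1-5-21-546846319-217595157-9522986-1328
objectClass: sidMap
objectSid: S-1-5-21-546846319-217595157-9522986-1328
type: ID_TYPE_BOTH
xidNumber: 3000011
# returned 1 records
"""

# Constructed SDDL string (not the real sysvol descriptor from this thread).
SDDL = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"
        "(A;OICI;0x1200a9;;;S-1-5-21-546846319-217595157-9522986-1328)"
        "(A;OICI;FA;;;SY)")


def xid_to_sid(ldif):
    """Map xidNumber -> objectSid for every sidMap record in ldbsearch output."""
    mapping = {}
    for record in re.split(r"^# record \d+\s*$", ldif, flags=re.M):
        attrs = dict(re.findall(r"^(\w+): (.+)$", record, flags=re.M))
        if "xidNumber" in attrs and "objectSid" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping


def dacl_aces(sddl):
    """Split the D: (DACL) component of an SDDL string into its ACEs."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(2)):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "trustee": fields[5]})
    return aces


def explicit_aces(sddl, sid):
    """ACEs naming this SID directly; group and well-known trustees are not expanded."""
    return [ace for ace in dacl_aces(sddl) if ace["trustee"] == sid]


if __name__ == "__main__":
    sid = xid_to_sid(LDB_OUTPUT)[3000011]
    for ace in explicit_aces(SDDL, sid):
        print(sid, ace)
```

An empty result from `explicit_aces` only means the SID has no entry of its own; two-letter trustees such as `AU` or `BA` are aliases for well-known SIDs and still have to be checked by hand.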