[Samba] Sysvol permission issue - how to repair permanently?

Stefan Bellon bellon at axivion.com
Mon Apr 5 14:47:45 UTC 2021


On Mon, 05 Apr, Rowland penny via samba wrote:
> On 05/04/2021 12:55, Stefan Bellon via samba wrote:

> > If that is a correct understanding ... wouldn't one of the following
> > two ways help to remove the conflict?
> >
> > 1) I could remove the attribute gidNumber from our AD group
> > "developers" (via sam.ldb). The individual users would still have
> > the gidNumber attribute set to 100 and nslcd would assign those
> > users gid 100 and group "users" on the Linux side while in AD the
> > group "developers" would not be connected to GID 100 any more?
> 
> You would also have to run 'net cache flush', but that would get 
> everything back to where it should be, but anything belonging to 
> developers would probably belong to 'users' after the change.
> 
> >
> > 2) Or, a second way to break the conflict: Change (via idmap.ldb)
> > the xidNumber of "Domain Users" from 100 to something like
> > 3000100?
> 
> That would fix it on the AD side, but developers would be mapped to
> the Unix group 'users', I would prefer option 1

I now went with option 1) ... but that didn't change anything: I
removed gidNumber 100 from AD group "developers". But still, after
changing some GPO from within RSAT on Windows, "sysvolcheck" fails. The
permissions of the changed GPO still have this diff:

--- dc1-sysvol-before.txt       2021-04-03 10:46:26.467894061 +0200
+++ dc1-sysvol-after5.txt       2021-04-05 16:26:58.277030979 +0200
@@ -643,14 +643,17 @@
 other::---
 
 # file: /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
-# owner: 3000008
-# group: 3000008
+# owner: 3000000
+# group: 100
 user::rwx
 user:3000002:rwx
 user:3000003:r-x
 user:3000006:rwx
+user:3000008:rwx
 user:3000010:r-x
-group::rwx
+group::---
+group:100:---
+group:3000000:rwx
 group:3000002:rwx
 group:3000003:r-x
 group:3000006:rwx
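Review bot: the owner/group lines in this hunk are the real change to look at: the file moves from uid/gid 3000008/3000008 to owner 3000000 and plain gid 100, and the group class entry flips from `group::rwx` to `group::---` with an explicit `group:100:---` added, so whatever gid 100 maps to (the post says Domain Users via idmap.ldb) now gets nothing through the POSIX group entry while `group:3000000:rwx` carries that access instead. This lines up with the sysvolcheck error further down, where the actual descriptor has `G:DU` as group and the expected one has `G:DA`, so the mismatch being reported is in the descriptor's owner and group (and the missing inheritance flags), not only in the gidNumber conflict discussed earlier.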

And thinking about it, I think this is to be expected, because the
group here is mapped via idmap.ldb from SID of "Domain Users" and this
is mapped to xidNumber 100?

And in your last response you said this is correct. So, having "Domain
Users" on Windows actually should map to gid 100 here in the ACLs on
the GNU/Linux file system, right?

But then, why is "sysvolcheck" still unhappy?

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO
file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
from GPO object


Greetings,
Stefan

-- 
Stefan Bellon
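To see exactly which parts of the two descriptors in the sysvolcheck error differ, here is an added Python example (not from the thread and not Samba's own code) that parses the actual and expected SDDL strings quoted above and diffs owner, group, DACL control flags and ACEs; the `ignore_ace_flags` switch is an assumption of this helper, used to separate the missing OICI inheritance flags from trustee and mask differences.

```python
import re

# The two descriptors from the sysvolcheck error in the post, split for readability.
ACTUAL = ("O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)")

# O:<owner>G:<group>D:<dacl flags>(<ace>)(<ace>)...; SACL (S:) is not present here.
SDDL_RE = re.compile(r"^O:(?P<owner>[\w-]+?)G:(?P<group>[\w-]+?)D:(?P<flags>[A-Z]*)(?P<aces>.*)$")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs.
    Each ACE becomes (type, ace_flags, access_mask, trustee); object GUID fields are dropped."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, trustee = body.split(";")
        aces.append((ace_type, ace_flags, int(rights, 16), trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags"), "aces": aces}


def diff_sddl(actual, expected, ignore_ace_flags=False):
    """Return what differs between the on-disk descriptor and the one sysvolcheck expects.
    ACEs are compared as sets (order is irrelevant); with ignore_ace_flags the OI/CI/IO
    inheritance flags are blanked so only trustee and access-mask differences remain."""
    a, e = parse_sddl(actual), parse_sddl(expected)

    def key(ace):
        ace_type, ace_flags, mask, trustee = ace
        return (ace_type, "" if ignore_ace_flags else ace_flags, mask, trustee)

    out = {k: (a[k], e[k]) for k in ("owner", "group", "flags") if a[k] != e[k]}
    a_set, e_set = {key(x) for x in a["aces"]}, {key(x) for x in e["aces"]}
    out["missing_aces"] = sorted(e_set - a_set)  # expected but absent on disk
    out["extra_aces"] = sorted(a_set - e_set)    # on disk but not expected
    return out


if __name__ == "__main__":
    for k, v in diff_sddl(ACTUAL, EXPECTED, ignore_ace_flags=True).items():
        print("%-13s %s" % (k + ":", v))
```

With inheritance flags ignored, the remaining differences are the owner (BA vs DA), the group (DU vs DA), the missing PAR flags, a missing CREATOR OWNER (CO) entry and an extra BUILTIN\Administrators (BA) entry; with flags compared, every ACE differs because none on disk carries OICI.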
