[Samba] Sysvol permission issue - how to repair permanently?
Stefan Bellon
bellon at axivion.com
Mon Apr 5 14:47:45 UTC 2021
On Mon, 05 Apr, Rowland penny via samba wrote:
> On 05/04/2021 12:55, Stefan Bellon via samba wrote:
> > If that is a correct understanding ... wouldn't one of the following
> > two ways help to remove the conflict?
> >
> > 1) I could remove the attribute gidNumber from our AD group
> > "developers" (via sam.ldb). The individual users would still have
> > the gidNumber attribute set to 100 and nslcd would assign those
> > users gid 100 and group "users" on the Linux side while in AD the
> > group "developers" would not be connected to GID 100 any more?
>
> You would also have to run 'net cache flush', but that would get
> everything back to where it should be, but anything belonging to
> developers would probably belong to 'users' after the change.
>
> >
> > 2) Or, a second way to break the conflict: Change (via idmap.ldb)
> > the xidNumber of "Domain Users" from 100 to something like
> > 3000100?
>
> That would fix it on the AD side, but developers would be mapped to
> the Unix group 'users', I would prefer option 1
I now went with option 1) ... but that didn't change anything: I
removed gidNumber 100 from AD group "developers". But still, after
changing some GPO from within RSAT on Windows, "sysvolcheck" fails. The
permissions of the changed GPO still have this diff:
--- dc1-sysvol-before.txt 2021-04-03 10:46:26.467894061 +0200
+++ dc1-sysvol-after5.txt 2021-04-05 16:26:58.277030979 +0200
@@ -643,14 +643,17 @@
other::---
# file: /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
-# owner: 3000008
-# group: 3000008
+# owner: 3000000
+# group: 100
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
+user:3000008:rwx
user:3000010:r-x
-group::rwx
+group::---
+group:100:---
+group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
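Review bot: this hunk only captures the POSIX side (owner/group ids and the `group::---` / `group:100:---` entries), whereas the sysvolcheck error quoted further down compares the NT security descriptor stored for Registry.pol with the one derived from the GPO object, and those differ in owner (BA vs DA), group (DU vs DA), the `PAR` control flags and the `OICI` inheritance flags on every ACE. A getfacl diff, or gid 100 matching "Domain Users" as the mail says it should, therefore cannot show whether the repair took; it would help to record the NT ACL as well in the before/after snapshots, for example with `samba-tool ntacl get <file> --as-sddl`.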
And thinking about it, I think this is to be expected, because the
group here is mapped via idmap.ldb from the SID of "Domain Users" and this
is mapped to xidNumber 100?
And in your last response you said this is correct. So, having "Domain
Users" on Windows actually should map to gid 100 here in the ACLs on
the GNU/Linux file system, right?
But then, why is "sysvolcheck" still unhappy?
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO
file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
from GPO object
Greetings,
Stefan
--
Stefan Bellon
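The sysvolcheck error above prints two SDDL descriptors but not what differs between them. The following is an added example, not code from the thread or from Samba: a small SDDL parser that takes the two descriptors quoted in the mail (embedded below as constants) and reports the owner, group, DACL control flag and ACE differences that make sysvolcheck reject the file. The function and class names are mine; the two-letter SID aliases are the standard SDDL abbreviations.

```python
import re
from dataclasses import dataclass

# Both descriptors are copied from the sysvolcheck error quoted in the mail above.
ACTUAL_SDDL = ("O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
               "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)"
               "(A;;0x001200a9;;;DA)")
EXPECTED_SDDL = ("O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)")

# Standard SDDL two-letter aliases for well-known SIDs.
SID_NAMES = {"DA": "Domain Admins", "DU": "Domain Users", "BA": "Builtin Administrators",
             "EA": "Enterprise Admins", "SY": "Local System", "AU": "Authenticated Users",
             "ED": "Enterprise Domain Controllers", "CO": "Creator Owner"}

# Inheritance flags on an ACE and control flags on a DACL (two-letter tokens; P is one letter).
ACE_FLAGS = {"OI", "CI", "IO", "NP", "ID", "SA", "FA"}
DACL_FLAGS = {"AR", "AI"}


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "A" = allow, "D" = deny
    flags: frozenset     # inheritance flags, e.g. {"OI", "CI"}
    rights: int          # access mask; 0x1f01ff = full control, 0x1200a9 = read & execute
    sid: str             # trustee, as SDDL alias or S-1-... string


def _tokens(text, two_letter):
    """Split a flag string such as 'OICIIO' or 'PAR' into its tokens."""
    out, i = [], 0
    while i < len(text):
        if text[i:i + 2] in two_letter:
            out.append(text[i:i + 2])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return frozenset(out)


def parse_sddl(sddl):
    """Return (owner, group, dacl_control_flags, [Ace, ...]) for an SDDL string."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = parts.get("D", "")
    control = _tokens(dacl.split("(", 1)[0], DACL_FLAGS)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, ace_flags, rights, _obj_guid, _inh_guid, sid = body.split(";")
        aces.append(Ace(ace_type, _tokens(ace_flags, ACE_FLAGS), int(rights, 16), sid))
    return parts.get("O"), parts.get("G"), control, aces


def compare(actual_sddl, expected_sddl):
    """Summarise why `actual` does not match `expected`; each key is None/empty when it matches."""
    a_owner, a_group, a_ctrl, a_aces = parse_sddl(actual_sddl)
    e_owner, e_group, e_ctrl, e_aces = parse_sddl(expected_sddl)

    def grants(aces):
        # (trustee, access mask) pairs for allow ACEs, ignoring inheritance flags
        return {(ace.sid, ace.rights) for ace in aces if ace.ace_type == "A"}

    return {
        "owner": (a_owner, e_owner) if a_owner != e_owner else None,
        "group": (a_group, e_group) if a_group != e_group else None,
        "missing_dacl_flags": sorted(e_ctrl - a_ctrl),
        "missing_aces": sorted(grants(e_aces) - grants(a_aces)),
        "unexpected_aces": sorted(grants(a_aces) - grants(e_aces)),
        # ACEs that carry neither OI nor CI will not propagate to files below the GPO folder
        "aces_not_inheritable": sum(1 for ace in a_aces if not ace.flags & {"OI", "CI"}),
    }


def describe(findings):
    """Render the findings of compare() as human-readable lines."""
    lines = []
    for key in ("owner", "group"):
        if findings[key]:
            got, want = findings[key]
            lines.append(f"{key}: is {SID_NAMES.get(got, got)}, expected {SID_NAMES.get(want, want)}")
    if findings["missing_dacl_flags"]:
        lines.append("DACL control flags missing: " + ", ".join(findings["missing_dacl_flags"]))
    for sid, mask in findings["missing_aces"]:
        lines.append(f"missing allow ACE for {SID_NAMES.get(sid, sid)} with mask {mask:#x}")
    for sid, mask in findings["unexpected_aces"]:
        lines.append(f"unexpected allow ACE for {SID_NAMES.get(sid, sid)} with mask {mask:#x}")
    if findings["aces_not_inheritable"]:
        lines.append(f"{findings['aces_not_inheritable']} ACE(s) lack OI/CI inheritance flags")
    return lines


if __name__ == "__main__":
    for line in describe(compare(ACTUAL_SDDL, EXPECTED_SDDL)):
        print(line)
```

Run against the two descriptors from the mail, the report shows that the gidNumber change cannot be enough on its own: the stored descriptor names Builtin Administrators as owner and Domain Users as group where the GPO object expects Domain Admins for both, lacks the P and AR control flags, has no Creator Owner ACE, carries an extra Builtin Administrators ACE, and none of its ACEs are marked inheritable. The same function can be pointed at the output of `samba-tool ntacl get <file> --as-sddl` to check a file after a repair.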