[Samba] sysvol rights error and how to correct it.
karel.de.macil at free.fr
Fri Jan 8 12:48:01 UTC 2021
Hi all,
Having some trouble with my Samba 4 AD GPOs, I launched a sysvol
reset BEFORE reading that it was wrong.
I'm attempting to fix things now following this page:
https://wiki.samba.org/index.php/Sysvolreset
but things don't go well and I'm stuck.
My AD has two DCs:
- 1: a Debian 8.11 jessie with Samba 4.2.14
- 2: a Debian bullseye with Samba 4.13.2
The current situation is:
- any attempt to create a new GPO gets a "Group Policy Object Creation
Failed - This security ID may not be assigned as the owner of this
object" message
- when I try to change folder permissions on sysvol for the second DC
from a Windows computer, the permissions display instantly resets to no
permissions as soon as I apply them, BUT they still appear in the advanced
permissions management window...
- when I go to my /var/lib/samba/sysvol/domain/Policies directory I
have something like this:
drwxrwxr--+ 5 3000008 3000008 4,0K Sep 24 2014 {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
drwxrwxr--+ 4 10001   20012   4,0K May 21 2019 {D2391757-C80E-4063-852F-990A3BBEC517}
drwxrwxr--+ 4 3000008 3000008 4,0K May  9 2014 {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
drwxrwxr--+ 4 10001   20012   4,0K Jul  3 2015 {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}
wbinfo --gid-to-sid=3000008
S-1-5-21-2718981395-2814295682-4030710678-512
wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
Domain\Domain Admins 2
wbinfo --gid-to-sid=20012
S-1-5-21-2718981395-2814295682-4030710678-512
wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
Domain\Domain Admins 2
wbinfo --gid-to-sid=10001
S-1-22-2-10001
wbinfo --sid-to-name=S-1-22-2-10001
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-22-2-10001
wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
20012
Strange...
So, my questions are:
- is there a way to fix the "two GIDs leading to the same SID" thing? Any
clue on what has led to a change?
- should I change the owner of the GPOs I have with the 10001 user,
considering the fact that this corresponds to no real user?
- is there a way to fix my sysvol rights so I can create GPOs again?
- in the worst-case scenario, is there a way to recreate sysvol with no
GPO inside BUT with correct rights?
- subsidiary questions, but linked to the previous ones:
- does anyone know (or can point me to some documentation on the subject)
how to understand the answer given by the samba-tool ntacl get command,
such as this one:
samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO)
- does anyone know what Linux user and group should own
/var/lib/samba/sysvol, /var/lib/samba/sysvol/domain and
/var/lib/samba/sysvol/domain/Policies?
- does anyone know what Windows user and group should own
/var/lib/samba/sysvol, /var/lib/samba/sysvol/domain and
/var/lib/samba/sysvol/domain/Policies?
As usual, any advice or help will be most welcome.
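The SDDL string the post asks about is three components (O: owner, G: primary group, D: the DACL) and the DACL is a run of control flags followed by one ACE per pair of parentheses, each ACE being `type;flags;rights;object_guid;inherit_guid;sid`. Below is an added example, not from the original post and not Samba's own code: a small Python decoder that takes exactly that string (copied from the post as the constant `SYSVOL_SDDL`) and prints who owns the directory, whether inheritance from the parent is blocked, and which trustee gets which rights. The alias and access-mask tables are the standard SDDL/Windows ones reduced to the subset that appears on a sysvol ACL; `describe`, `parse_sddl` and `full_control_trustees` are this example's own names.

```python
"""Decode an SDDL string like the one `samba-tool ntacl get --as-sddl` prints.
Added example (not from the post or from Samba); SYSVOL_SDDL is copied from the post."""
import re
from collections import namedtuple

SYSVOL_SDDL = (  # copied verbatim from the post's samba-tool ntacl get output
    "O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)"
    "(A;OICI;0x001200a9;;;SO)"
)
# Two-letter SDDL SID aliases (subset); anything else is shown as the raw SID string.
SID_ALIASES = {
    "WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP",
    "AU": "Authenticated Users", "SY": "NT AUTHORITY\\SYSTEM",
    "LA": "Administrator (domain account, RID 500)", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "SO": "BUILTIN\\Server Operators", "DA": "Domain Admins",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
ACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
# Letter forms of the rights field; samba-tool prints hex, so these are only a fallback.
RIGHT_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
                 "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
FILE_RIGHTS = [  # file/directory access-mask bits, low to high
    (0x1, "READ_DATA/LIST_DIR"), (0x2, "WRITE_DATA/ADD_FILE"), (0x4, "APPEND/ADD_SUBDIR"),
    (0x8, "READ_EA"), (0x10, "WRITE_EA"), (0x20, "EXECUTE/TRAVERSE"), (0x40, "DELETE_CHILD"),
    (0x80, "READ_ATTRIBUTES"), (0x100, "WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE"),
]
FULL_CONTROL = 0x001F01FF  # all of the above set: what Windows shows as "Full control"

Ace = namedtuple("Ace", "ace_type flags mask rights trustee")

def split_flags(flags: str, table: dict) -> list:
    """Split a run like 'OICIIO' or 'PAI' into named flags (P is the only one-letter flag)."""
    out, i = [], 0
    while i < len(flags):
        tok = flags[i:i + 2] if flags[i:i + 2] in table else flags[i]
        if tok not in table:
            raise ValueError(f"unknown flag {tok!r} in {flags!r}")
        out.append(table[tok])
        i += len(tok)
    return out

def decode_rights(rights: str):
    """Turn the rights field (hex or letter alias) into (mask, readable summary)."""
    mask = int(rights, 16) if rights.lower().startswith("0x") else RIGHT_ALIASES[rights]
    if mask == FULL_CONTROL:
        return mask, "FULL_CONTROL"
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in FILE_RIGHTS)
    if leftover:  # generic or unknown bits: show them as hex rather than silently dropping them
        names.append(f"0x{leftover:08x}")
    return mask, "|".join(names)

def parse_ace(body: str) -> Ace:
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid' (both GUIDs are empty for files)."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {body!r}")
    ace_type, flags, rights, _obj_guid, _inh_guid, sid = parts
    mask, summary = decode_rights(rights)
    return Ace(ACE_TYPES.get(ace_type, ace_type), split_flags(flags, ACE_FLAGS),
               mask, summary, SID_ALIASES.get(sid, sid))

def parse_sddl(sddl: str) -> dict:
    """Split the O:/G:/D: components; each marker is one letter followed by ':'."""
    result = {"owner": None, "group": None, "dacl_flags": [], "dacl": []}
    for piece in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, value = piece[0], piece[2:]
        if key == "O":
            result["owner"] = SID_ALIASES.get(value, value)
        elif key == "G":
            result["group"] = SID_ALIASES.get(value, value)
        elif key == "D":
            flags, _, aces = value.partition("(")
            result["dacl_flags"] = split_flags(flags, ACL_FLAGS)
            result["dacl"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", "(" + aces)]
        # 'S:' (the SACL) has the same shape; it does not occur in the post's output.
    return result

def full_control_trustees(sddl: str) -> list:
    """Trustees granted Full Control by an ALLOW ACE: the first thing to check on a sysvol ACL."""
    return [a.trustee for a in parse_sddl(sddl)["dacl"]
            if a.ace_type == "ALLOW" and a.mask == FULL_CONTROL]

def describe(sddl: str) -> list:
    """Human-readable lines: owner, group, DACL flags, then one line per ACE."""
    d = parse_sddl(sddl)
    lines = [f"owner: {d['owner']}", f"group: {d['group']}",
             f"DACL flags: {', '.join(d['dacl_flags']) or '(none)'}"]
    for ace in d["dacl"]:
        lines.append(f"  {ace.ace_type:5} {ace.trustee:40} {'+'.join(ace.flags):30} "
                     f"0x{ace.mask:08x} {ace.rights}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(SYSVOL_SDDL)))
```

Read against the post's string: `O:LA` means the owner is the domain's Administrator account (RID 500) and `G:BA` the primary group is BUILTIN\Administrators; `D:PAI` means the DACL is protected (P), so nothing is inherited from the parent directory, and auto-inherited (AI). `0x001f01ff` is Full Control, `0x00120089` is Read, `0x001200a9` is Read and Execute, and the two `IO` (inherit-only) entries for CREATOR OWNER and CREATOR GROUP apply to children only, not to the directory itself. The same decoder works on the output for `sysvol/domain` and `sysvol/domain/Policies`, which is the quickest way to compare the three and spot which one deviates.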