[Samba] sysvol right error and how to correct it.

karel.de.macil at free.fr
Fri Jan 8 12:48:01 UTC 2021


Hi all,

Having some trouble with my Samba 4 AD GPOs, I launched a sysvol 
reset BEFORE reading that it was wrong.
I'm attempting to fix things now following this page:

https://wiki.samba.org/index.php/Sysvolreset

but things don't go well and I'm stuck.

My AD has two DCs:

- 1: a Debian 8.11 jessie with Samba 4.2.14
- 2: a Debian bullseye with Samba 4.13.2

Current situation is:

- any attempt to create a new GPO gets a "Group Policy Object Creation 
Failed - This security ID may not be assigned as the owner of this 
object" message
- when I try to change folder permissions on sysvol for the second DC 
from a Windows computer, the permissions display instantly resets to no 
permission as soon as I apply the permissions, BUT they still appear in 
the advanced permissions management window...
- when I go to my /var/lib/samba/sysvol/domain/Policies repository I 
have something like this:


drwxrwxr--+  5 3000008 3000008 4,0K sept. 24  2014 {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
drwxrwxr--+  4   10001   20012 4,0K mai   21  2019 {D2391757-C80E-4063-852F-990A3BBEC517}
drwxrwxr--+  4 3000008 3000008 4,0K mai    9  2014 {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
drwxrwxr--+  4   10001   20012 4,0K juil.  3  2015 {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}

wbinfo --gid-to-sid=3000008
S-1-5-21-2718981395-2814295682-4030710678-512
wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
Domain\Domain Admins 2
wbinfo --gid-to-sid=20012
S-1-5-21-2718981395-2814295682-4030710678-512
wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
Domain\Domain Admins 2
wbinfo --gid-to-sid=10001
S-1-22-2-10001
wbinfo --sid-to-name=S-1-22-2-10001
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-22-2-10001
wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
20012

strange...

So, my questions are:

- is there a way to fix the "two GIDs leading to the same SID" thing? Any 
clue on what has led to a change?
- should I change the owner of the GPOs I have with the 10001 user, 
considering the fact that this corresponds to no real user?

- is there a way to fix my sysvol rights so I can create GPOs again?

- in the worst-case scenario, is there a way to recreate sysvol with no 
GPO inside BUT with correct rights?

- subsidiary question, but linked to the previous one: does anyone know 
(or can lead me to some documentation on the subject) how to 
understand the answer given by the samba-tool ntacl get command, such 
as this one:

samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO)

- does anyone know what Linux user and group should own 
/var/lib/samba/sysvol, /var/lib/samba/sysvol/domain, 
/var/lib/samba/sysvol/domain/Policies?
- does anyone know what Windows user and group should own 
/var/lib/samba/sysvol, /var/lib/samba/sysvol/domain, 
/var/lib/samba/sysvol/domain/Policies?

As usual, any advice, any help will be most welcome.
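For the SDDL question above, here is an added Python example (not from the post and not Samba's own code) that parses the quoted `samba-tool ntacl get --as-sddl` output into owner, group, DACL flags and decoded ACEs, then lists which trustees may modify data or the ACL itself. The alias and mask tables are the standard Windows SDDL / file ACCESS_MASK values; the DACL flags are kept raw (P = protected from parent inheritance, AI = auto-inherited).

```python
import re

# SDDL string quoted in the post, embedded here so the example runs offline.
SYSVOL_SDDL = ("O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)"
               "(A;OICI;0x001200a9;;;SO)")
# Two-letter SDDL trustee aliases seen in the post (a subset of the standard table).
SID_ALIASES = {"WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group",
               "AU": "Authenticated Users", "SY": "Local System",
               "LA": "Local Administrator", "BA": "Builtin Administrators",
               "BU": "Builtin Users", "SO": "Server Operators"}
ACE_FLAGS = {"OI": "object_inherit", "CI": "container_inherit", "IO": "inherit_only",
             "NP": "no_propagate", "ID": "inherited"}
# File ACCESS_MASK bits, reported low bit first. DACL flags (P, AI) are left raw.
MASK_BITS = [(0x000001, "READ_DATA"), (0x000002, "WRITE_DATA"), (0x000004, "APPEND_DATA"),
             (0x000008, "READ_EA"), (0x000010, "WRITE_EA"), (0x000020, "EXECUTE"),
             (0x000040, "DELETE_CHILD"), (0x000080, "READ_ATTRIBUTES"),
             (0x000100, "WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
             (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
             (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
SDDL_RE = re.compile(r"O:(S-[\d-]+|[A-Z]{2})G:(S-[\d-]+|[A-Z]{2})D:([A-Z]*)((?:\([^)]*\))*)")

def decode_mask(mask):
    """Names of the ACCESS_MASK bits set in an integer rights value."""
    return [name for bit, name in MASK_BITS if mask & bit]

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)..' into owner, group, DACL flags and decoded ACEs."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL layout")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")
        aces.append({"type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
                     "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                               for i in range(0, len(flags), 2)],
                     "rights": decode_mask(int(rights, 16)),
                     "trustee": SID_ALIASES.get(sid, sid)})
    return {"owner": SID_ALIASES.get(owner, owner), "group": SID_ALIASES.get(group, group),
            "dacl_flags": dacl_flags, "aces": aces}

def can_modify(acl):
    """Trustees allowed to change content or the ACL itself (what to review on a sysvol)."""
    modifying = {"WRITE_DATA", "APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
    return sorted({a["trustee"] for a in acl["aces"]
                   if a["type"] == "allow" and modifying & set(a["rights"])})
```

Run `parse_sddl(SYSVOL_SDDL)` to see that, in the quoted ACL, Everyone and Builtin Users only get read, Authenticated Users and Server Operators get read and execute, and full control is limited to Creator Owner (inherit-only), Local System, Local Administrator and Builtin Administrators.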
