[Samba] sysvol right error and how to correct it.

Rowland penny rpenny at samba.org
Fri Jan 8 14:47:56 UTC 2021


On 08/01/2021 12:48, karel de macil via samba wrote:
> Hi all,
>
> Having some trouble with my Samba 4 AD GPOs: I launched a sysvol
> reset BEFORE reading that it was wrong.
> I'm attempting to fix things now following this page:
>
> https://wiki.samba.org/index.php/Sysvolreset
>
> but things don't go well and I'm stuck.
>
> My AD has two DCs:
>
> - 1: a Debian 8.11 jessie with Samba 4.2.14
> - 2: a Debian bullseye with Samba 4.13.2
>
> The current situation is:
>
> - any attempt to create a new GPO gets a "Group Policy Object Creation
> Failed - This security ID may not be assigned as the owner of this
> object" message
> - when I try to change folder permissions on sysvol for the second DC
> from a Windows computer, the permissions displayed instantly reset to no
> permission
> as soon as I apply the permissions, BUT they still appear in the
> advanced permissions management window...
> - when I go to my /var/lib/samba/sysvol/domain/Policies repository I
> have something like this:
>
>
> drwxrwxr--+  5 3000008 3000008 4,0K sept. 24  2014 
> {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
> drwxrwxr--+  4   10001   20012 4,0K mai   21  2019 
> {D2391757-C80E-4063-852F-990A3BBEC517}
> drwxrwxr--+  4 3000008 3000008 4,0K mai    9  2014 
> {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
> drwxrwxr--+  4   10001   20012 4,0K juil.  3  2015 
> {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}
>
> wbinfo --gid-to-sid=3000008
> S-1-5-21-2718981395-2814295682-4030710678-512
>  wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
> Domain\Domain Admins 2
> wbinfo --gid-to-sid=20012
> S-1-5-21-2718981395-2814295682-4030710678-512
> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
> Domain\Domain Admins 2
> wbinfo --gid-to-sid=10001
> S-1-22-2-10001
> wbinfo --sid-to-name=S-1-22-2-10001
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-22-2-10001
> wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
> 20012
>
> strange...
>
> So, my questions are:
>
> - is there a way to fix the "two GIDs leading to the same SID" thing?
> Any clue on what has led to a change?
> - should I change the owner of the GPO I have with the 10001 user,
> considering the fact that this corresponds to no real user?
>
> - is there a way to fix my sysvol rights so I can create GPOs again?
>
> - in the worst-case scenario, is there a way to recreate sysvol with no
> GPO inside BUT with some correct rights?
>
> - subsidiary question, but linked to the previous one:
> - does anyone know (or can lead me to some documentation on the
> subject) how to
> understand the answer given by the samba-tool ntacl get command, such as
> this one:
>
> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
> O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO) 
>
>
> - does anyone know what Linux user and group should own
> /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
> /var/lib/samba/sysvol/domain/Policies
> - does anyone know what Windows user and group should own
> /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
> /var/lib/samba/sysvol/domain/Policies
>
> As usual, any advice, any help will be most welcome.
>
In answer to your questions, then the answer would be 'yes, I do', but 
before we get deeper into this, can I ask you to do two things:

Post your smb.conf files

Transfer all the FSMO roles to your bullseye DC (if they are not already 
there), then demote the jessie DC, upgrade it to bullseye and join it to 
the domain again.

Rowland
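As an added illustration for the ntacl question in the quoted post (this is not code from the Samba project or from either poster): a small Python decoder for the file-style SDDL string that `samba-tool ntacl get --as-sddl` printed above. It assumes the standard Windows two-letter SID aliases and file access-mask bit values, and only handles the owner, group and DACL parts that appear in that output.

```python
import re

# Assumed: standard Windows SDDL two-letter SID aliases for the trustees seen above.
SID_ALIASES = {"WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group",
               "AU": "Authenticated Users", "SY": "Local System",
               "LA": "Local Administrator", "BA": "Builtin Administrators",
               "BU": "Builtin Users", "SO": "Server Operators"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object_inherit", "CI": "container_inherit", "IO": "inherit_only",
             "NP": "no_propagate_inherit", "ID": "inherited"}
DACL_FLAGS = {"P": "protected", "AR": "auto_inherit_req", "AI": "auto_inherited"}
# Assumed: standard file access-mask bits, highest first so decoded names read naturally.
FILE_RIGHTS = [(0x100000, "SYNCHRONIZE"), (0x80000, "WRITE_OWNER"), (0x40000, "WRITE_DAC"),
               (0x20000, "READ_CONTROL"), (0x10000, "DELETE"), (0x100, "WRITE_ATTRIBUTES"),
               (0x80, "READ_ATTRIBUTES"), (0x40, "DELETE_CHILD"), (0x20, "EXECUTE"),
               (0x10, "WRITE_EA"), (0x8, "READ_EA"), (0x4, "APPEND_DATA"),
               (0x2, "WRITE_DATA"), (0x1, "READ_DATA")]
# Familiar Explorer-style names for the three masks that appear in the string above.
SUMMARY = {0x1F01FF: "Full control", 0x1200A9: "Read & execute", 0x120089: "Read"}

# The string printed by samba-tool in the quoted post (copied from the page).
SYSVOL_SDDL = ("O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)"
               "(A;OICI;0x001200a9;;;SO)")

def _tokens(s, table):
    """Split a run of SDDL letter codes into known one- or two-letter flags."""
    out, i = [], 0
    while i < len(s):
        for width in (2, 1):
            if s[i:i + width] in table:
                out.append(table[s[i:i + width]]); i += width; break
        else:
            raise ValueError("unknown flag at %r" % s[i:])
    return out

def parse_sddl(sddl):
    """Decode O:/G:/D: sections of a file SDDL string into a plain dict."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl.strip())
    if not m:
        raise ValueError("not an O:..G:..D:.. SDDL string")
    owner, group, dflags, aces = m.groups()
    result = {"owner": SID_ALIASES.get(owner, owner), "group": SID_ALIASES.get(group, group),
              "dacl_flags": _tokens(dflags, DACL_FLAGS), "aces": []}
    for ace in re.findall(r"\(([^)]*)\)", aces):
        atype, flags, rights, _obj, _iobj, sid = ace.split(";")
        mask = int(rights, 16)  # samba-tool prints the mask as hex
        result["aces"].append({"type": ACE_TYPES.get(atype, atype), "mask": mask,
                               "flags": _tokens(flags, ACE_FLAGS),
                               "rights": SUMMARY.get(mask) or "|".join(n for b, n in FILE_RIGHTS if mask & b),
                               "trustee": SID_ALIASES.get(sid, sid)})
    return result
```

Reading the decoded result: the DACL is protected (P, so it does not inherit from the parent), Everyone and Builtin Users get Read, Authenticated Users and Server Operators get Read & execute, and the inherit-only Creator Owner ACE is what hands full control of newly created GPO folders to whoever created them.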