[Samba] sysvol right error and how to correct it.

karel.de.macil at free.fr karel.de.macil at free.fr
Tue Jan 12 16:06:08 UTC 2021


On 08/01/2021 15:47, Rowland penny via samba wrote:
> On 08/01/2021 12:48, karel de macil via samba wrote:
>> Hi all,
>> 
>> having some trouble with my Samba 4 AD GPOs, I launched a sysvol 
>> reset BEFORE reading that it was wrong.
>> I'm attempting to fix things now following this page:
>> 
>> https://wiki.samba.org/index.php/Sysvolreset
>> 
>> but things don't go well and I'm stuck.
>> 
>> My AD has two DCs:
>> 
>> - 1: a Debian 8.11 jessie with Samba 4.2.14
>> - 2: a Debian bullseye with Samba 4.13.2
>> 
>> The current situation is:
>> 
>> - any attempt to create a new GPO gets a "Group Policy Object Creation 
>> Failed - This security ID may not be assigned as the owner of this 
>> object" message
>> - when I try to change folder permissions on sysvol for the second DC 
>> from a Windows computer, the displayed permissions instantly reset to no 
>> permission as soon as I apply them, BUT they still appear in the 
>> advanced permissions management window...
>> - when I go to my /var/lib/samba/sysvol/domain/Policies directory I 
>> have something like this:
>> 
>> 
>> drwxrwxr--+  5 3000008 3000008 4.0K Sep   24  2014 
>> {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
>> drwxrwxr--+  4   10001   20012 4.0K May   21  2019 
>> {D2391757-C80E-4063-852F-990A3BBEC517}
>> drwxrwxr--+  4 3000008 3000008 4.0K May    9  2014 
>> {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
>> drwxrwxr--+  4   10001   20012 4.0K Jul    3  2015 
>> {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}
>> 
>> wbinfo --gid-to-sid=3000008
>> S-1-5-21-2718981395-2814295682-4030710678-512
>> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
>> Domain\Domain Admins 2
>> wbinfo --gid-to-sid=20012
>> S-1-5-21-2718981395-2814295682-4030710678-512
>> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
>> Domain\Domain Admins 2
>> wbinfo --gid-to-sid=10001
>> S-1-22-2-10001
>> wbinfo --sid-to-name=S-1-22-2-10001
>> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup sid S-1-22-2-10001
>> wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
>> 20012
>> 
>> strange...
>> 
>> so, my questions are:
>> 
>> - is there a way to fix the "two GIDs leading to the same SID" thing? 
>> Any clue on what has led to a change?
>> - should I change the owner of the GPOs I have with the 10001 user, 
>> considering the fact that this corresponds to no real user?
>> 
>> - is there a way to fix my sysvol rights so I can create GPOs again?
>> 
>> - in the worst case scenario, is there a way to recreate sysvol with no 
>> GPO inside BUT with correct rights?
>> 
>> - subsidiary question, but linked to the previous one:
>> - does anyone know (or can lead me to some documentation on the 
>> subject) how to
>> understand the answer given by the samba-tool ntacl get command, such as 
>> this one:
>> 
>> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
>> O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO) 
>> - does anyone know what Linux user and group should own 
>> /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain, 
>> /var/lib/samba/sysvol/domain/Policies?
>> - does anyone know what Windows user and group should own 
>> /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain, 
>> /var/lib/samba/sysvol/domain/Policies?
>> 
>> As usual, any advice, any help will be most welcome.
>> 
> In answer to your questions, the answer would be 'yes, I do', but
> before we get deeper into this, can I ask you to do two things:
> 
> Post your smb.conf files
> 
> Transfer all the FSMO roles to your bullseye DC (if they are not
> already there), then demote the jessie DC, upgrade it to bullseye and
> join it to the domain again.
> 
> Rowland


Hi Rowland,

here is the smb.conf file.

- Can you explain why you want me to demote the jessie DC, and is it 
necessary to update it to bullseye or can I update it to stable with the 
same Samba version as in bullseye?
- Can you please tell me what to do next?

smb.conf on bullseye (let's call it DCA)
[global]
         netbios name = XXXXXXX
         realm = DOMAIN.FR
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
         workgroup = DOMAIN
         idmap_ldb:use rfc2307  = yes
         dns forwarder = 8.8.8.8
         allow dns updates = nonsecure
         dns update command=/usr/sbin/samba_dnsupdate --use-samba-tool
         restrict anonymous = 2
         printcap name = /dev/null
         load printers = no
         disable spoolss = yes
         printing = bsd
         log level = 6
         #auth_audit:10@/var/log/samba/log.auth_audit
         disable netbios = yes
         smb ports = 445
         server schannel = yes
         ntlm auth = true

[netlogon]
         path = /var/lib/samba/sysvol/domain.fr/scripts
         read only = No
         vfs objects = full_audit
[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
         vfs objects = dfs_samba4 full_audit

smb.conf on jessie (let's call it DCB)

[global]
         workgroup = DOMAIN
         realm = DOMAIN.FR
         netbios name = XXXXXXY
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
         idmap_ldb:use rfc2307 = yes
         dns forwarder = 8.8.8.8
         allow dns updates = nonsecure
#       winbind rpc only = yes
         log level = 5
         ntp signd socket directory = /var/lib/samba/ntp_signd
         server schannel = yes
#       ntlm auth = ntlmv1-permitted
         min protocol = SMB2
[netlogon]
         path = /var/lib/samba/sysvol/domain.fr/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[demo]
         path = /share/demo
         read only = no


