[Samba] sysvol right error and how to correct it.
karel.de.macil at free.fr
Tue Jan 12 16:06:08 UTC 2021
On 08/01/2021 15:47, Rowland penny via samba wrote:
> On 08/01/2021 12:48, karel de macil via samba wrote:
>> Hi all,
>>
>> having some trouble with my samba 4 AD GPOs, I launched a sysvol
>> reset BEFORE reading that it was wrong.
>> I'm attempting to fix things now following this page:
>>
>> https://wiki.samba.org/index.php/Sysvolreset
>>
>> but things don't go well and I'm stuck.
>>
>> My AD has two DCs:
>>
>> - 1: a Debian 8.11 jessie with samba 4.2.14
>> - 2: a Debian bullseye with samba 4.13.2
>>
>> The current situation is:
>>
>> - any attempt to create a new GPO gets a "Group Policy Object Creation
>> Failed - This security ID may not be assigned as the owner of this
>> object" message
>> - when I try to change folder permissions on sysvol for the second DC
>> from a Windows computer, the displayed permissions instantly reset to no
>> permission
>> as soon as I apply the permissions BUT they still appear in the
>> advanced permissions management window...
>> - when I go to my /var/lib/samba/sysvol/domain/Policies directory I
>> have something like this:
>>
>>
>> drwxrwxr--+ 5 3000008 3000008 4,0K sept. 24 2014
>> {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
>> drwxrwxr--+ 4 10001 20012 4,0K mai 21 2019
>> {D2391757-C80E-4063-852F-990A3BBEC517}
>> drwxrwxr--+ 4 3000008 3000008 4,0K mai 9 2014
>> {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
>> drwxrwxr--+ 4 10001 20012 4,0K juil. 3 2015
>> {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}
>>
>> wbinfo --gid-to-sid=3000008
>> S-1-5-21-2718981395-2814295682-4030710678-512
>> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
>> Domain\Domain Admins 2
>> wbinfo --gid-to-sid=20012
>> S-1-5-21-2718981395-2814295682-4030710678-512
>> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
>> Domain\Domain Admins 2
>> wbinfo --gid-to-sid=10001
>> S-1-22-2-10001
>> wbinfo --sid-to-name=S-1-22-2-10001
>> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup sid S-1-22-2-10001
>> wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
>> 20012
>>
>> strange...
>>
>> so, my questions are:
>>
>> - is there a way to fix the "two gids leading to the same sid" thing?
>> any clue on what has led to a change?
>> - should I change the owner of the GPOs I have with the 10001 user,
>> considering the fact that this corresponds to no real user?
>>
>> - is there a way to fix my sysvol rights so I can create GPOs again?
>>
>> - in the worst case scenario, is there a way to recreate sysvol with no
>> GPO inside BUT with correct rights?
>>
>> - subsidiary question but linked to the previous one:
>> - does anyone know (or can lead me to some documentation on the
>> subject) how to
>> understand the answer given by the samba-tool ntacl get command, such as
>> this one:
>>
>> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
>> O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO)
>> - does anyone know what Linux user and group should own
>> /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
>> /var/lib/samba/sysvol/domain/Policies?
>> - does anyone know what Windows user and group should own
>> /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
>> /var/lib/samba/sysvol/domain/Policies?
>>
>> As usual, any advice, any help will be most welcome.
>>
> In answer to your questions, then the answer would be 'yes, I do', but
> before we get deeper in to this, can I ask you to do two things:
>
> Post your smb.conf files
>
> Transfer all the FSMO roles to your bullseye DC (if they are not
> already there), then demote the jessie DC, upgrade it to bullseye and
> join it to the domain again.
>
> Rowland
Hi Rowland,
here is the smb.conf file.
- Can you explain why you want me to demote the Jessie DC, and is it
necessary to update it to bullseye or can I update it to stable with the
same samba version as in bullseye?
- Can you please tell me what to do next?
smb.conf on bullseye (let's call it DCA)
[global]
netbios name = XXXXXXX
realm = DOMAIN.FR
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate, dns
workgroup = DOMAIN
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
allow dns updates = nonsecure
dns update command=/usr/sbin/samba_dnsupdate --use-samba-tool
restrict anonymous = 2
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
log level = 6
#auth_audit:10@/var/log/samba/log.auth_audit
disable netbios = yes
smb ports = 445
server schannel = yes
ntlm auth = true
[netlogon]
path = /var/lib/samba/sysvol/domain.fr/scripts
read only = No
vfs objects = full_audit
[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4 full_audit
smb.conf on jessie (let's call it DCB)
[global]
workgroup = DOMAIN
realm = DOMAIN.FR
netbios name = XXXXXXY
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate, dns
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
allow dns updates = nonsecure
# winbind rpc only = yes
log level = 5
ntp signd socket directory = /var/lib/samba/ntp_signd
server schannel = yes
# ntlm auth = ntlmv1-permitted
min protocol = SMB2
[netlogon]
path = /var/lib/samba/sysvol/domain.fr/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[demo]
path = /share/demo
read only = no
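Reading an SDDL string like the one returned by samba-tool ntacl get --as-sddl by hand is tedious, so here is an added Python example (not code from the thread or from Samba) that parses it into owner, group, DACL flags and ACEs and names the well-known SID aliases and access masks. The alias and mask tables are assumptions taken from the standard Windows SDDL and FILE_* rights conventions, not from the thread.

```python
import re
# Two-letter SDDL SID aliases appearing in the sysvol ACL quoted above
SID_ALIASES = {"WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group",
               "AU": "Authenticated Users", "SY": "Local System",
               "LA": "Administrator (RID 500)", "BA": "Builtin Administrators",
               "BU": "Builtin Users", "SO": "Server Operators"}
# ACE flags: OI=object inherit, CI=container inherit, IO=inherit only (does not
# apply to the object itself), ID=inherited.  DACL flags: P=protected, AI=auto-inherited.
# File-system access-mask bits (FILE_* rights)
MASK_BITS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
             0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD", 0x80: "READ_ATTR",
             0x100: "WRITE_ATTR", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
             0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
MASK_NAMES = {0x1f01ff: "Full Control", 0x1200a9: "Read & Execute", 0x120089: "Read"}  # Security tab labels
RIGHTS_ALIASES = {"FA": 0x1f01ff, "FR": 0x120089, "FX": 0x1200a0, "FW": 0x120116}

def decode_mask(mask):
    """Name a standard composite mask, otherwise list its individual bits."""
    if mask in MASK_NAMES:
        return MASK_NAMES[mask]
    return "|".join(n for bit, n in MASK_BITS.items() if mask & bit) or "none"

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)...' into owner, group, DACL flags and ACEs."""
    owner = re.search(r"O:([A-Z]{2}|S-[\d-]+)", sddl).group(1)
    group = re.search(r"G:([A-Z]{2}|S-[\d-]+)", sddl).group(1)
    dacl = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        atype, aflags, rights, _obj, _inh, sid = ace.split(";")
        mask = int(rights, 16) if rights.startswith("0x") else RIGHTS_ALIASES[rights]
        aces.append({"type": {"A": "allow", "D": "deny"}.get(atype, atype),
                     "flags": re.findall(r"[A-Z]{2}", aflags), "mask": mask,
                     "who": SID_ALIASES.get(sid, sid)})
    return {"owner": SID_ALIASES.get(owner, owner), "group": SID_ALIASES.get(group, group),
            "dacl_flags": re.findall(r"AI|AR|P", dacl.group(1)), "aces": aces}

def describe(sddl):
    """One readable line per ACE, e.g. 'allow Everyone: Read [OI,CI]'."""
    sd = parse_sddl(sddl)
    out = [f"owner={sd['owner']} group={sd['group']} dacl={','.join(sd['dacl_flags'])}"]
    for a in sd["aces"]:
        out.append(f"{a['type']} {a['who']}: {decode_mask(a['mask'])} [{','.join(a['flags'])}]")
    return out

# The SDDL string quoted in the post (samba-tool ntacl get --as-sddl on /var/lib/samba/sysvol)
SYSVOL_SDDL = ("O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)"
               "(A;OICI;0x001200a9;;;SO)")
```

Calling print("\n".join(describe(SYSVOL_SDDL))) shows that the sysvol root is owned by Administrator with a protected DACL, and that Creator Group only receives SYNCHRONIZE on children while Everyone and Builtin Users get Read.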