[Samba] Sysvol issues after DC migration

Oleg Blyahher oleg.blyahher at bluetest.se
Mon Mar 15 19:30:55 UTC 2021


Ok, thanks Rowland. I've made it further now, and the script runs to 
the point where it tells me the following:

Set your sysvol SHARE permissions as follows:
  EVERYONE: READ
  Authenticated Users: FULL CONTROL
  (BUILTIN or NTDOM)\Administrators: FULL CONTROL
  (BUILTIN or NTDOM)\SYSTEM: FULL CONTROL
User/Group SYSTEM is added compared to a win2008R2 sysvol; you need this 
for some GPO settings.

Set your sysvol FOLDER permissions as follows:
  Authenticated Users: Read & Exec, Show folder content, Read
  (BUILTIN or NTDOM)\Administrators: FULL CONTROL
  (BUILTIN or NTDOM)\SYSTEM: FULL CONTROL


I've opened up Computer Management as the domain admin, but I can't make 
any changes to the permissions. It keeps telling me "Access is denied" 
whenever I try to modify the share or security permissions. Right now 
"Everyone" has full access in the share permissions. I can't even see 
the owners there.

Any point in modifying the sysvol folder with setfacl? Where should I 
look next?

Oleg


On 2021-03-15 18:53, Rowland penny via samba wrote:
> On 15/03/2021 17:32, Oleg Blyahher via samba wrote:
>> No, it currently has the gidNumber 544 (checked by running samba-tool 
>> group edit Administrators).
>>
>> What gid should it have otherwise? Something in the 5000-6000 range?
>
>
> Perhaps I should have said "does the 'Administrators' group have a 
> gidNumber".
>
> So, in the Administrators object in AD there is this line:
>
> gidNumber: 544
>
> If so, edit the group again and remove that line. 'Administrators' 
> should not have a gidNumber; it just turns 'Administrators' into a 
> group. You are probably now thinking 'What?' Administrators is a 
> group, well yes, but it is a Windows group and Windows groups can 
> 'own' things like a user, something that doesn't happen on Unix. To 
> allow this on a Samba DC (Administrators has to own things in Sysvol), 
> groups are mapped to 'ID_TYPE_BOTH' in idmap.ldb; giving a group a 
> gidNumber breaks this.
>
> This applies to all the groups in the 'Well Known SIDs' (basically the 
> groups created by a provision), apart from Domain Users.
>
> Rowland
>
>
>



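A quick way to find every well-known group that carries a gidNumber, as an added example that is not part of the thread and not Samba's own tooling: the function below reads LDIF on stdin, as printed by ldbsearch, and flags BUILTIN groups (S-1-5-32-*) and domain groups with a RID below 1000 that have a gidNumber set, skipping Domain Users (RID 513) per Rowland's rule above. The sam.ldb and idmap.ldb paths in the comments are the default locations and are assumptions for your install; the LDIF at the bottom is constructed sample data, not output from Oleg's DC.

```shell
#!/bin/sh
# Added example: flag well-known AD groups that have a gidNumber attribute.
# Not from the original thread; the ldb paths below are assumed defaults.
#
# Real usage on a DC (cn/objectSid/gidNumber are the only attributes needed):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' \
#       cn objectSid gidNumber | find_bad_gidnumber
#
# To see how the same SID is mapped in idmap.ldb (expect type ID_TYPE_BOTH):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(cn=S-1-5-32-544)' xidNumber type

find_bad_gidnumber() {
    # Reads LDIF records on stdin; prints "cn<TAB>objectSid<TAB>gidNumber"
    # for each offending group, in input order.
    awk '
        function flush() {
            if (cn != "" && sid != "" && gid != "") {
                if (sid ~ /^S-1-5-32-[0-9]+$/) {
                    bad = 1                     # BUILTIN group
                } else {
                    n = split(sid, p, "-"); rid = p[n] + 0
                    bad = (rid < 1000 && rid != 513)   # well-known domain RID, not Domain Users
                }
                if (bad) printf "%s\t%s\t%s\n", cn, sid, gid
            }
            cn = ""; sid = ""; gid = ""; bad = 0
        }
        /^dn: /        { flush() }              # new record starts
        /^cn: /        { cn  = substr($0, 5) }
        /^objectSid: / { sid = substr($0, 12) }
        /^gidNumber: / { gid = substr($0, 12) }
        END            { flush() }
    '
}

# Constructed sample LDIF (not real DC output) in ldbsearch's format.
SAMPLE_LDIF='dn: CN=Administrators,CN=Builtin,DC=example,DC=com
cn: Administrators
objectSid: S-1-5-32-544
gidNumber: 544

dn: CN=Domain Users,CN=Users,DC=example,DC=com
cn: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
cn: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 10001

dn: CN=unixusers,CN=Users,DC=example,DC=com
cn: unixusers
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 10002

dn: CN=Users,CN=Builtin,DC=example,DC=com
cn: Users
objectSid: S-1-5-32-545
'

# Run against the constructed sample: Administrators and Domain Admins
# are reported; Domain Users, the ordinary group and the gidNumber-less
# BUILTIN\Users are not.
printf '%s\n' "$SAMPLE_LDIF" | find_bad_gidnumber
```

Each group the script reports is a candidate for `samba-tool group edit <name>` to delete the gidNumber line, as Rowland describes. Only after the well-known groups are clean does it make sense to reapply the sysvol ACLs (for example with `samba-tool ntacl sysvolreset`) rather than hand-editing them with setfacl, since the ownership the reset applies depends on those groups mapping as ID_TYPE_BOTH.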