[Samba] Sysvol issues after DC migration

L.P.H. van Belle belle at bazuin.nl
Tue Mar 16 10:48:25 UTC 2021


You need to reset this in total. 

If you had at first UID 2500 for Administrator, 
then the owner is still UID 2500 and it's all restricted, 
you must enforce it to change it to root.

setfacl -b -R .... 
Often I also do 
chown -R root:root  to make sure root is the owner now. 
and reapply them again. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via
> samba
> Sent: Tuesday 16 March 2021 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol issues after DC migration
> 
> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> > I've removed uidNumber from the Administrator user (it had 2500).
> > Still getting the same "Access is denied" when trying to change
> > things, and can't set the owner.
> >
> > The Administrator user also has the gidNumber 512, if that helps
> > anything.
> 
> 
> It sounds like someone has given everything a uidNumber or gidNumber,
> try checking the following users for a uidNumber or gidNumber attribute:
> 
> administrator
> guest
> krbtgt
> 
> Remove any that you find. Do the same for these groups:
> 
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> enterprise read-only domain controllers
> domain admins
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
> 
> Then run 'net cache flush' on all Unix domain members.
> 
> If you still cannot use Administrator to change things on a Samba DC,
> then check if idmap.ldb contains an object similar to this:
> 
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> 
> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
> 
> Rowland
> 
> 
> 
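
The checks listed in the quoted reply, as an added example that is not part of the original thread: it reads LDIF text (for instance ldbsearch output from the directory and from idmap.ldb), reports uidNumber/gidNumber attributes on the accounts and groups named above, and tests whether the Administrator SID maps to xidNumber 0. The function names, the sample records and the domain SID are constructed for illustration.

```python
WELL_KNOWN = set((  # accounts and groups named in the thread
    "administrator,guest,krbtgt,cert publishers,ras and ias servers,"
    "allowed rodc password replication group,"
    "denied rodc password replication group,"
    "enterprise read-only domain controllers,domain admins,domain guests,"
    "domain computers,domain controllers,schema admins,enterprise admins,"
    "group policy creator owners,read-only domain controllers").split(","))

def parse_ldif(text):
    """Parse LDIF into records: dict of lower-cased attribute -> list of values."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split records
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):        # skip LDIF comments
                key, _, val = line.partition(":")
                rec.setdefault(key.strip().lower(), []).append(val.strip())
        if rec:
            records.append(rec)
    return records

def posix_attrs_on_well_known(records):
    """Return (name, attribute, value) for each uidNumber/gidNumber to remove."""
    return [(rec["samaccountname"][0], attr, v)
            for rec in records
            if rec.get("samaccountname", [""])[0].lower() in WELL_KNOWN
            for attr in ("uidnumber", "gidnumber") for v in rec.get(attr, [])]

def admin_maps_to_root(idmap_records, domain_sid):
    """True if <domain SID>-500 is mapped as ID_TYPE_UID with xidNumber 0."""
    for rec in idmap_records:
        if rec.get("objectsid") == [domain_sid + "-500"]:
            return rec.get("type") == ["ID_TYPE_UID"] and rec.get("xidnumber") == ["0"]
    return False

# Constructed sample input (not from a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAM_LDIF = """dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
gidNumber: 512

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001"""
IDMAP_LDIF = """dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0"""
if __name__ == "__main__":
    print(posix_attrs_on_well_known(parse_ldif(SAM_LDIF)),
          admin_maps_to_root(parse_ldif(IDMAP_LDIF), DOMAIN_SID))
```

Values that ldbsearch emits base64-encoded (`attr:: ...`) are not decoded here.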
