[Samba] Sysvol issues after DC migration

Oleg Blyahher oleg.blyahher at bluetest.se
Tue Mar 16 11:22:52 UTC 2021

I've followed Rowland's advice regarding removing uidNumber and 
gidNumber from all the aforementioned users and groups.

It did help me a little bit on the way - I can now change the sysvol 
SHARE permissions, but nothing else :/

idmap.ldb *does* contain an object as described in Rowland's last email, 
with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

Louis, could you please elaborate? I just want to make sure I understood 
you correctly.

After removing uidNumber and gidNumber from the Administrator, guest, 
and all the groups mentioned, I need to run

chown -R root:root

What's the next step? Or would that be enough? Do I need to delete the 
folders within the Policies directory?

I can also see, in the GPO editor, that if I select "Default Domain 
Policy", it says "The permissions for this GPO in the SYSVOL folder are 
inconsistent with those in AD". This does not happen when I click on a 
GPO that was manually created on the previous DC. In case that helps...


On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
> You need to reset this in total.
> If you had at first UID 2500 for Administrator,
> then the owner still is UID 2500 and it's all restricted,
> you must enforce it to change it to root.
> setfacl -b -R ....
> often I also do
> chown -R root:root  to make sure root is the owner now.
> and reapply them again.
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via
>> samba
>> Sent: Tuesday, 16 March 2021 11:09
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Sysvol issues after DC migration
>> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
>>> I've removed uidNumber from the Administrator user (it had 2500).
>>> Still getting the same "Access is denied" when trying to change
>>> things, and can't set the owner.
>>> The Administrator user also has the gidNumber 512, if that helps
>>> anything.
>> It sounds like someone has given everything a uidNumber or gidNumber,
>> try checking the following users for a uidNumber or gidNumber attribute:
>> administrator
>> guest
>> krbtgt
>> Remove any that you find. Do the same for these groups:
>> cert publishers
>> ras and ias servers
>> allowed rodc password replication group
>> denied rodc password replication group
>> enterprise read-only domain controllers
>> domain admins
>> domain guests
>> domain computers
>> domain controllers
>> schema admins
>> enterprise admins
>> group policy creator owners
>> read-only domain controllers
>> Then run 'net cache flush' on all Unix domain members.
>> If you still cannot use Administrator to change things on a Samba DC,
>> then check if idmap.ldb contains an object similar to this:
>> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
>> Rowland
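As an added example (not code from the thread, and not Samba's own tooling), a small Python check of the two things Rowland asks for: it parses an LDIF dump such as ldbsearch prints, lists any uidNumber/gidNumber still present on the well-known accounts he names, and verifies that idmap.ldb maps the domain's RID-500 Administrator to ID_TYPE_UID with xidNumber 0. The domain SID, DNs and attribute values in the sample dumps are constructed for the example.

```python
"""Check an LDIF dump (ldbsearch output) for the two things the thread asks
about: POSIX ids on well-known accounts, and Administrator's idmap.ldb entry."""
# Users and groups named in the thread that must not carry POSIX ids.
WELL_KNOWN = {"administrator", "guest", "krbtgt", "domain admins", "domain guests",
              "domain computers", "domain controllers", "schema admins", "enterprise admins"}
def parse_ldif(text):
    """Minimal LDIF reader; attrs lower-cased, base64 (::) values not decoded."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, val = line.partition(":")
                rec.setdefault(attr.strip().lower(), []).append(val.lstrip(": ").strip())
        if rec:
            records.append(rec)
    return records

def posix_ids_on_well_known(records):
    """(sAMAccountName, attribute, value) for each offending POSIX id found."""
    hits = []
    for rec in records:
        name = rec.get("samaccountname", [""])[0].lower()
        for attr in ("uidnumber", "gidnumber"):
            hits += [(name, attr, v) for v in rec.get(attr, []) if name in WELL_KNOWN]
    return hits
def admin_maps_to_root(records, domain_sid):
    """True iff idmap.ldb maps <domain_sid>-500 to ID_TYPE_UID / xidNumber 0."""
    for rec in records:
        if rec.get("objectsid") == [f"{domain_sid}-500"]:
            return rec.get("type") == ["ID_TYPE_UID"] and rec.get("xidnumber") == ["0"]
    return False
# Constructed sample dumps (not from a real DC): Administrator still has POSIX ids.
SAMPLE_USERS = """\
dn: CN=Administrator,CN=Users,DC=example,DC=test
sAMAccountName: Administrator
uidNumber: 2500
gidNumber: 512

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10001
"""
SAMPLE_IDMAP = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0
"""
```

Against a real DC, feed it the output of ldbsearch on sam.ldb (users and groups) and on idmap.ldb; any tuple returned for a well-known account is an attribute to remove, and a False from the idmap check means the sidMap object Rowland describes is missing or wrong.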