[Samba] Sysvol issues after DC migration
Oleg Blyahher
oleg.blyahher at bluetest.se
Tue Mar 16 11:22:52 UTC 2021
I've followed Rowland's advice regarding removing uidNumber and
gidNumber from all the aforementioned users and groups.
It did help me a little bit on the way - I can now change the sysvol
SHARE permissions, but nothing else :/
idmap.ldb *does *contain an object as described in Rowland's last email,
with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
Louis, could you please elaborate? I just want to make sure I understood
you correctly.
After removing uidNumber and gidNumber from the Administrator, guest,
and all the groups mentioned, I need to run
chown -R root:root
on
/var/lib/samba/sysvol/my-domain.com
?
What's the next step? Or would that be enough? Do I need to delete the
folders within the Policies directory?
I can also see, in the GPO editor, that if I select "Default Domain
Policy", it says "The permission for thi GPO in the SYSVOL folder are
inconsisten with those in AD". This does not happen when I click on a
GPO that was manually created on the previous DC. In case that helps..
Oleg
On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
> You need to reset this in total.
>
> If you had at first UID 2500 for Administrator,
> then the owner still is UID 2500 and its all restriced,
> you must enforce it to change it to root.
>
> setfacl -b -R ....
> often i also do
> chown -R root:root to make sure root is the owner now.
> and reapply them again.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny via
>> samba
>> Verzonden: dinsdag 16 maart 2021 11:09
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Sysvol issues after DC migration
>>
>> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
>>> I've removed uidNumber from the Administrator user (it had 2500).
>>> Still getting the same "Access is denied" when trying to change
>>> things, and can't set the owner.
>>>
>>> The Administrator user also has the gidNumber 512, if that helps
>>> anything.
>>
>> It sounds like someone has given everything a uidNumber or gidNumber,
>> try checking the following users for a uidNumber or gidNumber attribute:
>>
>> administrator
>> guest
>> krbtgt
>>
>> Remove any that you find. Do the same for these groups:
>>
>> cert publishers
>> ras and ias servers
>> allowed rodc password replication group
>> denied rodc password replication group
>> enterprise read-only domain controllers
>> domain admins
>> domain guests
>> domain computers
>> domain controllers
>> schema admins
>> enterprise admins
>> group policy creator owners
>> read-only domain controllers
>>
>> Then run 'net cache flush' on all Unix domain members.
>>
>> If you still cannot use Administrator to change things on a Samba DC,
>> then check if idmap.ldb contains an object similar to this:
>>
>> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>
>> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list