[Samba] Sysvol issues after DC migration
Oleg Blyahher
oleg.blyahher at bluetest.se
Tue Mar 16 15:09:30 UTC 2021
Hi,
After running *samba-tool ntacl sysvolreset *everything is now MUCH
better. I can edit GPO and sysvol permissions without problems. Thanks you!
I did get some errors though, when running this:
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
and 'force unknown acl user = true' for service sysvol
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is
not found.')
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
186, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
415, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1782, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1676, in set_gpos_acl
passdb=passdb)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1637, in set_dir_acl
setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs,
skip_invalid_chown=True, passdb=passdb, service=service)
File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 238, in
setntacl
service=service, session_info=session_info)
If I run samba-tool ntacl sysvolcheck I get this error:
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO file
/var/lib/samba/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Registry.pol
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
186, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
446, in run
lp)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1905, in checksysvolacl
direct_db_access)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1855, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1809, in check_dir_acl
raise ProvisioningError('%s ACL on GPO file %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access),
os.path.join(root, name), fsacl_sddl, acl))
If I run the script you mentioned:
INFO 2021-03-16 16:03:48,635 pid:5074
/usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb
config files from /etc/samba/smb.conf INFO 2021-03-16 16:03:48,636
pid:5074 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97:
Loaded services file OK. Review the file : default-rights-sysvol.acl,
these contains the defaults for sysvol. The sysvol ACLS info.....
Anything else that could be done? Do I need to do anything with the ACLs
mentioned (default-rights-sysvol.acl)? In Computer Management the sysvol
has all the permissions mentioned by the script.
Oleg
On 2021-03-16 13:09, L.P.H. van Belle via samba wrote:
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oleg Blyahher via
>> samba
>> Verzonden: dinsdag 16 maart 2021 12:23
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Sysvol issues after DC migration
>>
>> I've followed Rowland's advice regarding removing uidNumber and
>> gidNumber from all the aforementioned users and groups.
>>
>> It did help me a little bit on the way - I can now change the sysvol
>> SHARE permissions, but nothing else :/
>>
>> idmap.ldb *does *contain an object as described in Rowland's last email,
>> with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>
>> Louis, could you please elaborate? I just want to make sure I understood
>> you correctly.
>>
>> After removing uidNumber and gidNumber from the Administrator, guest,
>> and all the groups mentioned, I need to run
>>
>> chown -R root:root
>>
>> on
>>
>> /var/lib/samba/sysvol/my-domain.com
>>
>> ?
> yes, and depending on the samba version you can use samba-tool sysvolreset.
>
>> What's the next step? Or would that be enough? Do I need to delete the
>> folders within the Policies directory?
> thats not needed.
>
>> I can also see, in the GPO editor, that if I select "Default Domain
>> Policy", it says "The permission for thi GPO in the SYSVOL folder are
>> inconsisten with those in AD". This does not happen when I click on a
>> GPO that was manually created on the previous DC. In case that helps..
> that inconsistend will be fixed if you do that within the Gpo editor.
>
> run this and veryfy the output
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> Greetz,
>
> Louis
>
>
>> Oleg
>>
>>
>> On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
>>> You need to reset this in total.
>>>
>>> If you had at first UID 2500 for Administrator,
>>> then the owner still is UID 2500 and its all restriced,
>>> you must enforce it to change it to root.
>>>
>>> setfacl -b -R ....
>>> often i also do
>>> chown -R root:root to make sure root is the owner now.
>>> and reapply them again.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
>> via
>>>> samba
>>>> Verzonden: dinsdag 16 maart 2021 11:09
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] Sysvol issues after DC migration
>>>>
>>>> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
>>>>> I've removed uidNumber from the Administrator user (it had 2500).
>>>>> Still getting the same "Access is denied" when trying to change
>>>>> things, and can't set the owner.
>>>>>
>>>>> The Administrator user also has the gidNumber 512, if that helps
>>>>> anything.
>>>> It sounds like someone has given everything a uidNumber or gidNumber,
>>>> try checking the following users for a uidNumber or gidNumber
>> attribute:
>>>> administrator
>>>> guest
>>>> krbtgt
>>>>
>>>> Remove any that you find. Do the same for these groups:
>>>>
>>>> cert publishers
>>>> ras and ias servers
>>>> allowed rodc password replication group
>>>> denied rodc password replication group
>>>> enterprise read-only domain controllers
>>>> domain admins
>>>> domain guests
>>>> domain computers
>>>> domain controllers
>>>> schema admins
>>>> enterprise admins
>>>> group policy creator owners
>>>> read-only domain controllers
>>>>
>>>> Then run 'net cache flush' on all Unix domain members.
>>>>
>>>> If you still cannot use Administrator to change things on a Samba DC,
>>>> then check if idmap.ldb contains an object similar to this:
>>>>
>>>> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>> objectClass: sidMap
>>>> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>> type: ID_TYPE_UID
>>>> xidNumber: 0
>>>> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>>
>>>> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list