[Samba] Sysvol issues after DC migration

Oleg Blyahher oleg.blyahher at bluetest.se
Tue Mar 16 15:09:30 UTC 2021


Hi,

After running *samba-tool ntacl sysvolreset* everything is now MUCH 
better. I can edit GPO and sysvol permissions without problems. Thank you!

I did get some errors though, when running this:

connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' 
and 'force unknown acl user = true' for service sysvol
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is 
not found.')
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 
186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
415, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
line 1782, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
line 1676, in set_gpos_acl
     passdb=passdb)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
line 1637, in set_dir_acl
     setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, 
skip_invalid_chown=True, passdb=passdb, service=service)
   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 238, in 
setntacl
     service=service, session_info=session_info)

If I run samba-tool ntacl sysvolcheck I get this error:

ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO file 
/var/lib/samba/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Registry.pol 
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 
186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
446, in run
     lp)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
line 1905, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
line 1855, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
line 1809, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO file %s %s does not match 
expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))

If I run the script you mentioned:

INFO 2021-03-16 16:03:48,635 pid:5074 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2021-03-16 16:03:48,636 pid:5074 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
The sysvol ACLS info.....

Anything else that could be done? Do I need to do anything with the ACLs 
mentioned (default-rights-sysvol.acl)? In Computer Management the sysvol 
has all the permissions mentioned by the script.

Oleg


On 2021-03-16 13:09, L.P.H. van Belle via samba wrote:
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg Blyahher via
>> samba
>> Sent: Tuesday 16 March 2021 12:23
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Sysvol issues after DC migration
>>
>> I've followed Rowland's advice regarding removing uidNumber and
>> gidNumber from all the aforementioned users and groups.
>>
>> It did help me a little bit on the way - I can now change the sysvol
>> SHARE permissions, but nothing else :/
>>
>> idmap.ldb *does* contain an object as described in Rowland's last email,
>> with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>
>> Louis, could you please elaborate? I just want to make sure I understood
>> you correctly.
>>
>> After removing uidNumber and gidNumber from the Administrator, guest,
>> and all the groups mentioned, I need to run
>>
>> chown -R root:root
>>
>> on
>>
>> /var/lib/samba/sysvol/my-domain.com
>>
>> ?
> Yes, and depending on the Samba version you can use samba-tool sysvolreset.
>
>> What's the next step? Or would that be enough? Do I need to delete the
>> folders within the Policies directory?
> That's not needed.
>
>> I can also see, in the GPO editor, that if I select "Default Domain
>> Policy", it says "The permissions for this GPO in the SYSVOL folder are
>> inconsistent with those in AD". This does not happen when I click on a
>> GPO that was manually created on the previous DC. In case that helps..
> That inconsistency will be fixed if you do that within the GPO editor.
>
> Run this and verify the output:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> Greetz,
>
> Louis
>
>
>> Oleg
>>
>>
>> On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
>>> You need to reset this in total.
>>>
>>> If you had at first UID 2500 for Administrator,
>>> then the owner still is UID 2500 and it's all restricted,
>>> you must enforce it to change it to root.
>>>
>>> setfacl -b -R ....
>>> often i also do
>>> chown -R root:root  to make sure root is the owner now.
>>> and reapply them again.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> via
>>>> samba
>>>> Sent: Tuesday 16 March 2021 11:09
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Sysvol issues after DC migration
>>>>
>>>> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
>>>>> I've removed uidNumber from the Administrator user (it had 2500).
>>>>> Still getting the same "Access is denied" when trying to change
>>>>> things, and can't set the owner.
>>>>>
>>>>> The Administrator user also has the gidNumber 512, if that helps
>>>>> anything.
>>>> It sounds like someone has given everything a uidNumber or gidNumber,
>>>> try checking the following users for a uidNumber or gidNumber
>> attribute:
>>>> administrator
>>>> guest
>>>> krbtgt
>>>>
>>>> Remove any that you find. Do the same for these groups:
>>>>
>>>> cert publishers
>>>> ras and ias servers
>>>> allowed rodc password replication group
>>>> denied rodc password replication group
>>>> enterprise read-only domain controllers
>>>> domain admins
>>>> domain guests
>>>> domain computers
>>>> domain controllers
>>>> schema admins
>>>> enterprise admins
>>>> group policy creator owners
>>>> read-only domain controllers
>>>>
>>>> Then run 'net cache flush' on all Unix domain members.
>>>>
>>>> If you still cannot use  Administrator to change things on a Samba DC,
>>>> then check if idmap.ldb contains an object similar to this:
>>>>
>>>> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>> objectClass: sidMap
>>>> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>> type: ID_TYPE_UID
>>>> xidNumber: 0
>>>> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>>>>
>>>> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>
>

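The sysvolcheck failure quoted above prints the on-disk security descriptor and the one derived from the GPO object in AD as two whole SDDL strings and stops at the first file that differs, which makes it hard to see what is actually wrong. What follows is an added example, not code from the thread or from Samba: a small SDDL parser that takes those two strings (copied verbatim from the error) and reports the mismatch ACE by ACE. It handles only the subset of SDDL that appears in the error (alias or SID trustees, DACL flags P/AR/AI, non-conditional ACEs with hex access masks); the alias and access-mask names are the standard Microsoft ones.

```python
"""Diff two SDDL descriptors the way a sysvolcheck mismatch needs to be read.

Added example; the parser is minimal and written for this illustration, not
Samba's own code.  The two SDDL strings are copied from the sysvolcheck error
in the thread; everything else here is an assumption of the example.
"""
import re
from dataclasses import dataclass

# Copied verbatim from the sysvolcheck error above ("DB ACL ..." / "expected value ...").
ACTUAL_SDDL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
               "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL aliases for the trustees seen above.
ALIASES = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "DU": "Domain Users", "SY": "SYSTEM",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
           "CO": "CREATOR OWNER"}
# Access masks seen above: FILE_ALL_ACCESS and FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
RIGHTS = {"0x001f01ff": "Full control", "0x001200a9": "Read & execute"}

_TRUSTEE = re.compile(r"S-1-[0-9-]+|[A-Z]{2}")          # SID or two-letter alias
_ACL = re.compile(r"((?:AR|AI|P)*)((?:\([^()]*\))*)")   # ACL flags, then the ACE list
_ACE = re.compile(r"\(([^()]*)\)")


@dataclass(frozen=True)
class Ace:
    type: str          # A = access allowed, D = access denied, ...
    flags: frozenset   # inheritance flags such as OI, CI, IO, ID
    rights: str        # access mask normalised to "0x%08x"
    trustee: str       # alias or SID


@dataclass
class Descriptor:
    owner: str = None
    group: str = None
    dacl_flags: frozenset = frozenset()
    aces: tuple = ()


def _parse_ace(body: str) -> Ace:
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"unsupported ACE (conditional ACEs not handled): ({body})")
    ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
    if not rights.lower().startswith("0x"):
        raise ValueError(f"only hex access masks are handled: {rights}")
    return Ace(ace_type, frozenset(flags[i:i + 2] for i in range(0, len(flags), 2)),
               f"0x{int(rights, 16):08x}", trustee)


def parse_sddl(sddl: str) -> Descriptor:
    """Parse O:/G:/D:/S: components; the SACL is consumed but not kept."""
    d, pos = Descriptor(), 0
    while pos < len(sddl):
        key = sddl[pos:pos + 2]
        if key not in ("O:", "G:", "D:", "S:"):
            raise ValueError(f"unexpected token at offset {pos}: {sddl[pos:pos + 8]!r}")
        pos += 2
        if key in ("O:", "G:"):
            m = _TRUSTEE.match(sddl, pos)
            if not m:
                raise ValueError(f"bad owner/group at offset {pos}")
            setattr(d, "owner" if key == "O:" else "group", m.group(0))
        else:
            m = _ACL.match(sddl, pos)
            if key == "D:":
                d.dacl_flags = frozenset(re.findall(r"AR|AI|P", m.group(1)))
                d.aces = tuple(_parse_ace(b) for b in _ACE.findall(m.group(2)))
        pos = m.end()
    return d


def sddl_diff(actual_sddl: str, expected_sddl: str) -> dict:
    """Where the on-disk descriptor deviates from the one AD expects."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)

    def by_key(desc):  # (type, rights, trustee) -> union of flags over duplicate ACEs
        out = {}
        for ace in desc.aces:
            out.setdefault((ace.type, ace.rights, ace.trustee), set()).update(ace.flags)
        return out

    ak, ek = by_key(a), by_key(e)
    return {
        "owner": None if a.owner == e.owner else (a.owner, e.owner),
        "group": None if a.group == e.group else (a.group, e.group),
        "dacl_flags": None if a.dacl_flags == e.dacl_flags
        else (sorted(a.dacl_flags), sorted(e.dacl_flags)),
        "extra": sorted(k for k in ak if k not in ek),        # on disk, not in AD
        "missing": sorted(k for k in ek if k not in ak),      # in AD, not on disk
        "flag_mismatch": sorted(k for k in ak if k in ek and ak[k] != ek[k]),
    }


def explain(diff: dict) -> list:
    """Render the diff as one readable line per finding."""
    def name(k):
        return f"{k[0]} {RIGHTS.get(k[1], k[1])} for {ALIASES.get(k[2], k[2])}"
    lines = []
    if diff["owner"]:
        lines.append("owner is %s, AD expects %s" % tuple(ALIASES.get(x, x) for x in diff["owner"]))
    if diff["group"]:
        lines.append("group is %s, AD expects %s" % tuple(ALIASES.get(x, x) for x in diff["group"]))
    if diff["dacl_flags"]:
        lines.append(f"DACL flags {diff['dacl_flags'][0]} vs expected {diff['dacl_flags'][1]}")
    lines += [f"extra ACE on disk: {name(k)}" for k in diff["extra"]]
    lines += [f"ACE missing on disk: {name(k)}" for k in diff["missing"]]
    lines += [f"inheritance flags differ: {name(k)}" for k in diff["flag_mismatch"]]
    return lines


if __name__ == "__main__":
    for line in explain(sddl_diff(ACTUAL_SDDL, EXPECTED_SDDL)):
        print(line)
```

Run against the two strings from the error, the output shows that the Registry.pol file is owned by BUILTIN\Administrators rather than Domain Admins, that its DACL lacks the P/AR flags, that a full-control entry for BUILTIN\Administrators has taken the place of the inherit-only CREATOR OWNER entry, and that none of the on-disk ACEs carry the OI/CI inheritance flags AD expects. That last point is what the GPO editor's "permissions ... are inconsistent with those in AD" warning reflects; a reset that only fixes ownership without reapplying the inheritance flags would still fail this check.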