[Samba] Sysvol issues after DC migration

L.P.H. van Belle belle at bazuin.nl
Tue Mar 16 15:23:00 UTC 2021


Yes, my script does not change anything, but the output of it shows the
steps you can do.

If all already show the same settings, then it's not really needed to run it.
But it does not hurt; you can rerun samba-tool ntacl sysvolreset again if
needed. The script makes sure all folders are set correctly (recursively).

On the errors below, can you try to click on all GPOs in Windows.
If one is off, Windows will tell you, and you can click there and it's corrected.

If the errors stay and the Windows event log also shows GPO errors, then get the event IDs as well and post these.


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg Blyahher via samba
> Sent: Tuesday 16 March 2021 16:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol issues after DC migration
> 
> Hi,
> 
> After running samba-tool ntacl sysvolreset, everything is now MUCH
> better. I can edit GPO and sysvol permissions without problems. Thank
> you!
> 
> I did get some errors though, when running this:
> 
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is
> not found.')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 415, in run
>      lp, use_ntvfs=use_ntvfs)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1782, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1676, in set_gpos_acl
>      passdb=passdb)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1637, in set_dir_acl
>      setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs,
> skip_invalid_chown=True, passdb=passdb, service=service)
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 238, in
> setntacl
>      service=service, session_info=session_info)
> 
> If I run samba-tool ntacl sysvolcheck I get this error:
> 
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO file
> /var/lib/samba/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-
> 00C04FB984F9}/Machine/Registry.pol
> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;
> 0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x0
> 01f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001
> 200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 446, in run
>      lp)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1905, in checksysvolacl
>      direct_db_access)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1855, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1809, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO file %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access),
> os.path.join(root, name), fsacl_sddl, acl))
> 
> If I run the script you mentioned:
> 
> INFO 2021-03-16 16:03:48,635 pid:5074 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2021-03-16 16:03:48,636 pid:5074 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
> The sysvol ACLS info.....
> 
> Anything else that could be done? Do I need to do anything with the ACLs
> mentioned (default-rights-sysvol.acl)? In Computer Management the sysvol
> has all the permissions mentioned by the script.
> 
> Oleg
> 
> 
> On 2021-03-16 13:09, L.P.H. van Belle via samba wrote:
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg Blyahher via samba
> >> Sent: Tuesday 16 March 2021 12:23
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Sysvol issues after DC migration
> >>
> >> I've followed Rowland's advice regarding removing uidNumber and
> >> gidNumber from all the aforementioned users and groups.
> >>
> >> It did help me a little bit on the way - I can now change the sysvol
> >> SHARE permissions, but nothing else :/
> >>
> >> idmap.ldb does contain an object as described in Rowland's last email,
> >> with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> >>
> >> Louis, could you please elaborate? I just want to make sure I understood
> >> you correctly.
> >>
> >> After removing uidNumber and gidNumber from the Administrator, guest,
> >> and all the groups mentioned, I need to run
> >>
> >> chown -R root:root
> >>
> >> on
> >>
> >> /var/lib/samba/sysvol/my-domain.com
> >>
> >> ?
> > Yes, and depending on the samba version you can use samba-tool
> > sysvolreset.
> >
> >> What's the next step? Or would that be enough? Do I need to delete the
> >> folders within the Policies directory?
> > That's not needed.
> >
> >> I can also see, in the GPO editor, that if I select "Default Domain
> >> Policy", it says "The permissions for this GPO in the SYSVOL folder are
> >> inconsistent with those in AD". This does not happen when I click on a
> >> GPO that was manually created on the previous DC. In case that helps..
> > That inconsistency will be fixed if you do that within the GPO editor.
> >
> > Run this and verify the output:
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> Oleg
> >>
> >>
> >> On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
> >>> You need to reset this in total.
> >>>
> >>> If you had at first UID 2500 for Administrator,
> >>> then the owner still is UID 2500 and it's all restricted;
> >>> you must enforce it to change it to root.
> >>>
> >>> setfacl -b -R ....
> >>> Often I also do
> >>> chown -R root:root  to make sure root is the owner now,
> >>> and reapply them again.
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland
> >>>> penny via samba
> >>>> Sent: Tuesday 16 March 2021 11:09
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Sysvol issues after DC migration
> >>>>
> >>>> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> >>>>> I've removed uidNumber from the Administrator user (it had 2500).
> >>>>> Still getting the same "Access is denied" when trying to change
> >>>>> things, and can't set the owner.
> >>>>>
> >>>>> The Administrator user also has the gidNumber 512, if that helps
> >>>>> anything.
> >>>> It sounds like someone has given everything a uidNumber or gidNumber,
> >>>> try checking the following users for a uidNumber or gidNumber attribute:
> >>>> administrator
> >>>> guest
> >>>> krbtgt
> >>>>
> >>>> Remove any that you find. Do the same for these groups:
> >>>>
> >>>> cert publishers
> >>>> ras and ias servers
> >>>> allowed rodc password replication group
> >>>> denied rodc password replication group
> >>>> enterprise read-only domain controllers
> >>>> domain admins
> >>>> domain guests
> >>>> domain computers
> >>>> domain controllers
> >>>> schema admins
> >>>> enterprise admins
> >>>> group policy creator owners
> >>>> read-only domain controllers
> >>>>
> >>>> Then run 'net cache flush' on all Unix domain members.
> >>>>
> >>>> If you still cannot use Administrator to change things on a Samba DC,
> >>>> then check if idmap.ldb contains an object similar to this:
> >>>>
> >>>> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> >>>> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> >>>> objectClass: sidMap
> >>>> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> >>>> type: ID_TYPE_UID
> >>>> xidNumber: 0
> >>>> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> >>>>
> >>>> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >
> >
> 
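Two pieces of the thread are worth being able to read offline: the SDDL pair that `samba-tool ntacl sysvolcheck` prints when the on-disk ACL of a GPO file does not match the one stored in AD, and Rowland's list of built-in accounts that must not carry uidNumber/gidNumber on a Samba DC. The script below is an added example, not code from the thread, from Louis's samba-check-set-sysvol.sh, or from Samba itself. It assumes the SDDL strings follow the usual `O:..G:..D:flags(ace)(ace)` layout (ACTUAL and EXPECTED are the two strings quoted above for Registry.pol, re-joined from the mail wrapping) and that ldbsearch prints one LDIF record per entry (SAMPLE_LDIF is constructed for the example; only the Administrator gidNumber 512 comes from the thread).

```python
"""Offline helpers for the two checks discussed in this thread.

Added example, not code from the thread, samba-check-set-sysvol.sh or Samba.
Assumptions: sysvolcheck SDDL strings use the O:..G:..D:flags(ace)(ace)
layout; ldbsearch prints one LDIF record per entry (SAMPLE_LDIF is constructed).
"""
import re

# SDDL ACE fields are type;flags;rights;object_guid;inherit_guid;sid.
# The GUID fields are empty in sysvol ACLs, so an ACE is kept as
# (type, flags, rights, sid).
SDDL_RE = re.compile(
    r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<flags>[A-Z]*)(?P<aces>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")

# The two strings from the sysvolcheck error quoted in the thread.
ACTUAL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = body.split(";")
        aces.append((ace_type, flags, rights, sid))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def diff_sddl(actual, expected):
    """Explain a sysvolcheck mismatch: header fields that differ, ACEs missing
    from / extra on disk, and pairs that differ only in inheritance flags
    (OI = object inherit, CI = container inherit, IO = inherit only)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {}
    for field in ("owner", "group", "dacl_flags"):
        if a[field] != e[field]:
            report[field] = (a[field], e[field])
    a_aces, e_aces = set(a["aces"]), set(e["aces"])
    report["missing_aces"] = sorted(e_aces - a_aces)
    report["extra_aces"] = sorted(a_aces - e_aces)
    # Same type, rights and trustee on both sides: only the flags differ.
    report["flag_only"] = sorted(
        (x, y) for x in report["extra_aces"] for y in report["missing_aces"]
        if (x[0], x[2], x[3]) == (y[0], y[2], y[3]))
    return report


# Rowland's list from the thread; compared case-insensitively.
NO_POSIX_IDS = {
    "administrator", "guest", "krbtgt", "cert publishers", "ras and ias servers",
    "allowed rodc password replication group", "denied rodc password replication group",
    "enterprise read-only domain controllers", "domain admins", "domain guests",
    "domain computers", "domain controllers", "schema admins", "enterprise admins",
    "group policy creator owners", "read-only domain controllers",
}


def find_posix_ids(ldif):
    """Return (sAMAccountName, attribute, value) for listed accounts that still
    carry uidNumber or gidNumber in an ldbsearch LDIF dump."""
    hits = []
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        name = attrs.get("samaccountname", [""])[0]
        if name.lower() not in NO_POSIX_IDS:
            continue
        for attr in ("uidNumber", "gidNumber"):
            for value in attrs.get(attr.lower(), []):
                hits.append((name, attr, value))
    return hits


# Constructed sample (not from the thread) in the shape of an ldbsearch dump.
SAMPLE_LDIF = """\
# record 1
dn: CN=Administrator,CN=Users,DC=my-domain,DC=com
sAMAccountName: Administrator
gidNumber: 512

# record 2
dn: CN=Domain Admins,CN=Users,DC=my-domain,DC=com
sAMAccountName: Domain Admins
gidNumber: 10512

# record 3
dn: CN=oleg,CN=Users,DC=my-domain,DC=com
sAMAccountName: oleg
uidNumber: 10001
gidNumber: 513
"""

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(key, value)
    for name, attr, value in find_posix_ids(SAMPLE_LDIF):
        print("remove %s from %s (currently %s)" % (attr, name, value))
```

Run against the thread's strings, the report shows what the mismatch actually is: owner BA instead of DA, group DU instead of DA, no P/AR control flags on the DACL, and every ACE present without the OI/CI inheritance flags, plus a stray BA entry and a missing CREATOR OWNER (CO) entry. That is the shape of an ACL written by hand with chown/setfacl rather than from the GPO object, which is why the thread ends up at `samba-tool ntacl sysvolreset`. For the second check, the LDIF on a real DC would come from something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber` (my command, not one given in the thread); the script only reports, the removal is still done as described above, followed by `net cache flush` on the Unix domain members. The normal user in the sample keeps its uidNumber, as it should.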