[Samba] Samba4.9.5 AD DC SYSVOL

Matt aquadot at IONData.Systems
Fri Feb 18 22:22:48 UTC 2022


On Fri, 2022-02-18 at 22:08 +0000, Rowland Penny via samba wrote:
> On Fri, 2022-02-18 at 13:59 -0800, Matt via samba wrote:
> > On Fri, 2022-02-18 at 14:38 -0700, David Mulder via samba wrote:
> > > On 2/18/22 2:16 PM, Matt via samba <samba at lists.samba.org> wrote:
> > > > Somewhere along the way my SYSVOL permissions got messed up. I can't
> > > > change anything from windows as a domain admin user. I get a message
> > > > that I don't have permissions. I'm not sure even where to begin with
> > > > this problem and any direction would be appreciated.
> > > > 
> > > 
> > > Try doing a `samba-tool ntacl sysvolreset`
> > > 
> > I did try that but it didn't help. I did read in some places about
> > being cautious with that if you already have GPOs, which I do. I wonder
> > if that may be why this is no longer working.
> > 
> > I just removed the requirement from the samba share configuration on
> > sysvol to limit to root. Maybe I've broken something in the mapping of
> > "Domain Admins" to root?
> 
> There is only a problem with sysvolreset if you do two things:
> Add any extra GPO's
> Give 'Domain Admins' a gidNumber attribute
> 
I'm not aware of how to give 'Domain Admins' a gidNumber attribute. Is
this something that can happen inadvertently through another action, or
is it an explicit action?
> You also shouldn't map 'Domain Admins' to root (incidentally, how have
> you done this ?)
> 
This was a wild guess. I vaguely remember from back in the day having
to map unix users to windows users.

> It may help if you post your smb.conf from the DC and explain any
> changes you may have made to the DC.
> 
The only changes I am aware of were running "samba-tool ntacl
sysvolcheck" and "samba-tool ntacl sysvolreset".

Removing the "valid users = root" line and adding "vfs objects =
dfs_samba4 acl_attr full_audit" seems to have given access back to
sysvol.

My config is below:

[global]
        dns forwarder = 205.171.3.26 205.171.2.26
        name resolve order = wins host bcast
        ntlm auth = ntlmv1-permitted
        passdb backend = samba_dsdb
        realm = COWPOKES.COWBOYSTATETRUCKING.COM
        server role = active directory domain controller
        workgroup = COWPOKES
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/cowpokes.cowboystatetrucking.com/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4 acl_attr full_audit

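As an added example (not part of this thread and not Samba's own tooling), the pre-flight check I would run on a DC before touching `samba-tool ntacl sysvolreset`. It parses an smb.conf and an `ldbsearch`-style LDIF dump of the group object and reports the conditions raised in the thread: a `valid users` restriction on `[sysvol]`, a `vfs objects` entry whose name is not a VFS module the share can load (the ACL module is `acl_xattr`; a share listing `acl_attr` runs without it), and a `gidNumber` on 'Domain Admins', which together with extra GPOs is the case where sysvolreset causes trouble. The config excerpt and the LDIF are constructed for the example (the `valid users = root` line the poster removed is put back so the check has something to find); the DN, the `KNOWN_VFS_MODULES` list and the minimal parsers are assumptions of this example, not Samba's parsers.

```python
"""Sysvol pre-flight checks for a Samba AD DC (added example, not Samba code)."""
from typing import Dict, List

# VFS module names that appear on the page. Any other name in a `vfs objects`
# line is reported: a module Samba cannot load leaves the share without the ACL
# handling the admin believes is active. (Assumed list for this example.)
KNOWN_VFS_MODULES = {"dfs_samba4", "acl_xattr", "full_audit"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {option: value}} with lower-cased keys.
    Handles indented options, '#'/';' comments and 'module:param = value' keys."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldbsearch-style LDIF into a list of {attribute: [values]}; '#' lines skipped."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():          # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = raw.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def group_has_gidnumber(ldif_text: str, cn: str = "Domain Admins") -> bool:
    """True if the group entry whose cn is `cn` carries a gidNumber attribute."""
    for entry in parse_ldif(ldif_text):
        if cn.lower() in [v.lower() for v in entry.get("cn", [])]:
            return "gidnumber" in entry
    return False


def sysvol_findings(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Configuration findings that bear on sysvol access."""
    findings: List[str] = []
    for section, opts in conf.items():
        for module in opts.get("vfs objects", "").split():
            if module not in KNOWN_VFS_MODULES:
                findings.append(f"[{section}] vfs objects: unknown module '{module}'")
    sysvol = conf.get("sysvol", {})
    if "valid users" in sysvol:
        findings.append(f"[sysvol] 'valid users = {sysvol['valid users']}' restricts the share")
    # A share-level `vfs objects` replaces the global one rather than extending it.
    active = sysvol.get("vfs objects", conf.get("global", {}).get("vfs objects", ""))
    if "acl_xattr" not in active.split():
        findings.append("[sysvol] acl_xattr is not active on the share")
    return findings


def preflight(conf_text: str, ldif_text: str) -> List[str]:
    """All findings to review before `samba-tool ntacl sysvolreset`. The other
    half of the condition from the thread (extra GPOs present) is known to the admin."""
    findings = sysvol_findings(parse_smb_conf(conf_text))
    if group_has_gidnumber(ldif_text):
        findings.append("'Domain Admins' has a gidNumber: with extra GPOs present, "
                        "sysvolreset is known to cause problems")
    return findings


# Constructed excerpt modelled on the config in the message, with the
# `valid users = root` line that was later removed put back in.
SMB_CONF_BEFORE = """\
[global]
        realm = COWPOKES.COWBOYSTATETRUCKING.COM
        server role = active directory domain controller
        rpc_server:tcpip = no
        idmap_ldb:use rfc2307 = yes
        vfs objects = dfs_samba4 acl_xattr

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        valid users = root
        vfs objects = dfs_samba4 acl_attr full_audit
"""

# Constructed ldbsearch-style output for the group, with a gidNumber set.
LDIF_WITH_GID = """\
# record 1
dn: CN=Domain Admins,CN=Users,DC=cowpokes,DC=cowboystatetrucking,DC=com
objectClass: group
cn: Domain Admins
gidNumber: 10000

# returned 1 records
"""

if __name__ == "__main__":
    for finding in preflight(SMB_CONF_BEFORE, LDIF_WITH_GID):
        print(finding)
```

On a live DC the two inputs would come from the DC's own smb.conf and from an `ldbsearch` against the sam.ldb for the group object; the parsers here are deliberately small and do not reproduce every rule of Samba's own config parser (for instance it ignores whitespace inside option names, which this one does not).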