karel.de.macil at free.fr
2021-Jan-08 12:48 UTC
[Samba] sysvol right error and how to correct it.
Hi all,

Having some trouble with my Samba 4 AD GPOs: I launched a sysvol reset BEFORE reading that it was wrong. I'm attempting to fix things now following this page:

https://wiki.samba.org/index.php/Sysvolreset

but things don't go well and I'm stuck.

My AD has two DCs:

- 1: a Debian 8.11 jessie with Samba 4.2.14
- 2: a Debian bullseye with Samba 4.13.2

Current situation is:

- any attempt to create a new GPO gets a "Group Policy Object Creation Failed - This security ID may not be assigned as the owner of this object" message
- when I try to change folder permissions on sysvol for the second DC from a Windows computer, the permissions displayed instantly reset to no permission as soon as I apply them, BUT they still appear in the advanced permissions management window...
- when I go to my /var/lib/samba/sysvol/domain/Policies directory I have something like this:

    drwxrwxr--+ 5 3000008 3000008 4,0K sept. 24  2014 {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
    drwxrwxr--+ 4   10001   20012 4,0K mai   21  2019 {D2391757-C80E-4063-852F-990A3BBEC517}
    drwxrwxr--+ 4 3000008 3000008 4,0K mai    9  2014 {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
    drwxrwxr--+ 4   10001   20012 4,0K juil.  3  2015 {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}

    wbinfo --gid-to-sid=3000008
    S-1-5-21-2718981395-2814295682-4030710678-512
    wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
    Domain\Domain Admins 2
    wbinfo --gid-to-sid=20012
    S-1-5-21-2718981395-2814295682-4030710678-512
    wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
    Domain\Domain Admins 2
    wbinfo --gid-to-sid=10001
    S-1-22-2-10001
    wbinfo --sid-to-name=S-1-22-2-10001
    failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup sid S-1-22-2-10001
    wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
    20012

strange...

So, my questions are:

- is there a way to fix the "two GIDs leading to the same SID" thing? Any clue on what could have led to a change?
- should I change the owner of the GPOs I have with the 10001 user, considering the fact that this corresponds to no real user?
- is there a way to fix my sysvol rights so I can create GPOs again?
- in the worst-case scenario, is there a way to recreate sysvol with no GPO inside BUT with some correct rights?
- subsidiary question, but linked to the previous one:
  - does anyone know (or can lead me to some documentation on the subject) how to understand the answer given by the samba-tool ntacl get command, such as this one:

    samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
    O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO)

  - does anyone know what Linux user and group should own /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain, /var/lib/samba/sysvol/domain/Policies?
  - does anyone know what Windows user and group should own /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain, /var/lib/samba/sysvol/domain/Policies?

As usual, any advice, any help will be most welcome.
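To read a `samba-tool ntacl get --as-sddl` descriptor like the one above, here is an added example (editor's code, not from the post or from Samba). It splits the SDDL string into owner, group, DACL control flags and ACEs, expands each hex access mask into its winnt.h bit names, and translates the two-letter SID aliases into the well-known principals they stand for. The alias table and the access-mask bit names are the standard Windows definitions; the parser never contacts a DC, so it runs anywhere. The descriptor from the post is embedded as `SYSVOL_SDDL`.

```python
import re
from dataclasses import dataclass

# The descriptor posted above: `samba-tool ntacl get /var/lib/samba/sysvol --as-sddl`
SYSVOL_SDDL = ("O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)"
               "(A;OICI;0x001200a9;;;SO)")

# Two-letter SID aliases used in SDDL (the ones seen on sysvol plus common neighbours).
SID_ALIASES = {
    "WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group",
    "AU": "Authenticated Users", "SY": "Local System",
    "LA": "Local Administrator (the domain Administrator account)",
    "BA": "Builtin Administrators", "BU": "Builtin Users", "SO": "Server Operators",
    "DA": "Domain Admins", "DU": "Domain Users", "EA": "Enterprise Admins",
}
DACL_CONTROL = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS",
             "FA": "FAILED_ACCESS"}
# Letter forms of the rights field; samba-tool prints hex masks, but both are accepted.
RIGHTS_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
                  "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# File/directory access-mask bits, winnt.h names (file meaning / directory meaning).
ACCESS_BITS = [
    (0x00000001, "READ_DATA/LIST_DIRECTORY"), (0x00000002, "WRITE_DATA/ADD_FILE"),
    (0x00000004, "APPEND_DATA/ADD_SUBDIRECTORY"), (0x00000008, "READ_EA"),
    (0x00000010, "WRITE_EA"), (0x00000020, "EXECUTE/TRAVERSE"),
    (0x00000040, "DELETE_CHILD"), (0x00000080, "READ_ATTRIBUTES"),
    (0x00000100, "WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]
FULL_CONTROL = 0x001F01FF

SD_RE = re.compile(r"^O:([\w-]+)G:([\w-]+)D:([A-Z]*)((?:\([^)]*\))*)(?:S:.*)?$")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def split_tokens(run, table):
    """Split a flag run into table keys, two letters first: 'OICIIO' -> OI CI IO, 'PAI' -> P AI."""
    out, i = [], 0
    while i < len(run):
        tok = run[i:i + 2] if run[i:i + 2] in table else run[i]
        if tok not in table:
            raise ValueError(f"unknown SDDL flag at {run[i:]!r}")
        out.append(tok)
        i += len(tok)
    return out


def parse_rights(field):
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for tok in split_tokens(field, RIGHTS_ALIASES):
        mask |= RIGHTS_ALIASES[tok]
    return mask


def decode_mask(mask):
    if mask == FULL_CONTROL:
        return ["FULL_CONTROL"]
    return [name for bit, name in ACCESS_BITS if mask & bit]


def alias_name(sid):
    return SID_ALIASES.get(sid, sid)


@dataclass
class Ace:
    ace_type: str
    flags: list
    mask: int
    trustee: str  # alias such as 'WD', or a literal S-1-... SID

    def applies_to_object_itself(self):
        # An INHERIT_ONLY ACE grants nothing on the folder that carries it; it only
        # seeds the ACL of children created beneath it (the CO and CG entries here).
        return "INHERIT_ONLY" not in self.flags


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_control: list
    aces: list


def parse_sddl(sddl):
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected an O:...G:...D:... SDDL string")
    owner, group, control, ace_run = m.groups()
    aces = [Ace(ACE_TYPES.get(t, t), [ACE_FLAGS[f] for f in split_tokens(flags, ACE_FLAGS)],
                parse_rights(rights), sid)
            for t, flags, rights, _obj, _inh_obj, sid in ACE_RE.findall(ace_run)]
    return SecurityDescriptor(owner, group,
                              [DACL_CONTROL[c] for c in split_tokens(control, DACL_CONTROL)],
                              aces)


def full_control_trustees(sd):
    """Trustees holding FULL_CONTROL on the object itself (inherit-only ACEs excluded)."""
    return [a.trustee for a in sd.aces if a.mask == FULL_CONTROL and a.applies_to_object_itself()]


def explain(sddl):
    sd = parse_sddl(sddl)
    lines = [f"owner: {sd.owner} ({alias_name(sd.owner)})",
             f"group: {sd.group} ({alias_name(sd.group)})",
             f"DACL : {', '.join(sd.dacl_control)}"]
    for a in sd.aces:
        lines.append(f"  {a.ace_type:<5} {a.trustee:<3} {alias_name(a.trustee):<22} 0x{a.mask:08x}"
                     f" [{' '.join(a.flags)}] {' | '.join(decode_mask(a.mask))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(SYSVOL_SDDL))
```

Run against the posted string this gives: owner LA (the Administrator account), group BA (Builtin Administrators), DACL PROTECTED and AUTO_INHERITED, so the folder does not take ACEs from its parent. Everyone and Builtin Users get read (0x120089), Authenticated Users and Server Operators read plus traverse (0x1200a9), and Local System, LA and BA hold full control (0x1f01ff). The Creator Owner entry is INHERIT_ONLY: it grants nothing on /var/lib/samba/sysvol itself and only gives whoever creates a child object full control of that child, which is the mechanism a GPO creation relies on.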
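The "which Unix id maps to which SID" question in the post can be checked mechanically over the whole tree instead of one `wbinfo` call at a time. Added example (editor's code, not from the post or from Samba): it walks a sysvol directory, resolves every owner uid and group gid through `wbinfo --uid-to-sid` / `wbinfo --gid-to-sid`, flags entries whose owner or group does not resolve to a domain SID (Samba's S-1-22-1-x "Unix User" and S-1-22-2-x "Unix Group" fallback SIDs count as not resolved, which is what S-1-22-2-10001 above is), and reports any domain SID reached from more than one gid, the "two gids, one SID" situation. So that it runs offline, `SAMPLE_GIDS`, `SAMPLE_UIDS` and `SAMPLE_ENTRIES` are constructed from the listing and the wbinfo output in the post; the uid 10001 mapping is an assumption, since the post only looked that number up as a gid.

```python
import os
import subprocess
import sys
from dataclasses import dataclass

# Samba's fallback SIDs for Unix ids that have no domain mapping.
UNIX_USER_PREFIX = "S-1-22-1-"
UNIX_GROUP_PREFIX = "S-1-22-2-"
DOMAIN_PREFIX = "S-1-5-21-"


@dataclass
class Entry:
    path: str
    uid: int
    gid: int


def scan_sysvol(root):
    """Yield the Unix owner/group of every directory and file under a real sysvol."""
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            yield Entry(p, st.st_uid, st.st_gid)


def wbinfo_id_to_sid(kind, unix_id):
    """Resolve one id with `wbinfo --uid-to-sid=N` or `wbinfo --gid-to-sid=N`; None if winbind has no answer."""
    r = subprocess.run(["wbinfo", f"--{kind}-to-sid={unix_id}"], capture_output=True, text=True)
    if r.returncode != 0:
        return None
    return r.stdout.strip() or None


def classify(sid):
    if sid is None:
        return "unmapped"
    if sid.startswith(DOMAIN_PREFIX):
        return "domain"
    if sid.startswith((UNIX_USER_PREFIX, UNIX_GROUP_PREFIX)):
        return "unix-fallback"
    return "other"


def audit(entries, uid_to_sid, gid_to_sid):
    """Return (findings, duplicates).

    findings:   (path, 'uid'|'gid', unix_id, sid, classification) for every owner or
                group that is not a domain SID.
    duplicates: {('uid'|'gid', sid): [ids]} for SIDs reached from more than one id of
                the same kind. A uid and a gid sharing one SID is normal Samba AD
                idmap behaviour and is deliberately not reported.
    """
    findings, reached = [], {}
    for e in entries:
        for kind, unix_id, resolve in (("uid", e.uid, uid_to_sid), ("gid", e.gid, gid_to_sid)):
            sid = resolve(unix_id)
            kind_of = classify(sid)
            if kind_of != "domain":
                findings.append((e.path, kind, unix_id, sid, kind_of))
            if sid is not None:
                reached.setdefault((kind, sid), set()).add(unix_id)
    duplicates = {key: sorted(ids) for key, ids in reached.items() if len(ids) > 1}
    return findings, duplicates


# Constructed offline stand-ins built from the post's `ls` listing and wbinfo output.
DOMAIN_ADMINS = "S-1-5-21-2718981395-2814295682-4030710678-512"
SAMPLE_GIDS = {3000008: DOMAIN_ADMINS, 20012: DOMAIN_ADMINS, 10001: UNIX_GROUP_PREFIX + "10001"}
SAMPLE_UIDS = {3000008: DOMAIN_ADMINS, 10001: UNIX_USER_PREFIX + "10001"}  # uid 10001: assumed
SAMPLE_ENTRIES = [
    Entry("Policies/{D044195A-B603-4F3D-9A3D-D26CD8693AAE}", 3000008, 3000008),
    Entry("Policies/{D2391757-C80E-4063-852F-990A3BBEC517}", 10001, 20012),
    Entry("Policies/{D42A7541-4EE3-4F7F-9CE8-C7B933D79851}", 3000008, 3000008),
    Entry("Policies/{DEFA441E-1400-4E86-82FE-0C5C04B5E05F}", 10001, 20012),
]


def sample_audit():
    return audit(SAMPLE_ENTRIES, SAMPLE_UIDS.get, SAMPLE_GIDS.get)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /var/lib/samba/sysvol, on a DC with winbind running
        result = audit(scan_sysvol(sys.argv[1]),
                       lambda i: wbinfo_id_to_sid("uid", i), lambda i: wbinfo_id_to_sid("gid", i))
    else:
        result = sample_audit()
    findings, duplicates = result
    for f in findings:
        print("NOT DOMAIN:", *f)
    for (kind, sid), ids in duplicates.items():
        print(f"DUPLICATE {kind}s for {sid}: {ids}")
```

On the constructed sample it reports the two GPO directories owned by uid 10001 as unix-fallback and lists gids 20012 and 3000008 as both reaching the Domain Admins SID; on a real DC, pass the sysvol path as the first argument and the same checks run over live `wbinfo` answers.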
On 08/01/2021 12:48, karel de macil via samba wrote:
> [...]

In answer to your questions, then the answer would be 'yes, I do', but before we get deeper into this, can I ask you to do two things:

- Post your smb.conf files
- Transfer all the FSMO roles to your bullseye DC (if they are not already there), then demote the jessie DC, upgrade it to bullseye and join it to the domain again.

Rowland