I've removed uidNumber from the Administrator user (it had 2500). Still getting the same "Access is denied" when trying to change things, and can't set the owner.

The Administrator user also has the gidNumber 512, if that helps anything.

What do I do next?

Oleg

On 2021-03-15 20:43, Rowland penny via samba wrote:
> On 15/03/2021 19:30, Oleg Blyahher via samba wrote:
>> Ok, thanks Rowland. I've made it further now, and the script runs to the point it tells me the following:
>>
>> Set your sysvol SHARE permissions as followed.
>> EVERYONE: READ
>> Authenticated Users: FULL CONTROL
>> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
>> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>> User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
>> Set your sysvol FOLDER permissions as followed.
>> Authenticated Users: Read & Exec, Show folder content, Read
>> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
>> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>>
>>
>> I've opened up Computer Management as the domain admin, but I can't make any changes to the permissions. It keeps telling me "Access is denied" whenever I try to modify the share or security permissions. Right now "Everyone" has full access in the share permissions. I can't even see the owners there.
>>
>> Any point in modifying the sysvol folder with setfacl? Where should I look next?
>
>
> Does 'Administrator' have a uidNumber?
>
> Does:
>
> wbinfo -i Administrator | awk -F ':' '{print $3}'
>
> Return '0'?
>
> If it doesn't, remove the uidNumber from Administrator.
>
> Rowland
On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> I've removed uidNumber from the Administrator user (it had 2500). Still getting the same "Access is denied" when trying to change things, and can't set the owner.
>
> The Administrator user also has the gidNumber 512, if that helps anything.

It sounds like someone has given everything a uidNumber or gidNumber, try checking the following users for a uidNumber or gidNumber attribute:

administrator
guest
krbtgt

Remove any that you find. Do the same for these groups:

cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
domain admins
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers

Then run 'net cache flush' on all Unix domain members.

If you still cannot use Administrator to change things on a Samba DC, then check if idmap.ldb contains an object similar to this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID

Rowland
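As an added illustration of the two checks in the message above (this is example code, not from Rowland's post or from the Samba project), a Python script that parses LDIF text of the kind `ldbsearch` prints from sam.ldb and idmap.ldb, flags the listed users and groups that still carry a uidNumber or gidNumber, and confirms that the domain's RID-500 (Administrator) entry maps to xidNumber 0. The sample records and the domain SID are constructed placeholders.

```python
"""Added check: flag stray uidNumber/gidNumber on well-known AD objects and verify that
idmap.ldb maps the Administrator RID (500) to xidNumber 0. Input is plain LDIF text as
printed by ldbsearch; base64 ('::') values are not handled."""

# Names from the post that should carry no POSIX IDs on a Samba DC (matched case-insensitively).
CHECK_NAMES = {"administrator", "guest", "krbtgt", "cert publishers", "ras and ias servers",
               "allowed rodc password replication group", "denied rodc password replication group",
               "enterprise read-only domain controllers", "domain admins", "domain guests",
               "domain computers", "domain controllers", "schema admins", "enterprise admins",
               "group policy creator owners", "read-only domain controllers"}

def parse_ldif(text):
    """Split LDIF into a list of {attribute: [values]} records; blank lines separate records."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records

def stray_posix_ids(sam_ldif):
    """Return {name: {attr: value}} for listed objects that carry uidNumber or gidNumber."""
    found = {}
    for rec in parse_ldif(sam_ldif):
        name = rec.get("sAMAccountName", [""])[0].lower()
        ids = {a: rec[a][0] for a in ("uidNumber", "gidNumber") if a in rec}
        if name in CHECK_NAMES and ids:
            found[name] = ids
    return found

def administrator_maps_to_root(idmap_ldif, domain_sid):
    """True if idmap.ldb maps <domain SID>-500 as ID_TYPE_UID to xidNumber 0 (root)."""
    for rec in parse_ldif(idmap_ldif):
        if rec.get("objectSid") == [domain_sid + "-500"]:
            return rec.get("type") == ["ID_TYPE_UID"] and rec.get("xidNumber") == ["0"]
    return False

# Constructed sample dumps (not real data); the domain SID is a placeholder.
SAMPLE_SAM = ("dn: CN=Administrator,CN=Users,DC=example,DC=lan\nsAMAccountName: Administrator\ngidNumber: 512\n\n"
              "dn: CN=unixuser,CN=Users,DC=example,DC=lan\nsAMAccountName: unixuser\nuidNumber: 10001\n")
SAMPLE_IDMAP = ("dn: CN=S-1-5-21-111-222-333-500\nobjectSid: S-1-5-21-111-222-333-500\n"
                "objectClass: sidMap\ntype: ID_TYPE_UID\nxidNumber: 0\n")
```

Feed it real dumps with something like `ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName uidNumber gidNumber` and `ldbsearch -H /var/lib/samba/private/idmap.ldb`, run as root on the DC; `unixuser` in the sample is deliberately not flagged because it is not one of the listed objects.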
You need to reset this in total. If you had at first UID 2500 for Administrator, then the owner still is UID 2500 and it's all restricted; you must enforce it to change it to root.

setfacl -b -R ....

Often I also do chown -R root:root to make sure root is the owner now, and reapply them again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday, 16 March 2021 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol issues after DC migration
>
> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> > I've removed uidNumber from the Administrator user (it had 2500). Still getting the same "Access is denied" when trying to change things, and can't set the owner.
> >
> > The Administrator user also has the gidNumber 512, if that helps anything.
>
>
> It sounds like someone has given everything a uidNumber or gidNumber, try checking the following users for a uidNumber or gidNumber attribute:
>
> administrator
> guest
> krbtgt
>
> Remove any that you find. Do the same for these groups:
>
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> enterprise read-only domain controllers
> domain admins
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
>
> Then run 'net cache flush' on all Unix domain members.
>
> If you still cannot use Administrator to change things on a Samba DC, then check if idmap.ldb contains an object similar to this:
>
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>
> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
>
> Rowland