You need to reset this in total.

If you had at first UID 2500 for Administrator,
then the owner still is UID 2500 and it's all restricted,
you must force it to change to root.

setfacl -b -R ....
often I also do
chown -R root:root to make sure root is the owner now.
and reapply them again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 16 March 2021 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol issues after DC migration
>
> On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> > I've removed uidNumber from the Administrator user (it had 2500).
> > Still getting the same "Access is denied" when trying to change
> > things, and can't set the owner.
> >
> > The Administrator user also has the gidNumber 512, if that helps
> > anything.
>
> It sounds like someone has given everything a uidNumber or gidNumber,
> try checking the following users for a uidNumber or gidNumber attribute:
>
> administrator
> guest
> krbtgt
>
> Remove any that you find. Do the same for these groups:
>
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> enterprise read-only domain controllers
> domain admins
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
>
> Then run 'net cache flush' on all Unix domain members.
>
> If you still cannot use Administrator to change things on a Samba DC,
> then check if idmap.ldb contains an object similar to this:
>
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>
> Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
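The two checks Rowland asks for in the quoted message (stray uidNumber/gidNumber on the built-in users and groups, and the RID-500 sidMap entry in idmap.ldb mapping Administrator to xidNumber 0) can be run over LDIF dumps of the two databases. The script below is an added example, not from the thread and not Samba's own tooling; the only assumption is how the input is produced (ldbsearch against sam.ldb and idmap.ldb, default Debian/Ubuntu paths under /var/lib/samba/private), and the sample records and domain SID embedded in it are constructed.

```python
# Added example (not from the thread, not Samba tooling): scan LDIF dumps for
# the two things Rowland's message asks about. Assumed way to produce input
# on a Samba AD DC (real ldbsearch syntax, Debian/Ubuntu paths):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(|(objectClass=user)(objectClass=group))' sAMAccountName uidNumber gidNumber
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
from typing import Dict, List, Optional

# Built-in accounts that must not carry uidNumber/gidNumber (list from the thread).
PROTECTED_USERS = {"administrator", "guest", "krbtgt"}
PROTECTED_GROUPS = {
    "cert publishers", "ras and ias servers",
    "allowed rodc password replication group", "denied rodc password replication group",
    "enterprise read-only domain controllers", "domain admins", "domain guests",
    "domain computers", "domain controllers", "schema admins", "enterprise admins",
    "group policy creator owners", "read-only domain controllers",
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line ends a record, '#' lines are comments,
    a line starting with one space continues the previous value, attribute
    names are folded to lower case. Base64 ('::') values are not decoded."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip(": ").strip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def first(rec: Dict[str, List[str]], attr: str) -> str:
    return rec.get(attr, [""])[0]


def find_stray_posix_ids(sam_ldif: str) -> List[str]:
    """Every uidNumber/gidNumber on a protected user or group, as 'name: attr=value'.
    Each of these is something to remove before 'net cache flush'."""
    findings: List[str] = []
    protected = PROTECTED_USERS | PROTECTED_GROUPS
    for rec in parse_ldif(sam_ldif):
        name = first(rec, "samaccountname").lower()
        if name not in protected:
            continue
        for attr in ("uidnumber", "gidnumber"):
            for value in rec.get(attr, []):
                findings.append(f"{name}: {attr}={value}")
    return findings


def administrator_xid(idmap_ldif: str) -> Optional[str]:
    """xidNumber of the sidMap entry for RID 500 (Administrator), or None if
    idmap.ldb has no such entry. The healthy value, per Rowland's message, is
    "0": Administrator is mapped to root, which is what lets it own sysvol."""
    for rec in parse_ldif(idmap_ldif):
        if "sidmap" not in {c.lower() for c in rec.get("objectclass", [])}:
            continue
        sid = first(rec, "objectsid")
        if sid.startswith("S-1-5-21-") and sid.endswith("-500"):
            return first(rec, "xidnumber")
    return None


# Constructed samples; S-1-5-21-1111111111-2222222222-3333333333 is a made-up domain SID.
SAM_LDIF = """\
# record 1
dn: CN=Administrator,CN=Users,DC=my-domain,DC=com
sAMAccountName: Administrator
uidNumber: 2500
gidNumber: 512

dn: CN=Guest,CN=Users,DC=my-domain,DC=com
sAMAccountName: Guest

dn: CN=Domain Admins,CN=Users,DC=my-domain,DC=com
sAMAccountName: Domain Admins
gidNumber: 10512

dn: CN=unixusers,CN=Users,DC=my-domain,DC=com
sAMAccountName: unixusers
gidNumber: 10001
"""

IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_GID
xidNumber: 3000000
"""

if __name__ == "__main__":
    for finding in find_stray_posix_ids(SAM_LDIF):
        print("remove:", finding)
    print("Administrator xidNumber:", administrator_xid(IDMAP_LDIF), "(expected 0)")
```

Feed it real dumps by replacing the two constants with the ldbsearch output; a group such as "unixusers" with a gidNumber is deliberately left alone, since only the built-in accounts in Rowland's list are affected.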
I've followed Rowland's advice regarding removing uidNumber and gidNumber from all the aforementioned users and groups.

It did help me a little bit on the way - I can now change the sysvol SHARE permissions, but nothing else :/

idmap.ldb *does* contain an object as described in Rowland's last email, with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

Louis, could you please elaborate? I just want to make sure I understood you correctly.

After removing uidNumber and gidNumber from the Administrator, guest, and all the groups mentioned, I need to run

chown -R root:root

on

/var/lib/samba/sysvol/my-domain.com

?

What's the next step? Or would that be enough? Do I need to delete the folders within the Policies directory?

I can also see, in the GPO editor, that if I select "Default Domain Policy", it says "The permissions for this GPO in the SYSVOL folder are inconsistent with those in AD". This does not happen when I click on a GPO that was manually created on the previous DC. In case that helps..

Oleg

On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
> [...]
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oleg Blyahher via samba
> Sent: Tuesday 16 March 2021 12:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol issues after DC migration
>
> I've followed Rowland's advice regarding removing uidNumber and
> gidNumber from all the aforementioned users and groups.
>
> It did help me a little bit on the way - I can now change the sysvol
> SHARE permissions, but nothing else :/
>
> idmap.ldb *does* contain an object as described in Rowland's last email,
> with dn CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>
> Louis, could you please elaborate? I just want to make sure I understood
> you correctly.
>
> After removing uidNumber and gidNumber from the Administrator, guest,
> and all the groups mentioned, I need to run
>
> chown -R root:root
>
> on
>
> /var/lib/samba/sysvol/my-domain.com
>
> ?

Yes, and depending on the Samba version you can use samba-tool sysvolreset.

> What's the next step? Or would that be enough? Do I need to delete the
> folders within the Policies directory?

That's not needed.

> I can also see, in the GPO editor, that if I select "Default Domain
> Policy", it says "The permissions for this GPO in the SYSVOL folder are
> inconsistent with those in AD". This does not happen when I click on a
> GPO that was manually created on the previous DC. In case that helps..

That inconsistency will be fixed if you do that within the GPO editor.

Run this and verify the output:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh

Greetz,

Louis

> Oleg
>
> On 2021-03-16 11:48, L.P.H. van Belle via samba wrote:
> > [...]
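What Louis's reset (setfacl -b -R, chown -R root:root, then samba-tool ntacl sysvolreset, which is the full name of the subcommand he refers to) is meant to cure is the sysvol tree still being owned by the old UID 2500 from before the uidNumber was removed. The script below is an added example, not from the thread and not Samba's own code: it walks a sysvol directory and lists every file or directory whose owner is not root, so you can see what the reset has to touch and, afterwards, that nothing was missed. The path /var/lib/samba/sysvol/my-domain.com is the one from the thread; when it is absent the script builds a small constructed sysvol-shaped tree in a temp directory, using the real well-known GUID of the Default Domain Policy.

```python
# Added example, not from the thread: report sysvol entries not owned by root
# (the leftover of Administrator having had uidNumber 2500). Run it before
# the reset to see what is wrong and after 'samba-tool ntacl sysvolreset' to
# confirm ownership is back to root. The sample tree is constructed.
import os
import tempfile
from typing import List, Tuple

# Real well-known GUID of the Default Domain Policy GPO.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


def foreign_owned(root: str, expected_uid: int = 0) -> List[Tuple[str, int]]:
    """(path, uid) for every directory and file below root whose owner is not
    expected_uid (root by default). os.walk visits each directory exactly once
    as dirpath and does not follow symlinks; lstat reports the link itself."""
    bad: List[Tuple[str, int]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            uid = os.lstat(path).st_uid
            if uid != expected_uid:
                bad.append((path, uid))
    return sorted(bad)


def current_uid() -> int:
    return os.getuid()


def build_sample_sysvol() -> str:
    """Constructed minimal sysvol layout in a temp dir: Policies/<GUID>/{GPT.INI,
    Machine,User} plus a scripts directory. Owned by whoever runs this."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    gpo = os.path.join(root, "Policies", DEFAULT_DOMAIN_POLICY)
    for sub in ("Machine", "User"):
        os.makedirs(os.path.join(gpo, sub))
    os.makedirs(os.path.join(root, "scripts"))
    with open(os.path.join(gpo, "GPT.INI"), "w") as f:
        f.write("[General]\nVersion=0\n")
    return root


if __name__ == "__main__":
    sysvol = "/var/lib/samba/sysvol/my-domain.com"   # path from the thread
    target = sysvol if os.path.isdir(sysvol) else build_sample_sysvol()
    leftovers = foreign_owned(target)
    for path, uid in leftovers:
        print(f"uid {uid:>6}  {path}")
    if leftovers:
        print("reset with: setfacl -b -R, chown -R root:root, samba-tool ntacl sysvolreset")
    else:
        print("everything under", target, "is owned by root")
```

On a real DC run it as root against the actual sysvol path; every line it prints is an entry that `chown -R root:root` followed by `samba-tool ntacl sysvolreset` (and `samba-tool ntacl sysvolcheck` to verify) will rewrite.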