Hello Marc,

> Hi Anantha,
>
> On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
>> Is there any way we can rebuild corrupt Default Domain Policy and
>> Default Domain Controller Policy.
> What is broken?

Entire Default Domain and Default Domain Controller Policies along with other Policies that we had built are broken.

>> In Windows AD we can use the dcgpofix utility to recreate the Default Domain
>> and Domain Controller Policies. Is something similar available in Samba AD DC?
> You can recover the files from your backup and to reset Sysvol/directory
> ACLs, run
> # samba-tool ntacl sysvolreset

I believe samba-tool ntacl sysvolreset does not function in the manner in which it is supposed to. I have seen many discussions on this.

> Regards,
> Marc

-- 
Thanks & Regards,
Anantha Raghava
On Fri, 7 Jul 2017 05:29:30 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hello Marc,
>
> > Hi Anantha,
> >
> > On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
> >> Is there any way we can rebuild corrupt Default Domain Policy and
> >> Default Domain Controller Policy.
> > What is broken?
> Entire Default Domain and Default Domain Controller Policies along
> with other Policies that we had built are broken.

I have written a bash script that should do what you need and I have attached a copy. I haven't tested it (never had need to), but it should work; it is just a bash interpretation of the python code used during provision.
It was written on Devuan (Debian without systemd), so if you are using some other OS, or have moved sysvol (not a good idea), then you may need to tweak it.

> >> In Windows AD we can use the dcgpofix utility to recreate the Default
> >> Domain and Domain Controller Policies. Is something similar available
> >> in Samba AD DC?
> > You can recover the files from your backup and to reset
> > Sysvol/directory ACLs, run
> > # samba-tool ntacl sysvolreset
> I believe samba-tool ntacl sysvolreset does not function in the manner
> in which it is supposed to. I have seen many discussions on this.

The problem with sysvolreset isn't so much with the default policies; it is with any extra policies you might add. This is further compounded by giving 'Domain Admins' a gidNumber: 'Domain Admins' needs to own directories in the extra policies added, and it cannot do this if it has a gidNumber, because it is then only a group, and a group in Unix cannot own anything.

In your case, after you have recreated sysvol, I would run sysvolreset, then add your other policies and then never run sysvolreset again.

Rowland
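As an added example (this is not Rowland's attached script, which is not on this page, and not Samba's own provision code): a small POSIX shell script that recreates the sysvol skeleton for the two default GPOs in the layout Samba's provision step creates, to my knowledge a Policies/<GUID> directory holding GPT.INI plus MACHINE and USER subdirectories. It assumes the sysvol root and the lowercase DNS realm are passed in as arguments, and that the two well-known default GPO GUIDs used here match the gPCFileSysPath values stored in your domain (check with samba-tool gpo listall before trusting them). It creates files and directories only; NT ACLs are left to samba-tool ntacl sysvolreset, as discussed above.

```shell
#!/bin/sh
# Added example, not Rowland's script and not Samba's provision code.
# Recreates the sysvol skeleton for the two default GPOs.
# Assumption: these are the well-known default GPO GUIDs (Default Domain
# Policy and Default Domain Controllers Policy) that Samba provisions with.
DEFAULT_DOMAIN_POLICY_GUID="{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY_GUID="{6AC1786C-016F-11D2-945F-00C04fB984F9}"

# create_gpo_struct SYSVOL REALM GUID
# Creates <sysvol>/<realm>/Policies/<GUID>/{GPT.INI,MACHINE,USER} with
# mode 0775 on the directories, as provision does (assumed layout).
create_gpo_struct() {
    policy_dir="$1/$2/Policies/$3"
    mkdir -p "$policy_dir/MACHINE" "$policy_dir/USER"
    chmod 775 "$policy_dir" "$policy_dir/MACHINE" "$policy_dir/USER"
    # GPT.INI as written at provision time: version 0, CRLF line endings.
    # Version=0 is deliberate: the next edit from GPMC bumps it and the
    # clients refetch the policy.
    printf '[General]\r\nVersion=0\r\n' > "$policy_dir/GPT.INI"
}

# recreate_default_gpos SYSVOL REALM
# Rebuilds both default policy skeletons under the given sysvol root.
recreate_default_gpos() {
    create_gpo_struct "$1" "$2" "$DEFAULT_DOMAIN_POLICY_GUID"
    create_gpo_struct "$1" "$2" "$DEFAULT_DC_POLICY_GUID"
}

# check_gpo_struct SYSVOL REALM GUID
# Returns 0 when the skeleton is complete: both subdirectories exist and
# GPT.INI carries a [General] section with a Version line.
check_gpo_struct() {
    d="$1/$2/Policies/$3"
    [ -d "$d/MACHINE" ] && [ -d "$d/USER" ] && [ -f "$d/GPT.INI" ] \
        && grep -q '^\[General\]' "$d/GPT.INI" \
        && grep -q '^Version=' "$d/GPT.INI"
}

# Usage: sh rebuild_sysvol_gpos.sh /var/lib/samba/sysvol samdom.example.com
# (the sysvol path and realm are examples; use your own).
if [ "${1:-}" ] && [ "${2:-}" ]; then
    recreate_default_gpos "$1" "$2"
    for g in "$DEFAULT_DOMAIN_POLICY_GUID" "$DEFAULT_DC_POLICY_GUID"; do
        check_gpo_struct "$1" "$2" "$g" && echo "ok: $g" || echo "INCOMPLETE: $g"
    done
fi
```

Run it once against the real sysvol path (the Devuan/Debian default Rowland's script targets is /var/lib/samba/sysvol, but verify yours), then run samba-tool ntacl sysvolreset a single time before adding any further policies, which is the order Rowland recommends above. The check function is worth keeping around on its own: a missing GPT.INI or subdirectory is cheaper to catch here than from group policy errors on the clients.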
Hello Rowland,

Thank you very much. Give me two days of time. Will test it here in my setup and give you feedback.

Regards,
Ananth

On 7 Jul 2017 2:39 p.m., "Rowland Penny" <rpenny at samba.org> wrote:

> On Fri, 7 Jul 2017 05:29:30 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
> > Hello Marc,
> >
> > > Hi Anantha,
> > >
> > > On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
> > >> Is there any way we can rebuild corrupt Default Domain Policy and
> > >> Default Domain Controller Policy.
> > > What is broken?
> > Entire Default Domain and Default Domain Controller Policies along
> > with other Policies that we had built are broken.
>
> I have written a bash script that should do what you need and I have
> attached a copy. I haven't tested it (never had need to), but it
> should work; it is just a bash interpretation of the python code used
> during provision.
> It was written on Devuan (Debian without systemd), so if you are using
> some other OS, or have moved sysvol (not a good idea), then you may
> need to tweak it.
>
> > >> In Windows AD we can use the dcgpofix utility to recreate the Default
> > >> Domain and Domain Controller Policies. Is something similar available
> > >> in Samba AD DC?
> > > You can recover the files from your backup and to reset
> > > Sysvol/directory ACLs, run
> > > # samba-tool ntacl sysvolreset
> > I believe samba-tool ntacl sysvolreset does not function in the manner
> > in which it is supposed to. I have seen many discussions on this.
>
> The problem with sysvolreset isn't so much with the default policies;
> it is with any extra policies you might add. This is further compounded
> by giving 'Domain Admins' a gidNumber: 'Domain Admins' needs to own
> directories in the extra policies added, and it cannot do this if it has
> a gidNumber, because it is then only a group, and a group in Unix
> cannot own anything.
>
> In your case, after you have recreated sysvol, I would run sysvolreset,
> then add your other policies and then never run sysvolreset again.
>
> Rowland