Henry Jensen
2018-May-25 13:37 UTC
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
Hello,

this is a Samba AD Domain upgraded from Samba 3.x with classicupgrade.

Debian 9.4
Samba: 4.7.6 (packages from tranquil.it)

# cat /etc/samba/smb.conf
[global]
        netbios name = DC1
        realm = IWW.LAN
        server role = active directory domain controller
        workgroup = IWW
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 172.16.1.12
        dsdb:schema update allowed=true

[netlogon]
        path = /var/lib/samba/sysvol/iww.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

running "samba-tool ntacl sysvolcheck" doesn't fix this.

In my investigation for this I tried to use the script from https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh. This led to another error:

root@dc1:~# wbinfo -S S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

However, other SIDs do work:

root@dc1:~# wbinfo -S S-1-5-32-543
3000023
root@dc1:~# wbinfo -S S-1-5-32-545
3000007

S-1-5-32-544 is the Administrator group, which is a builtin group. I noticed that this group already existed in the Samba 3 OpenLDAP DIT with gidNumber 514. There are other builtin groups which pre-existed in OpenLDAP. All these pre-existing groups have Posix attributes (gidNumber, objectClass posixGroup) set and raise the same error. Other well-known SIDs which did not pre-exist can be converted to UIDs.

So my first idea was to remove those Posix attributes from the problematic groups (I tried it on Backup Operators S-1-5-32-551), but to no avail.

Is it possible that the sysvolcheck error is related to this? Any suggestions on how to proceed?

Kind Regards,

Henry
Rowland Penny
2018-May-25 14:07 UTC
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
On Fri, 25 May 2018 15:37:10 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> this is a Samba AD Domain upgraded from Samba 3.x with
> classicupgrade.
>
> Debian 9.4
> Samba: 4.7.6 (packages from tranquil.it)
>
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO
> directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object File

If you look closely (very closely), you will see that there is only one
letter different, it is at the very start:

O:LAG:DAD:P(
O:DAG:DAD:P(

LA = Local Administrator
DA = Domain Admins

>
> running "samba-tool ntacl sysvolcheck" doesn't fix this.

Well it wouldn't, they are both borked.

Just do administration from Windows

>
> S-1-5-32-544 is the Administrator group, which is a builtin group. I

No, it is the 'Administrators' group

> noticed, that this group already existed in the Samba 3 OpenLDAP DIT
> with gidNumber 514.

If we take it that '514' is actually a windows RID, then the group
should be Domain Guests.

>
> There are other builtin groups which pre-existed in OpenLDAP. All
> this pre-existing groups have Posix attributes (gidNumber,
> objectClass posixGroup) set and raises the same error. Other
> well-known SIDs which have not pre-existed can be converted to UIDs

From my experience, the only AD user/group in AD with a RID less than
1000 that should have a uidNumber or gidNumber is Domain Users.

> So my first idea was to remove those Posix attributes from the
> problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> to no avail.

Ah, you probably missed the magic incantation 'net cache flush' ;-)

>
> Is it possible, that sysvolcheck error is related to this?

No.

Rowland
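As an added illustration of the one-letter difference Rowland points out (this is not code from the thread or from Samba), the following Python snippet splits the two SDDL strings from the sysvolcheck error into owner, group, DACL flags and ACEs and reports exactly which parts differ, which is far easier than eyeballing two long strings. The SDDL strings are copied from the error above; the alias table is an assumption limited to the abbreviations that appear in them.

```python
import re

# SDDL strings copied from the sysvolcheck error earlier in this thread:
# the on-disk ACL and the value computed from the GPO object.
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL abbreviations used above (assumed table, only those in the thread).
SID_ALIASES = {"LA": "Local Administrator", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a recognised SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl[:dacl.index("(")] if "(" in dacl else dacl   # e.g. "P" = protected
    aces = [tuple(ace.split(";")) for ace in ACE_RE.findall(dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return human-readable differences between an actual and an expected SDDL."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for field in ("owner", "group", "dacl_flags"):
        if a[field] != e[field]:
            diffs.append("%s: %s (%s) != %s (%s)" % (
                field, a[field], SID_ALIASES.get(a[field], "?"),
                e[field], SID_ALIASES.get(e[field], "?")))
    # Compare ACEs as sets so order does not matter; duplicates collapse.
    for ace in sorted(set(a["aces"]) - set(e["aces"])):
        diffs.append("unexpected ACE: (%s)" % ";".join(ace))
    for ace in sorted(set(e["aces"]) - set(a["aces"])):
        diffs.append("missing ACE: (%s)" % ";".join(ace))
    return diffs

if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)   # only the owner differs: LA on disk, DA expected
```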
Henry Jensen
2018-May-25 14:39 UTC
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
On Fri, 25 May 2018 15:07:57 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > running "samba-tool ntacl sysvolcheck" doesn't fix this.
>
> Well it wouldn't, they are both borked.
>
> Just do administration from Windows

OK, maybe this is something which should be mentioned in the wiki.

The reason I got to this was that I wanted to try sysvol replication. The wiki mentions at https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory that you should i.e. copy idmap.ldb from the first DC to the new DC and then run "samba-tool ntacl sysvolreset". Is this instruction still valid?

> > S-1-5-32-544 is the Administrator group, which is a builtin group. I
>
> No, it is the 'Administrators' group

Yes, of course.

> > noticed, that this group already existed in the Samba 3 OpenLDAP DIT
> > with gidNumber 514.
>
> If we take it that '514' is actually a windows RID, then the group
> should be Domain Guests.

Yeah, it was 544. It is Friday afternoon - maybe not the best time to write technical mails ;)

> From my experience, the only AD user/group in AD with a RID less than
> 1000 that should have a uidNumber or gidNumber is Domain Users.
>
> > So my first idea was to remove those Posix attributes from the
> > problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> > to no avail.
>
> Ah, you probably missed the magic incantation 'net cache flush' ;-)

That was it. Thank you.

Kind regards,

Henry