On Sun, Oct 25, 2020 at 2:38 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> So '5035' is a computer, but what is '3000011' ?
> You can find out by running this on the DC:
> ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'

==================================
# ldbsearch -H /usr/local/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
# record 1
dn: CN=S-1-5-21-546846319-217595157-9522986-1328
cn: S-1-5-21-546846319-217595157-9522986-1328
objectClass: sidMap
objectSid: S-1-5-21-546846319-217595157-9522986-1328
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-546846319-217595157-9522986-1328

# returned 1 records
# 1 entries
# 0 referrals
==================================
S-1-5-21-546846319-217595157-9522986-1328 is the SID of the Windows 10 Pro client I'm using to manage the domain.
==================================

> Once you find out that, you should then be able to find out why the two
> are being denied access, by examining the permissions on sysvol.

Permissions on sysvol are:
drwxrwx---+ 4 root 3000000

Compared with another domain's DC (which has no GPO issues):
drwxrws---+ 1 root 3000000

Looks like sgid is set on one and not the other. I have not touched those permissions. If sgid is needed, shouldn't the classic upgrade have handled that?
Should I add the sgid to sysvol and its subdirectories (that's how it is on the working domain), or is this just a difference in the two releases (the working domain is running 4.10.16)?

Chris
On 25/10/2020 19:21, Sonic wrote:
> On Sun, Oct 25, 2020 at 2:38 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> So '5035' is a computer, but what is '3000011' ?
>> You can find out by running this on the DC:
>> ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
> ==================================
> # ldbsearch -H /usr/local/samba/private/idmap.ldb
> '(&(objectClass=sidMap)(xidNumber=3000011))'
> # record 1
> dn: CN=S-1-5-21-546846319-217595157-9522986-1328
> cn: S-1-5-21-546846319-217595157-9522986-1328
> objectClass: sidMap
> objectSid: S-1-5-21-546846319-217595157-9522986-1328
> type: ID_TYPE_BOTH
> xidNumber: 3000011
> distinguishedName: CN=S-1-5-21-546846319-217595157-9522986-1328
>
> # returned 1 records
> # 1 entries
> # 0 referrals
> ==================================
> S-1-5-21-546846319-217595157-9522986-1328 is the SID of the Windows 10
> Pro client I'm using to manage the domain.
> ==================================
>> Once you find out that, you should then be able to find out why the two
>> are being denied access, by examining the permissions on sysvol.
> Permissions on sysvol are:
> drwxrwx---+ 4 root 3000000
>
> Compared with another domain's DC (which has no GPO issues):
> drwxrws---+ 1 root 3000000
>
> Looks like sgid is set on one and not the other. I have not touched
> those permissions. If sgid is needed, shouldn't the classic upgrade
> have handled that?
> Should I add the sgid to sysvol and its subdirectories (that's how it
> is on the working domain), or is this just a difference in the two
> releases (the working domain is running 4.10.16)?
>
> Chris

OK, if you look at the end of the permissions, there is a '+' sign. This shows that extended ACLs are set; to see these:

getfacl /usr/local/samba/var/locks/sysvol

You can also see the extended ACLs with:

samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl

Rowland
On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> OK, if you look at the end of the permissions, there is a '+' sign, this
> shows that extended acls set, to see these:
>
> getfacl /usr/local/samba/var/locks/sysvol

The difference in ACLs is that the non-working domain includes:

user:3000001:r-x
user:3000002:rwx
user:3000003:r-x

and

default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x

Otherwise they are identical.

> You can also see the extended ACL's with:
> samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl

Working domain:
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Non-working domain:
O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)

I tried adding the sgid bit and restarting samba but there was no change in the results.
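As an added example (not from this thread and not Samba's own code), a small Python audit that parses the two SDDL strings quoted above, as returned by samba-tool ntacl get --as-sddl, and reports what a defender would compare first: the missing P (protected) flag on the non-working DACL, its duplicated ACEs, the ACEs that carry an empty access mask, and which ACEs exist on only one side. It assumes the descriptor has only O:/G:/D: parts; an S: (SACL) section is not handled.

```python
import re
from collections import Counter

# Constructed sample input: the two descriptors quoted in this thread.
WORKING = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
NONWORKING = ("O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)"
              "(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)"
              "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)"
              "(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)"
              "(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)")

# Owner and group are a two-letter alias or a SID; DACL flags (P, AI, AR) precede the ACE list.
HEADER_RE = re.compile(r"^O:(?P<owner>[\w-]+?)G:(?P<group>[\w-]+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")
FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)..' into owner, group, DACL flags and ACE dicts."""
    m = HEADER_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL (only O:/G:/D: handled): " + sddl)
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        parts = body.split(";")          # type;flags;rights;object;inherit_object;trustee
        if len(parts) != 6:
            raise ValueError("malformed ACE: (" + body + ")")
        aces.append(dict(zip(FIELDS, parts)))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}

def ace_key(ace):
    return ";".join(ace[f] for f in FIELDS)

def audit(sddl):
    """Findings that make a DACL hard to reason about: inheritance, duplicates, empty masks."""
    sd = parse_sddl(sddl)
    findings = []
    if "P" not in sd["dacl_flags"]:
        findings.append("DACL not protected: ACEs may be inherited from the parent directory")
    for key, n in Counter(ace_key(a) for a in sd["aces"]).items():
        if n > 1:
            findings.append("duplicate ACE x%d: (%s)" % (n, key))
    for a in sd["aces"]:
        if a["rights"] == "":
            findings.append("empty access mask for %s: grants nothing, only adds noise" % a["trustee"])
    return findings

def diff_aces(sddl_a, sddl_b):
    """ACEs present in one descriptor but not the other, ignoring order and duplicates."""
    a = {ace_key(x) for x in parse_sddl(sddl_a)["aces"]}
    b = {ace_key(x) for x in parse_sddl(sddl_b)["aces"]}
    return sorted(a - b), sorted(b - a)
```

Running audit(NONWORKING) lists the unprotected DACL, four duplicated ACEs and the two empty-mask ACEs (WD and CG), while audit(WORKING) returns nothing; diff_aces(WORKING, NONWORKING) shows the SO, SY and AU entries that only the working domain has.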