On 08/01/2021 12:48, karel de macil via samba wrote:
> Hi all,
>
> having some trouble with my Samba 4 AD GPOs, I have launched a sysvol
> reset BEFORE reading it was wrong.
> I'm attempting to fix things now following this page:
>
> https://wiki.samba.org/index.php/Sysvolreset
>
> but things don't go well and I'm stuck.
>
> My AD has two DCs:
>
> - 1: a Debian 8.11 jessie with Samba 4.2.14
> - 2: a Debian bullseye with Samba 4.13.2
>
> Current situation is:
>
> - any attempt to create a new GPO gets a "Group Policy Object Creation
>   Failed - This security ID may not be assigned as the owner of this
>   object" msg
> - when I try to change folder permissions on sysvol for the second DC
>   from a Windows computer, the displayed permissions instantly reset to no
>   permission as soon as I apply them, BUT they still appear in the
>   advanced permissions management window...
> - when I go to my /var/lib/samba/sysvol/domain/Policies repository I
>   have something like this:
>
> drwxrwxr--+ 5 3000008 3000008 4,0K sept. 24  2014 {D044195A-B603-4F3D-9A3D-D26CD8693AAE}
> drwxrwxr--+ 4   10001   20012 4,0K mai   21  2019 {D2391757-C80E-4063-852F-990A3BBEC517}
> drwxrwxr--+ 4 3000008 3000008 4,0K mai    9  2014 {D42A7541-4EE3-4F7F-9CE8-C7B933D79851}
> drwxrwxr--+ 4   10001   20012 4,0K juil.  3  2015 {DEFA441E-1400-4E86-82FE-0C5C04B5E05F}
>
> wbinfo --gid-to-sid=3000008
> S-1-5-21-2718981395-2814295682-4030710678-512
> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
> Domain\Domain Admins 2
> wbinfo --gid-to-sid=20012
> S-1-5-21-2718981395-2814295682-4030710678-512
> wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
> Domain\Domain Admins 2
> wbinfo --gid-to-sid=10001
> S-1-22-2-10001
> wbinfo --sid-to-name=S-1-22-2-10001
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-22-2-10001
> wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512
> 20012
>
> strange...
>
> so, my questions are:
>
> - is there a way to fix the "two gids leading to the same SID" thing?
>   any clue on what has led to a change?
> - should I change the owner of the GPOs I have with the 10001 user,
>   considering the fact that this corresponds to no real user?
>
> - is there a way to fix my sysvol rights so I can create GPOs again?
>
> - in the worst case scenario, is there a way to recreate sysvol with no
>   GPO inside BUT with some correct rights?
>
> - subsidiary question but linked to the previous one:
>   - does anyone know (or can lead me to some documentation on the
>     subject) how to understand the answer given by the samba-tool ntacl
>     get command, as this one:
>
> samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null
> O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)(A;OICI;0x001200a9;;;SO)
>
> - does anyone know what Linux user and group should own
>   /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
>   /var/lib/samba/sysvol/domain/Policies
> - does anyone know what Windows user and group should own
>   /var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
>   /var/lib/samba/sysvol/domain/Policies
>
> As usual, any advice, any help will be most welcome.
>

In answer to your questions, then the answer would be 'yes, I do', but before we get deeper into this, can I ask you to do two things:

Post your smb.conf files

Transfer all the FSMO roles to your bullseye DC (if they are not already there), then demote the jessie DC, upgrade it to bullseye and join it to the domain again.

Rowland
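The SDDL string quoted in the question above is readable once its fields are split up: O: is the owner, G: the primary group, D: the DACL with its flags, and each (...) is one ACE in the order type;flags;rights;object-guid;inherit-guid;trustee. The decoder below is an added example written for this page; it is not code from the thread and not part of Samba. Its alias, flag and access-mask tables are the standard Windows SDDL and winnt.h values (only a subset of the SID alias table is included), its sample input is the exact string from the question, and it also accepts letter-pair rights such as FA or FRFX, which that output does not use.

```python
import re

# Two-letter SDDL SID aliases (subset of the well-known Windows table).
SID_ALIASES = {
    "WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group",
    "AU": "Authenticated Users", "SY": "Local System",
    "LA": "Local Administrator", "BA": "Builtin Administrators",
    "BU": "Builtin Users", "SO": "Server Operators", "DA": "Domain Admins",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
DACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}

# File access-mask bits from winnt.h, lowest bit first.
FILE_RIGHTS = [
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"), (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]
FILE_ALL_ACCESS = 0x001F01FF
FILE_GENERIC_READ = 0x00120089
FILE_GENERIC_WRITE = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
# SDDL letter-pair rights, so "(A;OICI;FA;;;BA)" decodes as well as a hex mask.
RIGHTS_ALIASES = {"FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ,
                  "FW": FILE_GENERIC_WRITE, "FX": FILE_GENERIC_EXECUTE,
                  "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)")


def split_tokens(text, table):
    """Split a run of SDDL flag letters ("OICIIO", "PAI") into names, longest token first."""
    out, i = [], 0
    while i < len(text):
        for n in (2, 1):
            if text[i:i + n] in table:
                out.append(table[text[i:i + n]])
                i += n
                break
        else:
            raise ValueError("unknown SDDL flag in %r" % text)
    return out


def parse_rights(field):
    """Access mask from a hex literal ("0x001f01ff") or letter pairs ("FRFX")."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_ALIASES[field[i:i + 2]]
    return mask


def describe_mask(mask):
    """Name the common file-permission sets, otherwise list the raw bits."""
    if mask == FILE_ALL_ACCESS:
        return "Full control"
    if mask == FILE_GENERIC_READ | FILE_GENERIC_EXECUTE:
        return "Read & execute"
    if mask == FILE_GENERIC_READ:
        return "Read"
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    unknown = mask & ~sum(bit for bit, _ in FILE_RIGHTS)
    if unknown:
        names.append("0x%08x" % unknown)
    return "|".join(names) or "none"


def resolve_sid(sid):
    # Unknown aliases and raw S-1-... SIDs pass through unchanged.
    return SID_ALIASES.get(sid, sid)


def parse_ace(body):
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("an ACE has 6 ';'-separated fields: %r" % body)
    ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": split_tokens(flags, ACE_FLAGS),
            "mask": mask, "rights": describe_mask(mask), "trustee": resolve_sid(trustee)}


def parse_sddl(sddl):
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    return {"owner": resolve_sid(m["owner"]), "group": resolve_sid(m["group"]),
            "dacl_flags": split_tokens(m["flags"], DACL_FLAGS),
            "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", m["aces"])]}


def full_control_trustees(acl):
    """Trustees allowed full control: the list worth auditing on sysvol, since they can change GPOs."""
    return [a["trustee"] for a in acl["aces"]
            if a["type"] == "ALLOW" and a["mask"] & FILE_ALL_ACCESS == FILE_ALL_ACCESS]


# The SDDL quoted in the thread, verbatim.
SYSVOL_SDDL = ("O:LAG:BAD:PAI(A;OICI;0x00120089;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;0x00100000;;;CG)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x00120089;;;BU)"
               "(A;OICI;0x001200a9;;;SO)")

if __name__ == "__main__":
    acl = parse_sddl(SYSVOL_SDDL)
    print("owner:", acl["owner"], "| group:", acl["group"], "| DACL:", " ".join(acl["dacl_flags"]))
    for ace in acl["aces"]:
        print("%-6s %-24s %-16s %s" % (ace["type"], ace["trustee"], ace["rights"], ",".join(ace["flags"])))
    print("full control:", ", ".join(full_control_trustees(acl)))
```

Run on the quoted string, the decoder reports the owner as Local Administrator and the group as Builtin Administrators, a DACL that is protected (P, so it does not inherit from its parent) and auto-inherited (AI), and nine allow ACEs: Everyone and Builtin Users get Read, Authenticated Users and Server Operators get Read & execute, Creator Group gets only SYNCHRONIZE, and Creator Owner (inherit-only, so it applies to children rather than the share root), Local System, Local Administrator and Builtin Administrators get Full control. That last list is the one to compare against what the domain expects before changing ownership: anyone on it can rewrite the GPO files that every domain member applies.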
karel.de.macil at free.fr
2021-Jan-12 16:06 UTC
[Samba] sysvol right error and how to correct it.
On 08/01/2021 15:47, Rowland penny via samba wrote:
> On 08/01/2021 12:48, karel de macil via samba wrote:
>> [...]
>
> In answer to your questions, then the answer would be 'yes, I do', but
> before we get deeper into this, can I ask you to do two things:
>
> Post your smb.conf files
>
> Transfer all the FSMO roles to your bullseye DC (if they are not
> already there), then demote the jessie DC, upgrade it to bullseye and
> join it to the domain again.
>
> Rowland

Hi Rowland,

here is the smb.conf file.

- Can you explain why you want me to demote the Jessie DC, and is it necessary to update it to bullseye or can I update it to stable with the same Samba version as in bullseye?
- Can you please tell me what to do next?

smb.conf on bullseye (let's call it DCA)

[global]
netbios name = XXXXXXX
realm = DOMAIN.FR
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
workgroup = DOMAIN
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
allow dns updates = nonsecure
dns update command=/usr/sbin/samba_dnsupdate --use-samba-tool
restrict anonymous = 2
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
log level = 6 #auth_audit:10@/var/log/samba/log.auth_audit
disable netbios = yes
smb ports = 445
server schannel = yes
ntlm auth = true

[netlogon]
path = /var/lib/samba/sysvol/domain.fr/scripts
read only = No
vfs objects = full_audit

[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4 full_audit

smb.conf on jessie (let's call it DCB)

[global]
workgroup = DOMAIN
realm = DOMAIN.FR
netbios name = XXXXXXY
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
allow dns updates = nonsecure
# winbind rpc only = yes
log level = 5
ntp signd socket directory = /var/lib/samba/ntp_signd
server schannel = yes
# ntlm auth = ntlmv1-permitted
min protocol = SMB2

[netlogon]
path = /var/lib/samba/sysvol/domain.fr/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[demo]
path = /share/demo
read only = no