Ok, thanks Rowland. I've made it further now, and the script runs to
the point where it tells me the following:
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
I've opened up Computer Management as the domain admin, but I can't do
any changes in the permissions. It keeps telling me "Access is denied"
whenever I try to modify the share or security permissions. Right now
"Everyone" has full access in the share permissions. I can't even see
the owners there.
Any point in modifying the sysvol folder with setfacl? Where should I
look next?
Oleg
On 2021-03-15 18:53, Rowland penny via samba wrote:
> On 15/03/2021 17:32, Oleg Blyahher via samba wrote:
>> No, it currently has the gidNumber 544 (checked by running samba-tool
>> group edit Administrators).
>>
>> What gid should it have otherwise? Something in the 5000-6000 range?
>
>
> Perhaps I should have said "does the 'Administrators' group have a
> gidNumber".
>
> So, in the Administrators object in AD there is this line:
>
> gidNumber: 544
>
> If so, edit the group again and remove that line, 'Administrators'
> should not have a gidNumber, it just turns 'Administrators' into a
> group. You are probably now thinking 'What' ? Administrators is a
> group, well yes, but it is a Windows group and Windows groups can
> 'own' things like a user, something that doesn't happen on Unix. To
> allow this on a Samba DC (Administrators has to own things in Sysvol),
> groups are mapped to 'ID_TYPE_BOTH' in idmap.ldb, giving a group a
> gidNumber breaks this.
>
> This applies to all the groups in the 'Well Known SIDs' (basically the
> groups created by a provision), apart from Domain Users.
>
> Rowland
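One way to check for the gidNumber problem Rowland describes across all provision-created groups, as an added example that is not from this thread or from the Samba project: it parses an LDIF-style group dump (the sample below is constructed; a real one would come from ldbsearch against sam.ldb with objectSid shown as a SID string) and flags groups that carry a gidNumber while being well known, exempting Domain Users. Treating BUILTIN groups (S-1-5-32-*) and domain groups with a RID below 1000 as the 'Well Known SIDs' is my assumption.

```python
"""Flag provision-created ('well known') AD groups that carry a gidNumber.

Added example, not from the mailing-list thread or Samba. Input is an
LDIF-style dump of group objects; SAMPLE_LDIF below is constructed.
"""
import re

# Constructed sample: one BUILTIN group wrongly given a gidNumber, Domain Users
# (allowed to have one), Domain Admins without one, and an ordinary Unix group.
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
cn: Administrators
objectSid: S-1-5-32-544
gidNumber: 544

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
cn: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
cn: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512

dn: CN=unixadmins,CN=Users,DC=samdom,DC=example,DC=com
cn: unixadmins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10005
"""

BUILTIN_PREFIX = "S-1-5-32-"   # BUILTIN groups such as Administrators (544)
DOMAIN_PREFIX = "S-1-5-21-"    # domain SIDs; RID is the last component
DOMAIN_USERS_RID = 513         # the one provision group that may keep a gidNumber


def parse_ldif(text):
    """Split an LDIF dump into one {attribute: value} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key] = value
        entries.append(attrs)
    return entries


def rid(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def is_well_known_group(sid):
    """Assumption: BUILTIN groups and domain groups with RID < 1000 are provision-created."""
    return sid.startswith(BUILTIN_PREFIX) or (sid.startswith(DOMAIN_PREFIX) and rid(sid) < 1000)


def groups_with_bad_gidnumber(ldif_text):
    """Return cn of well-known groups carrying a gidNumber, except Domain Users."""
    bad = []
    for e in parse_ldif(ldif_text):
        sid = e.get("objectSid", "")
        if "gidNumber" not in e or not is_well_known_group(sid):
            continue
        if sid.startswith(DOMAIN_PREFIX) and rid(sid) == DOMAIN_USERS_RID:
            continue
        bad.append(e.get("cn", e["dn"]))
    return bad


if __name__ == "__main__":
    for name in groups_with_bad_gidnumber(SAMPLE_LDIF):
        print(f"{name}: remove gidNumber so the ID_TYPE_BOTH mapping in idmap.ldb applies")
```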