On Fri, 2022-02-18 at 14:38 -0700, David Mulder via samba wrote:
> On 2/18/22 2:16 PM, Matt via samba <samba at lists.samba.org> wrote:
> > Somewhere along the way my SYSVOL permissions got messed up. I can't
> > change anything from windows as a domain admin user. I get a message
> > that I don't have permissions. I'm not sure even where to begin with
> > this problem and any direction would be appreciated.
>
> Try doing a `samba-tool ntacl sysvolreset`

I did try that but it didn't help. I did read in some places about being cautious with that if you already have GPOs, which I do. I wonder if that may be why this is no longer working.

I just removed the requirement from the samba share configuration on sysvol to limit to root. Maybe I've broken something in the mapping of "Domain Admins" to root?

On 18-02-2022 22:59, Matt via samba wrote:
> On Fri, 2022-02-18 at 14:38 -0700, David Mulder via samba wrote:
>> On 2/18/22 2:16 PM, Matt via samba <samba at lists.samba.org> wrote:
>>> Somewhere along the way my SYSVOL permissions got messed up. I can't
>>> change anything from windows as a domain admin user. I get a message
>>> that I don't have permissions. I'm not sure even where to begin with
>>> this problem and any direction would be appreciated.
>>
>> Try doing a `samba-tool ntacl sysvolreset`
>
> I did try that but it didn't help. I did read in some places about
> being cautious with that if you already have GPOs, which I do. I wonder
> if that may be why this is no longer working.
>
> I just removed the requirement from the samba share configuration on
> sysvol to limit to root. Maybe I've broken something in the mapping of
> "Domain Admins" to root?

I am using 'samba-tool ntacl sysvolreset' after every change on sysvol (but on 4.15.5), I have not experienced issues with it.

I have left the sysvol definition in /etc/samba/smb.conf default, which is:

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit

As there are no limitations here, access is entirely arranged by ntacls on filesystem objects in the share path. When you mess up those, the 'sysvolreset' command is there to the rescue.

- Kees

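As an added example (not part of Kees's message and not Samba's own tooling): a shell function that lists the settings in the [sysvol] section of an smb.conf that limit or override access at the share level, which is the kind of change discussed above. The function name, the set of parameters it checks and the sample input are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. sysvol_share_limits [FILE] prints every
# setting in the [sysvol] section that limits or overrides access at the share
# level; no output means only the NT ACLs on the files decide.
# Reads standard input when FILE is omitted. Continuation lines (trailing
# backslash) are not handled.
sysvol_share_limits() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                     # skip comment lines
    /^[ \t]*\[/ {                              # section header, e.g. [sysvol]
        name = $0
        sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        in_sysvol = (tolower(trim(name)) == "sysvol")
        next
    }
    in_sysvol && index($0, "=") {
        eq  = index($0, "=")
        raw = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        key = tolower(raw); gsub(/[ \t]/, "", key)   # names ignore case and spaces
        low = tolower(val)
        if (key ~ /^(validusers|invalidusers|adminusers|readlist|writelist|forceuser|forcegroup|hostsallow|hostsdeny)$/)
            print raw " = " val
        else if (key == "readonly" && low ~ /^(yes|true|on|1)$/)
            print raw " = " val
        else if (key ~ /^(writeable|writable|writeok)$/ && low ~ /^(no|false|off|0)$/)
            print raw " = " val
    }' "${1:--}"
}

# Constructed sample: the default share quoted above plus one assumed restriction.
sysvol_share_limits <<'EOF'
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = dfs_samba4, acl_xattr, full_audit
        valid users = root
EOF
```

Run it against the DC's configuration with `sysvol_share_limits /etc/samba/smb.conf`; an empty result matches the default share definition quoted above.
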
On Fri, 2022-02-18 at 13:59 -0800, Matt via samba wrote:
> On Fri, 2022-02-18 at 14:38 -0700, David Mulder via samba wrote:
> > On 2/18/22 2:16 PM, Matt via samba <samba at lists.samba.org> wrote:
> > > Somewhere along the way my SYSVOL permissions got messed up. I can't
> > > change anything from windows as a domain admin user. I get a message
> > > that I don't have permissions. I'm not sure even where to begin with
> > > this problem and any direction would be appreciated.
> >
> > Try doing a `samba-tool ntacl sysvolreset`
>
> I did try that but it didn't help. I did read in some places about
> being cautious with that if you already have GPOs, which I do. I wonder
> if that may be why this is no longer working.
>
> I just removed the requirement from the samba share configuration on
> sysvol to limit to root. Maybe I've broken something in the mapping of
> "Domain Admins" to root?

There is only a problem with sysvolreset if you do two things:

    Add any extra GPO's
    Give 'Domain Admins' a gidNumber attribute

You also shouldn't map 'Domain Admins' to root (incidentally, how have you done this?)

It may help if you post your smb.conf from the DC and explain any changes you may have made to the DC.

Rowland