On Fri, 2022-02-18 at 22:08 +0000, Rowland Penny via samba wrote:
> On Fri, 2022-02-18 at 13:59 -0800, Matt via samba wrote:
> > On Fri, 2022-02-18 at 14:38 -0700, David Mulder via samba wrote:
> > > On 2/18/22 2:16 PM, Matt via samba <samba at lists.samba.org> wrote:
> > > > Somewhere along the way my SYSVOL permissions got messed up. I
> > > > can't change anything from Windows as a domain admin user. I get a
> > > > message that I don't have permissions. I'm not sure even where to
> > > > begin with this problem and any direction would be appreciated.
> > > >
> > >
> > > Try doing a `samba-tool ntacl sysvolreset`
> > >
> > I did try that but it didn't help. I did read in some places about
> > being cautious with that if you already have GPOs, which I do. I
> > wonder if that may be why this is no longer working.
> >
> > I just removed the requirement from the samba share configuration
> > on sysvol to limit to root. Maybe I've broken something in the
> > mapping of "Domain Admins" to root?
>
> There is only a problem with sysvolreset if you do two things:
> Add any extra GPOs
> Give 'Domain Admins' a gidNumber attribute
>
I'm not aware of how to give 'Domain Admins' a gidNumber attribute. Is
this something that can happen inadvertently through another action or
is it an explicit action?

> You also shouldn't map 'Domain Admins' to root (incidentally, how have
> you done this?)
>
This was a wild guess. I vaguely remember from back in the day having
to map unix users to windows users.
> It may help if you post your smb.conf from the DC and explain any
> changes you may have made to the DC.
>
The only changes I am aware of were running "samba-tool ntacl
sysvolcheck" and "samba-tool ntacl sysvolreset".
Removing the "valid users = root" line and adding "vfs objects
dfs_samba4 acl_attr full_audit" seems to have given access back to
sysvol.
My config is below:
[global]
dns forwarder = 205.171.3.26 205.171.2.26
name resolve order = wins host bcast
ntlm auth = ntlmv1-permitted
passdb backend = samba_dsdb
realm = COWPOKES.COWBOYSTATETRUCKING.COM
server role = active directory domain controller
workgroup = COWPOKES
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/cowpokes.cowboystatetrucking.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4 acl_xattr full_audit
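As an added pre-flight check for the `samba-tool ntacl sysvolreset` discussion above (example code, not from the thread or from the Samba project): it parses the output of `samba-tool gpo listall` and `samba-tool group show` to flag the two conditions Rowland names, and lists GPOs that have no directory under SYSVOL. The default SYSVOL path, the realm argument and the sample GPO listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run before
# `samba-tool ntacl sysvolreset` (extra GPOs beyond the two provisioned
# defaults, a gidNumber on 'Domain Admins', GPOs with no SYSVOL directory).
# Assumes samba-tool is on PATH with admin credentials; output formats parsed
# are those of `samba-tool gpo listall` and `samba-tool group show`.
SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}

# Print the {GUID} of every GPO in `samba-tool gpo listall` output (stdin).
gpo_guids() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*//p'
}

# Succeed if the LDIF from `samba-tool group show` (stdin) carries a gidNumber.
ldif_has_gidnumber() {
    grep -qi '^gidNumber:'
}

# Count GPOs other than Default Domain Policy and Default Domain Controllers Policy.
count_extra_gpos() {
    gpo_guids | grep -iv -e '{31B2F340-016D-11D2-945F-00C04FB984F9}' \
                         -e '{6AC1786C-016F-11D2-945F-00C04FB984F9}' | wc -l | tr -d ' '
}

# Echo each GUID read from stdin that has no Policies directory under SYSVOL.
missing_gpo_dirs() {
    realm=$1
    while read -r guid; do
        [ -d "$SYSVOL/$realm/Policies/$guid" ] || echo "$guid"
    done
}

# Live run against the DC, e.g.: preflight cowpokes.cowboystatetrucking.com
preflight() {
    realm=$1
    samba-tool group show 'Domain Admins' | ldif_has_gidnumber &&
        echo "WARNING: 'Domain Admins' has a gidNumber"
    listing=$(samba-tool gpo listall)
    echo "extra GPOs beyond the defaults: $(printf '%s\n' "$listing" | count_extra_gpos)"
    printf '%s\n' "$listing" | gpo_guids | missing_gpo_dirs "$realm" | sed 's/^/no SYSVOL dir: /'
}

# Constructed sample of `samba-tool gpo listall` output for offline testing.
SAMPLE_GPOS='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04fB984F9}
display name : Default Domain Controllers Policy
GPO          : {11111111-2222-3333-4444-555555555555}
display name : Constructed Extra Policy'
```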