Rebuild the Corrupt default Group Policy


Samba - General mailing list
Hi,

Is there any way we can rebuild corrupt Default Domain Policy and
Default Domain Controller Policy.

In windows AD we can use dcgpofix utility to recreate the Default Domain
and Domain Controller Policies. Something similar available in Samba AD DC?

--

Thanks & Regards,


Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
Hi Anantha,

On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
> Is there any way we can rebuild corrupt Default Domain Policy and
> Default Domain Controller Policy.

What is broken?



> In windows AD we can use dcgpofix utility to recreate the Default Domain
> and Domain Controller Policies. Something similar available in Samba AD DC?

You can recover the files from your backup and to reset Sysvol/directory
ACLs, run
# samba-tool ntacl sysvolreset


Regards,
Marc


Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
Hello Marc,

> Hi Anantha,
>
> On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
>> Is there any way we can rebuild corrupt Default Domain Policy and
>> Default Domain Controller Policy.
> What is broken?
Entire Default Domain and Default Domain Controller Policies along with
other Policies that we had built are broken.
>> In windows AD we can use dcgpofix utility to recreate the Default Domain
>> and Domain Controller Policies. Something similar available in Samba AD DC?
> You can recover the files from your backup and to reset Sysvol/directory
> ACLs, run
> # samba-tool ntacl sysvolreset
I believe samba-tool ntacl sysvolreset does not function in the manner in
which it is supposed to. I have seen many discussions on this.
> Regards,
> Marc

--

Thanks & Regards,


Anantha Raghava




Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
On Fri, 7 Jul 2017 05:29:30 +0530
Anantha Raghava via samba <[hidden email]> wrote:

> Hello Marc,
>
> > Hi Anantha,
> >
> > On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
> >> Is there any way we can rebuild corrupt Default Domain Policy and
> >> Default Domain Controller Policy.
> > What is broken?
> Entire Default Domain and Default Domain Controller Policies along
> with other Policies that we had built are broken.

I have written a bash script that should do what you need and I have
attached a copy. I haven't tested it (never had need to), but it
should work, it is just a bash interpretation of the python code used
during provision.
It was written on Devuan (Debian without systemd), so if you are using
some other OS, or have moved sysvol (not a good idea), then you may
need to tweak it.
 
> >> In windows AD we can use dcgpofix utility to recreate the Default
> >> Domain and Domain Controller Policies. Something similar available
> >> in Samba AD DC?
> > You can recover the files from your backup and to reset
> > Sysvol/directory ACLs, run
> > # samba-tool ntacl sysvolreset
> I believe samba-tool ntacl sysvolreset does not function in the manner
> in which it is supposed to. I have seen many discussions on this.

The problem with sysvolreset isn't so much with the default policies,
it is with any extra policies you might add, this is further compounded
by giving 'Domain Admins' a gidNumber. 'Domain Admins' needs to own
directories in the extra policies added, it cannot do this if it has a
gidNumber, this is because it is then only a group and a group in Unix
cannot own anything.

In your case, after you have recreated sysvol, I would run sysvolreset,
then add your other policies and then never run sysvolreset again.

Rowland


Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
Hello Rowland,

Thank you very much.  Give me two days of time.  Will test it here in my
setup and give you feedback.

Regards,

Ananth

On 7 Jul 2017 2:39 p.m., "Rowland Penny" <[hidden email]> wrote:

> On Fri, 7 Jul 2017 05:29:30 +0530
> Anantha Raghava via samba <[hidden email]> wrote:
>
> > Hello Marc,
> >
> > > Hi Anantha,
> > >
> > > On 06.07.2017 at 10:02, Anantha Raghava via samba wrote:
> > >> Is there any way we can rebuild corrupt Default Domain Policy and
> > >> Default Domain Controller Policy.
> > > What is broken?
> > Entire Default Domain and Default Domain Controller Policies along
> > with other Policies that we had built are broken.
>
> I have written a bash script that should do what you need and I have
> attached a copy. I haven't tested it (never had need to), but it
> should work, it is just a bash interpretation of the python code used
> during provision.
> It was written on Devuan (Debian without systemd), so if you are using
> some other OS, or have moved sysvol (not a good idea), then you may
> need to tweak it.
>
> > >> In windows AD we can use dcgpofix utility to recreate the Default
> > >> Domain and Domain Controller Policies. Something similar available
> > >> in Samba AD DC?
> > > You can recover the files from your backup and to reset
> > > Sysvol/directory ACLs, run
> > > # samba-tool ntacl sysvolreset
> > I believe samba-tool ntacl sysvolreset does not function in the manner
> > in which it is supposed to. I have seen many discussions on this.
>
> The problem with sysvolreset isn't so much with the default policies,
> it is with any extra policies you might add, this is further compounded
> by giving 'Domain Admins' a gidNumber. 'Domain Admins' needs to own
> directories in the extra policies added, it cannot do this if it has a
> gidNumber, this is because it is then only a group and a group in Unix
> cannot own anything.
>
> In your case, after you have recreated sysvol, I would run sysvolreset,
> then add your other policies and then never run sysvolreset again.
>
> Rowland
>
>

Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
Hello Rowland,

The bash script you shared does not work. It doesn't reset the ACLs as
expected. Finally, I copied the default policies to the Domain
Controller SYSVOL folder and manually set the permissions and Windows
RSAT accepted those changes and it started working properly.

--

Thanks & Regards,


Anantha Raghava


Do not print this e-mail unless required. Save Paper & trees.

Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
This would be a good HOWTO for the wiki ... can you provide details on
restoring default policies?


Kris Lou
[hidden email]

On Thu, Jul 13, 2017 at 6:26 AM, Anantha Raghava via samba <
[hidden email]> wrote:

> Hello Rowland,
>
> The bash script you shared does not work. It doesn't reset the ACLs as
> expected. Finally, I copied the default policies to the Domain Controller
> SYSVOL folder and manually set the permissions and Windows RSAT accepted
> those changes and it started working properly.

Re: Rebuild the Corrupt default Group Policy

Samba - General mailing list
Hello Chris,

Good Morning..

Apologies for the delay in replying to this mail. I was on leave for a while.

To restore, all that we did was to create a separate Domain Controller
in which default policies were created. We noted their ownership and
then copied them to our primary domain controller. Then we changed the
ownership of policy objects to 3000008:3000008 manually using chown.

When we accessed these policies using Windows RSAT, RSAT reported that
it needs to change the ACL and we allowed Windows RSAT to change the ACL
automatically.

That's it. It started working properly.

Then we left the default policies as they were (no changes) and created
new policies as needed using Windows RSAT. All ACLs are now proper and
it is working as expected, normally.

--

Thanks & Regards,


Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 14/07/17 12:49 AM, Kris Lou via samba wrote:

> This would be a good HOWTO for the wiki ... can you provide details on
> restoring default policies?

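Added example (not part of the thread and not Samba's own code): a shell check for the result of the restore described in the last message, confirming that both default GPO folders are present with a GPT.INI and that everything under Policies carries the expected numeric owner and group. The 3000008 IDs are the ones quoted in that message; the sysvol path in the comment, the function names and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a restored sysvol Policies tree.
# GUIDs of the two default GPOs (fixed, well-known values in every AD domain).
DEFAULT_DOMAIN_GPO='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_GPO='{6AC1786C-016D-11D2-945F-00C04FB984F9}'

# audit_policies POLICIES_DIR WANT_UID WANT_GID
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_policies() {
    pol_dir=$1; want_uid=$2; want_gid=$3; findings=0
    for gpo in "$DEFAULT_DOMAIN_GPO" "$DEFAULT_DC_GPO"; do
        if [ ! -d "$pol_dir/$gpo" ]; then
            echo "MISSING-GPO $gpo"; findings=1
        elif [ ! -f "$pol_dir/$gpo/GPT.INI" ]; then
            echo "MISSING-GPT.INI $gpo"; findings=1
        fi
    done
    # Every file and directory must carry the expected numeric owner and group.
    wrong=$(find "$pol_dir" \( ! -user "$want_uid" -o ! -group "$want_gid" \) -print)
    if [ -n "$wrong" ]; then
        printf '%s\n' "$wrong" | sed 's/^/WRONG-OWNER /'
        findings=1
    fi
    return "$findings"
}

# Constructed sample: a minimal default layout in a temp directory, owned by
# whoever runs the script (no root or Samba install needed to try the audit).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    for gpo in "$DEFAULT_DOMAIN_GPO" "$DEFAULT_DC_GPO"; do
        mkdir -p "$root/$gpo/MACHINE" "$root/$gpo/USER"
        printf '[General]\nVersion=0\n' > "$root/$gpo/GPT.INI"
    done
    echo "$root"
}

# Real use on a DC (path is an assumption; the IDs are those from the post):
#   audit_policies /var/lib/samba/sysvol/<realm>/Policies 3000008 3000008
if [ "$#" -eq 3 ]; then audit_policies "$@"; fi
```

Run it before opening the policies in RSAT and again afterwards; an empty result with exit status 0 means the layout and ownership match what was intended.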