I don't know if the problem with the command samba-tool gpo aclcheck
is connected with the original problem, but it is necessary to resolve all
warnings.
I set log level = 5 to check the report.
This is the output:
root at DC04:~# samba-tool gpo aclcheck
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain EXAMPLE.COM
finddcs: looking for SRV records for _ldap._tcp.EXAMPLE.COM
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.EXAMPLE.COM<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
ads_dns_lookup_srv: 5 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.50.58'
finddcs: DNS SRV response 1 at '192.168.50.55'
finddcs: DNS SRV response 2 at '192.168.50.56'
finddcs: DNS SRV response 3 at '192.168.50.204'
finddcs: DNS SRV response 4 at '192.168.50.57'
finddcs: performing CLDAP query on 192.168.50.58
finddcs: Found matching DC 192.168.50.58 with server_type=0x000013fd
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain EXAMPLE.COM
finddcs: looking for SRV records for _ldap._tcp.EXAMPLE.COM
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.EXAMPLE.COM<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
ads_dns_lookup_srv: 5 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.50.58'
finddcs: DNS SRV response 1 at '192.168.50.55'
finddcs: DNS SRV response 2 at '192.168.50.56'
finddcs: DNS SRV response 3 at '192.168.50.204'
finddcs: DNS SRV response 4 at '192.168.50.57'
finddcs: performing CLDAP query on 192.168.50.58
finddcs: Found matching DC 192.168.50.58 with server_type=0x000013fd
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
dc04.clinicaguemes.com.ar<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 325
Received smb_krb5 packet of length 1370
Received smb_krb5 packet of length 1348
Received smb_krb5 packet of length 1341
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
dc04.clinicaguemes.com.ar<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for DC04$@EXAMPLE.COM will expire in 35999 secs
Received smb_krb5 packet of length 1348
Received smb_krb5 packet of length 1341
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]
On Sun, 26 May 2019 at 14:50, Epsilon Minus
(<theepsilonminus at gmail.com>) wrote:
> Hello. I have a problem with GPO management. Sorry, my English is not the
> best.
>
> On Windows, in GPO management, the system sends me this error:
>
>
> "The permissions for this GPO in the SYSVOL folder are inconsistent
> with those in Active Directory. It is recommended that these permissions
> be consistent. To change the SYSVOL permissions to those in Active
> Directory, click OK.
> For more information, see the Microsoft Knowledge Base article:
> http://go.microsoft.com/fwlink/?LinkId=20066"
>
> It asks me if I want to resolve it; if I press "yes" the system prints
> "access denied".
>
>
>
> my smb.conf
>
> root at DC04:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DC04
> realm = EXAMPLE.COM
> server role = active directory domain controller
> workgroup = EXAMPLE
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
> dns forwarder = 8.8.8.8
> log level = 2
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> root at DC04:~# samba-tool ntacl sysvolreset | head -f10
> head: invalid option -- 'f'
> Try 'head --help' for more information.
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service Unknown Service
(snum
> == -1)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service Unknown Service
(snum
> == -1)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode
= true'
> and 'force unknown acl user = true' for service sysvol
>
> continues...
>
> I set log level = 3
>
> root at DC04:~# samba-tool gpo aclcheck
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.EXAMPLE.COM<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.EXAMPLE.COM<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc04.clinicaguemes.com.ar<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc04.clinicaguemes.com.ar<0x20>
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>
>
> I don't know how to diagnose this problem.
>
> Thanks !
>
> Epsilon