Good morning people, I make the case that Achim Gottinger passed. samba-tool ntacl sysvolreset and received the following information: Segmentation fault (core of the recorded image) then sent a samba-tool ntacl sysvolcheck and received the following: ERROR (<type 'exceptions.TypeError'>): uncaught exception - (61 'No data available') File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run self.run return (* args, ** kwargs) File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run lp) File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1717, in checksysvolacl fsacl = getntacl (lp, dir_path, direct_db_access = direct_db_access, service = SYSVOL_SERVICE) File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl xattr.XATTR_NTACL_NAME) Will there this the source of my problem? hehehehe Remembering that I'm using Centos 7 and Samba version 4.1.17-Sernet-RedHat-11.el7 Sincerely, Gabriel Franca> Em 22/05/2015, ?(s) 11:22, Achim Gottinger <achim at ag-web.biz> escreveu: > > Hello Gabriel, > > I recommend you use > > gpupdate /force > > on the windows command line after login. > The results of above command can be checked afterwards with the "gpresults" command. > > Can be you have an permission problem on your samba server. Only skimmed ofver the thread but did you try > samba-tools ntacl sysvolreset > on your samba server? > > achim~ > > Am 22.05.2015 um 12:08 schrieb Gabriel Franca: >> Good morning Daniel, >> >> The amendment that I spoke have to be done on the server. >> >> All user created in Samba4 receives the "Domain Users" group as primary. >> >> I did several tests on the GPO to no avail. >> >> When I took the User of the "Domain Users" and put in "Domain Admins" the GPO to make any changes now operates. >> >> I believe that because of the "Domain Users" did not have privileges to edit the GPO record in the station can not be applied. >> >> I wonder if the guys who are using Samba 4, is using successfully GPOS the "Domain Users" >> >> Sincerely, >> >> Gabriel Franca >> >> >> >>> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n <danielmadrid19 at gmail.com> escreveu: >>> >>> >>> >>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> <mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>>: >>> >>> I found it strange more and something I have already noticed a while. >>> >>> No GPO is applied when the User is the "Domain Users", so I wonder if I'm doing something wrong or I have to change something. >>> >>> I believe the "Domain Users" are not allowed to change the Windows registry so the issue. >>> >>> Sincerely, >>> >>> Gabriel Franca >>> >>> >>> I don't know if is a Windows problem, but i've got the same behavior trying to set Firewall rules. I've fixed the problem changing the "Domain Users" in GPO "Security Filter" for "Authenticated Users" and now is working fine. >>> >>> I hope this help. >>> >>> Greetings!! >>> >>>> Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>>> escreveu: >>>> >>>> Good morning everyone, >>>> >>>> Gabriel: I haven't had a chance to test this yet, but I'm also needing the same IE: Domain Users to have the GPO applied. Did you come right with this? >>>> >>>> Andrey: Thank you for letting me know about the SysVol replication across DC's, I haven't enabled this yet and will be doing so, is there anything I should watch out for? I'll just be using the "https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication> <https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication>> <https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication> <https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication>>>" because I don't require Bi-Directional Replication. >>>> >>>> Thank you. >>>> >>>> Regards. >>>> >>>> Neil Wilson. >>>> >>>> >>>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> <mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>> <mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>>> wrote: >>>> Good morning friends !!! >>>> >>>> I am following this topic and performed some tests to validate the process and noted the following. >>>> >>>> 1) when the User is the "Domain Users" GPO is not applied. >>>> >>>> 2) when the user is the "Domain Admins" the GPO is applied. >>>> >>>> Is there any way to apply the GPOS "Domain Users" ??? >>>> >>>> Sincerely, >>>> >>>> Gabriel Franca >>>> >>>> >>>>> Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>>>> escreveu: >>>>> >>>>> Hi Louis, >>>>> >>>>> Thank you very much for your speedy response. I'll definitely go ahead and >>>>> investigate further. >>>>> >>>>> Much appreciated. >>>>> >>>>> Regards. >>>>> >>>>> Neil Wilson. >>>>> >>>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>>> wrote: >>>>> >>>>>> yes, this is possible, by GPO. >>>>>> >>>>>> In GPO, go to: >>>>>> (user or computer )Configuration >>>>>> - Policy >>>>>> ? Administrative template >>>>>> ? System >>>>>> ? Removable storage Access >>>>>> >>>>>> Play with these settings to get what you want. >>>>>> >>>>>> for Managing Hardware Restrictions via Group Policy read : >>>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx>>> >>>>>> >>>>>> >>>>>> Greetz, >>>>>> >>>>>> Louis >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> -----Oorspronkelijk bericht----- >>>>>>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>>> >>>>>>> [mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org> <mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org>> <mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org> <mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org>>>] Namens Neil >>>>>>> Verzonden: woensdag 20 mei 2015 12:10 >>>>>>> Aan: samba >>>>>>> Onderwerp: [Samba] Samba4 Disable USB ports >>>>>>> >>>>>>> Hi guys, >>>>>>> >>>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4 >>>>>>> Samba4 DC's all joined to the same AD domain myorg.local >>>>>>> >>>>>>> My client wants me to disable all USB ports for all the users >>>>>>> joined to the >>>>>>> domain. >>>>>>> >>>>>>> Is it possible to do this via a group policy so that users >>>>>>> logging onto any >>>>>>> of the DC's will not be able to use their USB ports? >>>>>>> >>>>>>> I currently admin my AD with a combination of the samba-tool >>>>>>> as well as the >>>>>>> AD Users and Groups MMC Windows utility. >>>>>>> >>>>>>> Any guidance is greatly appreciated. >>>>>>> >>>>>>> Thank you. >>>>>>> >>>>>>> Regards. >>>>>>> >>>>>>> Neil Wilson >>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>>> >>>>>>> >>>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>>> >>>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>
Hello Gabriel, Am 22.05.2015 um 15:23 schrieb Gabriel Franca:> Good morning people, > > I make the case that Achim Gottinger passed. > > samba-tool ntacl sysvolreset and received the following information: > Segmentation fault (core of the recorded image) > > then sent a samba-tool ntacl sysvolcheck and received the following: > ERROR (<type 'exceptions.TypeError'>): uncaught exception - (61 'No > data available') > File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", > line 175, in _run > self.run return (* args, ** kwargs) > File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", > line 249, in run > lp) > File > "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line > 1717, in checksysvolacl > fsacl = getntacl (lp, dir_path, direct_db_access = > direct_db_access, service = SYSVOL_SERVICE) > File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line 73, > in getntacl > xattr.XATTR_NTACL_NAME) > > Will there this the source of my problem? hehehehe > > Remembering that I'm using Centos 7 and Samba version > 4.1.17-Sernet-RedHat-11.el7 > > Sincerely, > > Gabriel Franca > >This error looks like you have not enabled xattrs on the partition sysvol resides. In case it is an ext3/4 partition do you have acl and user_xattr in the mount options? What is the output of attr -l /var/lib/samba/sysvol use the localtion of the sysvol folder on your server in above example. On my server i get Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol achim~> >> Em 22/05/2015, ?(s) 11:22, Achim Gottinger <achim at ag-web.biz >> <mailto:achim at ag-web.biz>> escreveu: >> >> Hello Gabriel, >> >> I recommend you use >> >> gpupdate /force >> >> on the windows command line after login. >> The results of above command can be checked afterwards with the >> "gpresults" command. >> >> Can be you have an permission problem on your samba server. Only >> skimmed ofver the thread but did you try >> samba-tools ntacl sysvolreset >> on your samba server? >> >> achim~ >> >> Am 22.05.2015 um 12:08 schrieb Gabriel Franca: >>> Good morning Daniel, >>> >>> The amendment that I spoke have to be done on the server. >>> >>> All user created in Samba4 receives the "Domain Users" group as primary. >>> >>> I did several tests on the GPO to no avail. >>> >>> When I took the User of the "Domain Users" and put in "Domain >>> Admins" the GPO to make any changes now operates. >>> >>> I believe that because of the "Domain Users" did not have privileges >>> to edit the GPO record in the station can not be applied. >>> >>> I wonder if the guys who are using Samba 4, is using successfully >>> GPOS the "Domain Users" >>> >>> Sincerely, >>> >>> Gabriel Franca >>> >>> >>> >>>> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n >>>> <danielmadrid19 at gmail.com <mailto:danielmadrid19 at gmail.com>> escreveu: >>>> >>>> >>>> >>>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com >>>> <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com>>: >>>> >>>> I found it strange more and something I have already noticed a while. >>>> >>>> No GPO is applied when the User is the "Domain Users", so I wonder >>>> if I'm doing something wrong or I have to change something. >>>> >>>> I believe the "Domain Users" are not allowed to change the Windows >>>> registry so the issue. >>>> >>>> Sincerely, >>>> >>>> Gabriel Franca >>>> >>>> >>>> I don't know if is a Windows problem, but i've got the same >>>> behavior trying to set Firewall rules. I've fixed the problem >>>> changing the "Domain Users" in GPO "Security Filter" for >>>> "Authenticated Users" and now is working fine. >>>> >>>> I hope this help. >>>> >>>> Greetings!! >>>> >>>>> Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com >>>>> <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com>> escreveu: >>>>> >>>>> Good morning everyone, >>>>> >>>>> Gabriel: I haven't had a chance to test this yet, but I'm also >>>>> needing the same IE: Domain Users to have the GPO applied. Did you >>>>> come right with this? >>>>> >>>>> Andrey: Thank you for letting me know about the SysVol replication >>>>> across DC's, I haven't enabled this yet and will be doing so, is >>>>> there anything I should watch out for? I'll just be using the >>>>> "https://wiki.samba.org/index.php/SysVol_Replication<https://wiki.samba.org/index.php/SysVol_Replication> >>>>> <https://wiki.samba.org/index.php/SysVol_Replication<https://wiki.samba.org/index.php/SysVol_Replication>>" >>>>> because I don't require Bi-Directional Replication. >>>>> >>>>> Thank you. >>>>> >>>>> Regards. >>>>> >>>>> Neil Wilson. >>>>> >>>>> >>>>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca >>>>> <gabriel.franca at gmail.com >>>>> <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com> >>>>> <mailto:gabriel.franca at gmail.com<mailto:gabriel.franca at gmail.com>>> wrote: >>>>> Good morning friends !!! >>>>> >>>>> I am following this topic and performed some tests to validate the >>>>> process and noted the following. >>>>> >>>>> 1) when the User is the "Domain Users" GPO is not applied. >>>>> >>>>> 2) when the user is the "Domain Admins" the GPO is applied. >>>>> >>>>> Is there any way to apply the GPOS "Domain Users" ??? >>>>> >>>>> Sincerely, >>>>> >>>>> Gabriel Franca >>>>> >>>>> >>>>>> Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com >>>>>> <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com> >>>>>> <mailto:nwilson123 at gmail.com<mailto:nwilson123 at gmail.com>>> escreveu: >>>>>> >>>>>> Hi Louis, >>>>>> >>>>>> Thank you very much for your speedy response. I'll definitely go >>>>>> ahead and >>>>>> investigate further. >>>>>> >>>>>> Much appreciated. >>>>>> >>>>>> Regards. >>>>>> >>>>>> Neil Wilson. >>>>>> >>>>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle >>>>>> <belle at bazuin.nl <mailto:belle at bazuin.nl><mailto:belle at bazuin.nl> >>>>>> <mailto:belle at bazuin.nl<mailto:belle at bazuin.nl>>> wrote: >>>>>> >>>>>>> yes, this is possible, by GPO. >>>>>>> >>>>>>> In GPO, go to: >>>>>>> (user or computer )Configuration >>>>>>> - Policy >>>>>>> ? Administrative template >>>>>>> ? System >>>>>>> ? Removable storage Access >>>>>>> >>>>>>> Play with these settings to get what you want. >>>>>>> >>>>>>> for Managing Hardware Restrictions via Group Policy read : >>>>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx<http://technet.microsoft.com/en-us/magazine/cc138012.aspx> >>>>>>> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx<http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> >>>>>>> >>>>>>> >>>>>>> Greetz, >>>>>>> >>>>>>> Louis >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>> Van:nwilson123 at gmail.com >>>>>>>> <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com> >>>>>>>> <mailto:nwilson123 at gmail.com<mailto:nwilson123 at gmail.com>> >>>>>>>> [mailto:samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org> >>>>>>>> <mailto:samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org>>] >>>>>>>> Namens Neil >>>>>>>> Verzonden: woensdag 20 mei 2015 12:10 >>>>>>>> Aan: samba >>>>>>>> Onderwerp: [Samba] Samba4 Disable USB ports >>>>>>>> >>>>>>>> Hi guys, >>>>>>>> >>>>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with >>>>>>>> another 4 >>>>>>>> Samba4 DC's all joined to the same AD domain myorg.local >>>>>>>> >>>>>>>> My client wants me to disable all USB ports for all the users >>>>>>>> joined to the >>>>>>>> domain. >>>>>>>> >>>>>>>> Is it possible to do this via a group policy so that users >>>>>>>> logging onto any >>>>>>>> of the DC's will not be able to use their USB ports? >>>>>>>> >>>>>>>> I currently admin my AD with a combination of the samba-tool >>>>>>>> as well as the >>>>>>>> AD Users and Groups MMC Windows utility. >>>>>>>> >>>>>>>> Any guidance is greatly appreciated. >>>>>>>> >>>>>>>> Thank you. >>>>>>>> >>>>>>>> Regards. >>>>>>>> >>>>>>>> Neil Wilson >>>>>>>> -- >>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>> instructions: >>>>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>>>>> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>>> >>>>>>>> >>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: >>>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>>>> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: >>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>>> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: >>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >
Hello Gabriel, I recommend you use gpupdate /force on the windows command line after login. The results of above command can be checked afterwards with the "gpresults" command. Can be you have an permission problem on your samba server. Only skimmed ofver the thread but did you try samba-tools ntacl sysvolreset on your samba server? achim~ Am 22.05.2015 um 12:08 schrieb Gabriel Franca:> Good morning Daniel, > > The amendment that I spoke have to be done on the server. > > All user created in Samba4 receives the "Domain Users" group as primary. > > I did several tests on the GPO to no avail. > > When I took the User of the "Domain Users" and put in "Domain Admins" the GPO to make any changes now operates. > > I believe that because of the "Domain Users" did not have privileges to edit the GPO record in the station can not be applied. > > I wonder if the guys who are using Samba 4, is using successfully GPOS the "Domain Users" > > Sincerely, > > Gabriel Franca > > > >> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n <danielmadrid19 at gmail.com> escreveu: >> >> >> >> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>: >> >> I found it strange more and something I have already noticed a while. >> >> No GPO is applied when the User is the "Domain Users", so I wonder if I'm doing something wrong or I have to change something. >> >> I believe the "Domain Users" are not allowed to change the Windows registry so the issue. >> >> Sincerely, >> >> Gabriel Franca >> >> >> I don't know if is a Windows problem, but i've got the same behavior trying to set Firewall rules. I've fixed the problem changing the "Domain Users" in GPO "Security Filter" for "Authenticated Users" and now is working fine. >> >> I hope this help. >> >> Greetings!! >> >> >>> Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> escreveu: >>> >>> Good morning everyone, >>> >>> Gabriel: I haven't had a chance to test this yet, but I'm also needing the same IE: Domain Users to have the GPO applied. Did you come right with this? >>> >>> Andrey: Thank you for letting me know about the SysVol replication across DC's, I haven't enabled this yet and will be doing so, is there anything I should watch out for? I'll just be using the "https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication> <https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication>>" because I don't require Bi-Directional Replication. >>> >>> Thank you. >>> >>> Regards. >>> >>> Neil Wilson. >>> >>> >>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> <mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>> wrote: >>> Good morning friends !!! >>> >>> I am following this topic and performed some tests to validate the process and noted the following. >>> >>> 1) when the User is the "Domain Users" GPO is not applied. >>> >>> 2) when the user is the "Domain Admins" the GPO is applied. >>> >>> Is there any way to apply the GPOS "Domain Users" ??? >>> >>> Sincerely, >>> >>> Gabriel Franca >>> >>> >>>> Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>>> escreveu: >>>> >>>> Hi Louis, >>>> >>>> Thank you very much for your speedy response. I'll definitely go ahead and >>>> investigate further. >>>> >>>> Much appreciated. >>>> >>>> Regards. >>>> >>>> Neil Wilson. >>>> >>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: >>>> >>>>> yes, this is possible, by GPO. >>>>> >>>>> In GPO, go to: >>>>> (user or computer )Configuration >>>>> - Policy >>>>> ? Administrative template >>>>> ? System >>>>> ? Removable storage Access >>>>> >>>>> Play with these settings to get what you want. >>>>> >>>>> for Managing Hardware Restrictions via Group Policy read : >>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> >>>>> >>>>> >>>>> Greetz, >>>>> >>>>> Louis >>>>> >>>>> >>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> >>>>>> [mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org> <mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org>>] Namens Neil >>>>>> Verzonden: woensdag 20 mei 2015 12:10 >>>>>> Aan: samba >>>>>> Onderwerp: [Samba] Samba4 Disable USB ports >>>>>> >>>>>> Hi guys, >>>>>> >>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4 >>>>>> Samba4 DC's all joined to the same AD domain myorg.local >>>>>> >>>>>> My client wants me to disable all USB ports for all the users >>>>>> joined to the >>>>>> domain. >>>>>> >>>>>> Is it possible to do this via a group policy so that users >>>>>> logging onto any >>>>>> of the DC's will not be able to use their USB ports? >>>>>> >>>>>> I currently admin my AD with a combination of the samba-tool >>>>>> as well as the >>>>>> AD Users and Groups MMC Windows utility. >>>>>> >>>>>> Any guidance is greatly appreciated. >>>>>> >>>>>> Thank you. >>>>>> >>>>>> Regards. >>>>>> >>>>>> Neil Wilson >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> >>>>>> >>>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> >>>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>
Hi Gabriel, I"ll answer to the lists email adress. Am 22.05.2015 um 16:54 schrieb Gabriel Franca:> follows the output of the command: > > attr -l / var / lib / samba / sysvol > Attribute "SGI_ACL_FILE" has a 124 byte value for / var / lib / samba > / sysvol > Attribute "SGI_ACL_DEFAULT" has a 124 byte value for / var / lib / > samba / sysvol > Attribute "NTACL" has a 320 byte value for / var / lib / samba / sysvol > > att, > > Gabriel FrancaThank you for the test xfs should have xattrs enabled by default. Can you post your smb.conf here please. Another xattr test i found here https://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html is getfattr -n security.NTACL /var/lib/samba/sysvol Also are there any other errors if you run sysvolreset? achim~> > >> Em 22/05/2015, ?(s) 10:40, Achim Gottinger <achim at ag-web.biz >> <mailto:achim at ag-web.biz>> escreveu: >> >> Hello Gabriel, >> >> >> Am 22.05.2015 um 15:23 schrieb Gabriel Franca: >>> Good morning people, >>> >>> I make the case that Achim Gottinger passed. >>> >>> samba-tool ntacl sysvolreset and received the following information: >>> Segmentation fault (core of the recorded image) >>> >>> then sent a samba-tool ntacl sysvolcheck and received the following: >>> ERROR (<type 'exceptions.TypeError'>): uncaught exception - (61 'No >>> data available') >>> File >>> "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line >>> 175, in _run >>> self.run return (* args, ** kwargs) >>> File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", >>> line 249, in run >>> lp) >>> File >>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >>> line 1717, in checksysvolacl >>> fsacl = getntacl (lp, dir_path, direct_db_access = >>> direct_db_access, service = SYSVOL_SERVICE) >>> File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line >>> 73, in getntacl >>> xattr.XATTR_NTACL_NAME) >>> >>> Will there this the source of my problem? hehehehe >>> >>> Remembering that I'm using Centos 7 and Samba version >>> 4.1.17-Sernet-RedHat-11.el7 >>> >>> Sincerely, >>> >>> Gabriel Franca >>> >>> >> This error looks like you have not enabled xattrs on the partition >> sysvol resides. In case it is an ext3/4 partition do you have acl and >> user_xattr in the mount options? >> >> What is the output of >> >> attr -l /var/lib/samba/sysvol >> >> use the localtion of the sysvol folder on your server in above example. >> On my server i get >> >> Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol >> >> achim~ >>> >>>> Em 22/05/2015, ?(s) 11:22, Achim Gottinger <achim at ag-web.biz >>>> <mailto:achim at ag-web.biz>> escreveu: >>>> >>>> Hello Gabriel, >>>> >>>> I recommend you use >>>> >>>> gpupdate /force >>>> >>>> on the windows command line after login. >>>> The results of above command can be checked afterwards with the >>>> "gpresults" command. >>>> >>>> Can be you have an permission problem on your samba server. Only >>>> skimmed ofver the thread but did you try >>>> samba-tools ntacl sysvolreset >>>> on your samba server? >>>> >>>> achim~ >>>> >>>> Am 22.05.2015 um 12:08 schrieb Gabriel Franca: >>>>> Good morning Daniel, >>>>> >>>>> The amendment that I spoke have to be done on the server. >>>>> >>>>> All user created in Samba4 receives the "Domain Users" group as >>>>> primary. >>>>> >>>>> I did several tests on the GPO to no avail. >>>>> >>>>> When I took the User of the "Domain Users" and put in "Domain >>>>> Admins" the GPO to make any changes now operates. >>>>> >>>>> I believe that because of the "Domain Users" did not have >>>>> privileges to edit the GPO record in the station can not be applied. >>>>> >>>>> I wonder if the guys who are using Samba 4, is using successfully >>>>> GPOS the "Domain Users" >>>>> >>>>> Sincerely, >>>>> >>>>> Gabriel Franca >>>>> >>>>> >>>>> >>>>>> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n >>>>>> <danielmadrid19 at gmail.com <mailto:danielmadrid19 at gmail.com>> >>>>>> escreveu: >>>>>> >>>>>> >>>>>> >>>>>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca >>>>>> <gabriel.franca at gmail.com >>>>>> <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com>>: >>>>>> >>>>>> I found it strange more and something I have already noticed a while. >>>>>> >>>>>> No GPO is applied when the User is the "Domain Users", so I >>>>>> wonder if I'm doing something wrong or I have to change something. >>>>>> >>>>>> I believe the "Domain Users" are not allowed to change the >>>>>> Windows registry so the issue. >>>>>> >>>>>> Sincerely, >>>>>> >>>>>> Gabriel Franca >>>>>> >>>>>> >>>>>> I don't know if is a Windows problem, but i've got the same >>>>>> behavior trying to set Firewall rules. I've fixed the problem >>>>>> changing the "Domain Users" in GPO "Security Filter" for >>>>>> "Authenticated Users" and now is working fine. >>>>>> >>>>>> I hope this help. >>>>>> >>>>>> Greetings!! >>>>>> >>>>>>> Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com >>>>>>> <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com>> >>>>>>> escreveu: >>>>>>> >>>>>>> Good morning everyone, >>>>>>> >>>>>>> Gabriel: I haven't had a chance to test this yet, but I'm also >>>>>>> needing the same IE: Domain Users to have the GPO applied. Did >>>>>>> you come right with this? >>>>>>> >>>>>>> Andrey: Thank you for letting me know about the SysVol >>>>>>> replication across DC's, I haven't enabled this yet and will be >>>>>>> doing so, is there anything I should watch out for? I'll just be >>>>>>> using the >>>>>>> "https://wiki.samba.org/index.php/SysVol_Replication<https://wiki.samba.org/index.php/SysVol_Replication> >>>>>>> <https://wiki.samba.org/index.php/SysVol_Replication<https://wiki.samba.org/index.php/SysVol_Replication>>" >>>>>>> because I don't require Bi-Directional Replication. >>>>>>> >>>>>>> Thank you. >>>>>>> >>>>>>> Regards. >>>>>>> >>>>>>> Neil Wilson. >>>>>>> >>>>>>> >>>>>>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca >>>>>>> <gabriel.franca at gmail.com >>>>>>> <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com> >>>>>>> <mailto:gabriel.franca at gmail.com<mailto:gabriel.franca at gmail.com>>> >>>>>>> wrote: >>>>>>> Good morning friends !!! >>>>>>> >>>>>>> I am following this topic and performed some tests to validate >>>>>>> the process and noted the following. >>>>>>> >>>>>>> 1) when the User is the "Domain Users" GPO is not applied. >>>>>>> >>>>>>> 2) when the user is the "Domain Admins" the GPO is applied. >>>>>>> >>>>>>> Is there any way to apply the GPOS "Domain Users" ??? >>>>>>> >>>>>>> Sincerely, >>>>>>> >>>>>>> Gabriel Franca >>>>>>> >>>>>>> >>>>>>>> Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com >>>>>>>> <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com> >>>>>>>> <mailto:nwilson123 at gmail.com<mailto:nwilson123 at gmail.com>>> >>>>>>>> escreveu: >>>>>>>> >>>>>>>> Hi Louis, >>>>>>>> >>>>>>>> Thank you very much for your speedy response. I'll definitely >>>>>>>> go ahead and >>>>>>>> investigate further. >>>>>>>> >>>>>>>> Much appreciated. >>>>>>>> >>>>>>>> Regards. >>>>>>>> >>>>>>>> Neil Wilson. >>>>>>>> >>>>>>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle >>>>>>>> <belle at bazuin.nl >>>>>>>> <mailto:belle at bazuin.nl><mailto:belle at bazuin.nl> >>>>>>>> <mailto:belle at bazuin.nl<mailto:belle at bazuin.nl>>> wrote: >>>>>>>> >>>>>>>>> yes, this is possible, by GPO. >>>>>>>>> >>>>>>>>> In GPO, go to: >>>>>>>>> (user or computer )Configuration >>>>>>>>> - Policy >>>>>>>>> ? Administrative template >>>>>>>>> ? System >>>>>>>>> ? Removable storage Access >>>>>>>>> >>>>>>>>> Play with these settings to get what you want. >>>>>>>>> >>>>>>>>> for Managing Hardware Restrictions via Group Policy read : >>>>>>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx<http://technet.microsoft.com/en-us/magazine/cc138012.aspx> >>>>>>>>> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx<http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Greetz, >>>>>>>>> >>>>>>>>> Louis >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>>> Van:nwilson123 at gmail.com >>>>>>>>>> <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com> >>>>>>>>>> <mailto:nwilson123 at gmail.com<mailto:nwilson123 at gmail.com>> >>>>>>>>>> [mailto:samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org> >>>>>>>>>> <mailto:samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org>>] >>>>>>>>>> Namens Neil >>>>>>>>>> Verzonden: woensdag 20 mei 2015 12:10 >>>>>>>>>> Aan: samba >>>>>>>>>> Onderwerp: [Samba] Samba4 Disable USB ports >>>>>>>>>> >>>>>>>>>> Hi guys, >>>>>>>>>> >>>>>>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with >>>>>>>>>> another 4 >>>>>>>>>> Samba4 DC's all joined to the same AD domain myorg.local >>>>>>>>>> >>>>>>>>>> My client wants me to disable all USB ports for all the users >>>>>>>>>> joined to the >>>>>>>>>> domain. >>>>>>>>>> >>>>>>>>>> Is it possible to do this via a group policy so that users >>>>>>>>>> logging onto any >>>>>>>>>> of the DC's will not be able to use their USB ports? >>>>>>>>>> >>>>>>>>>> I currently admin my AD with a combination of the samba-tool >>>>>>>>>> as well as the >>>>>>>>>> AD Users and Groups MMC Windows utility. >>>>>>>>>> >>>>>>>>>> Any guidance is greatly appreciated. >>>>>>>>>> >>>>>>>>>> Thank you. >>>>>>>>>> >>>>>>>>>> Regards. >>>>>>>>>> >>>>>>>>>> Neil Wilson >>>>>>>>>> -- >>>>>>>>>> To unsubscribe from this list go to the following URL and >>>>>>>>>> read the >>>>>>>>>> instructions: >>>>>>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>>>>>>> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> -- >>>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>>> instructions: >>>>>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>>>>>> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>>>> >>>>>>>> -- >>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>> instructions: >>>>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>>>>> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: >>>>>> https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> >> >
Good morning List On Friday I had to leave so I could no longer continue with our lab. Weekend and holy all have to rest as much as possible. = D So I'm back and I will put the smb.conf for analysis. # Global parameters [global] workgroup = CMC realm = CMC.CORP netbios name = SAMBA server role = active directory domain controller dns forwarder = 172.16.1.1 # Habilitar Impressoras. printing = cups load printers = yes #Ativar a internacionalizacao: permitir caracteres acentuados pelo windows dos charset = CP850 unix charset = ISO8859-1 # Tratar os arquivos que comecam com "." como ocultos para maquinas Windows hidedotfiles = yes # nao tentar fazer um lock nestes arquivos veto files = /*.mp3/*.nws/*.{*}/ veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/ #Auditoria de Arquivos vfs objects = full_audit recycle full_audit:success = open, opendir, write, unlink, rename, mkdir, rmdir, chmod, chown full_audit:prefix = %u|%I|%S full_audit:failure = none full_audit:facility = local5 full_audit:priority = notice #Lixeira individual recycle:keeptree = yes recycle:versions = yes recycle:repository = /dados/trash/%U recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso recycle:exclude_dir = tmp, cache [netlogon] # path = /var/lib/samba/sysvol/cmc.corp/scripts path = /dados/scripts read only = No acl_xattr:ignore system acl = yes [sysvol] path = /var/lib/samba/sysvol read only = No acl_xattr:ignore system acl = yes [home] comment = Diretorio Pessoal de Cada Usuario path = /dados/users/%U browseable = No read only = No [dpto] comment = Pasta Departamental path = /dados/dpto read only = No #Bloqueio de extensoes de midia no samba veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe #nao tentar fazer um lock nesses arquivos veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/ [share] comment = Pasta Compartilhada path = /dados/share read only = No #Bloqueio de extensoes de midia no samba # veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe #nao tentar fazer um lock nesses arquivos veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/ [lixeira] path = /dados/trash/%U read only = No [printers] comment = Todas as Impressoras path = /var/spool/samba print ok = yes guest ok = yes browseable = yes if possible give any tips to improve my setup will be very grateful. Sincerely, Gabriel Franca> Em 22/05/2015, ?(s) 12:26, Achim Gottinger <achim at ag-web.biz> escreveu: > > Hi Gabriel, > > I"ll answer to the lists email adress. > > Am 22.05.2015 um 16:54 schrieb Gabriel Franca: >> follows the output of the command: >> >> attr -l / var / lib / samba / sysvol >> Attribute "SGI_ACL_FILE" has a 124 byte value for / var / lib / samba / sysvol >> Attribute "SGI_ACL_DEFAULT" has a 124 byte value for / var / lib / samba / sysvol >> Attribute "NTACL" has a 320 byte value for / var / lib / samba / sysvol >> >> att, >> >> Gabriel Franca > Thank you for the test xfs should have xattrs enabled by default. Can you post your smb.conf here please. > > Another xattr test i found here https://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html is > > getfattr -n security.NTACL /var/lib/samba/sysvol > > Also are there any other errors if you run sysvolreset? > > achim~ >> >> >>> Em 22/05/2015, ?(s) 10:40, Achim Gottinger <achim at ag-web.biz <mailto:achim at ag-web.biz>> escreveu: >>> >>> Hello Gabriel, >>> >>> >>> Am 22.05.2015 um 15:23 schrieb Gabriel Franca: >>>> Good morning people, >>>> >>>> I make the case that Achim Gottinger passed. >>>> >>>> samba-tool ntacl sysvolreset and received the following information: >>>> Segmentation fault (core of the recorded image) >>>> >>>> then sent a samba-tool ntacl sysvolcheck and received the following: >>>> ERROR (<type 'exceptions.TypeError'>): uncaught exception - (61 'No data available') >>>> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run >>>> self.run return (* args, ** kwargs) >>>> File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run >>>> lp) >>>> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1717, in checksysvolacl >>>> fsacl = getntacl (lp, dir_path, direct_db_access = direct_db_access, service = SYSVOL_SERVICE) >>>> File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl >>>> xattr.XATTR_NTACL_NAME) >>>> >>>> Will there this the source of my problem? hehehehe >>>> >>>> Remembering that I'm using Centos 7 and Samba version 4.1.17-Sernet-RedHat-11.el7 >>>> >>>> Sincerely, >>>> >>>> Gabriel Franca >>>> >>>> >>> This error looks like you have not enabled xattrs on the partition sysvol resides. In case it is an ext3/4 partition do you have acl and user_xattr in the mount options? >>> >>> What is the output of >>> >>> attr -l /var/lib/samba/sysvol >>> >>> use the localtion of the sysvol folder on your server in above example. >>> On my server i get >>> >>> Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol >>> >>> achim~ >>>> >>>>> Em 22/05/2015, ?(s) 11:22, Achim Gottinger <achim at ag-web.biz <mailto:achim at ag-web.biz>> escreveu: >>>>> >>>>> Hello Gabriel, >>>>> >>>>> I recommend you use >>>>> >>>>> gpupdate /force >>>>> >>>>> on the windows command line after login. >>>>> The results of above command can be checked afterwards with the "gpresults" command. >>>>> >>>>> Can be you have an permission problem on your samba server. Only skimmed ofver the thread but did you try >>>>> samba-tools ntacl sysvolreset >>>>> on your samba server? >>>>> >>>>> achim~ >>>>> >>>>> Am 22.05.2015 um 12:08 schrieb Gabriel Franca: >>>>>> Good morning Daniel, >>>>>> >>>>>> The amendment that I spoke have to be done on the server. >>>>>> >>>>>> All user created in Samba4 receives the "Domain Users" group as primary. >>>>>> >>>>>> I did several tests on the GPO to no avail. >>>>>> >>>>>> When I took the User of the "Domain Users" and put in "Domain Admins" the GPO to make any changes now operates. >>>>>> >>>>>> I believe that because of the "Domain Users" did not have privileges to edit the GPO record in the station can not be applied. >>>>>> >>>>>> I wonder if the guys who are using Samba 4, is using successfully GPOS the "Domain Users" >>>>>> >>>>>> Sincerely, >>>>>> >>>>>> Gabriel Franca >>>>>> >>>>>> >>>>>> >>>>>>> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n <danielmadrid19 at gmail.com <mailto:danielmadrid19 at gmail.com>> escreveu: >>>>>>> >>>>>>> >>>>>>> >>>>>>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com>>: >>>>>>> >>>>>>> I found it strange more and something I have already noticed a while. >>>>>>> >>>>>>> No GPO is applied when the User is the "Domain Users", so I wonder if I'm doing something wrong or I have to change something. >>>>>>> >>>>>>> I believe the "Domain Users" are not allowed to change the Windows registry so the issue. >>>>>>> >>>>>>> Sincerely, >>>>>>> >>>>>>> Gabriel Franca >>>>>>> >>>>>>> >>>>>>> I don't know if is a Windows problem, but i've got the same behavior trying to set Firewall rules. I've fixed the problem changing the "Domain Users" in GPO "Security Filter" for "Authenticated Users" and now is working fine. >>>>>>> >>>>>>> I hope this help. >>>>>>> >>>>>>> Greetings!! >>>>>>> >>>>>>>> Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com>> escreveu: >>>>>>>> >>>>>>>> Good morning everyone, >>>>>>>> >>>>>>>> Gabriel: I haven't had a chance to test this yet, but I'm also needing the same IE: Domain Users to have the GPO applied. Did you come right with this? >>>>>>>> >>>>>>>> Andrey: Thank you for letting me know about the SysVol replication across DC's, I haven't enabled this yet and will be doing so, is there anything I should watch out for? I'll just be using the "https://wiki.samba.org/index.php/SysVol_Replication<https://wiki.samba.org/index.php/SysVol_Replication> <https://wiki.samba.org/index.php/SysVol_Replication<https://wiki.samba.org/index.php/SysVol_Replication>>" because I don't require Bi-Directional Replication. >>>>>>>> >>>>>>>> Thank you. >>>>>>>> >>>>>>>> Regards. >>>>>>>> >>>>>>>> Neil Wilson. >>>>>>>> >>>>>>>> >>>>>>>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com><mailto:gabriel.franca at gmail.com> <mailto:gabriel.franca at gmail.com<mailto:gabriel.franca at gmail.com>>> wrote: >>>>>>>> Good morning friends !!! >>>>>>>> >>>>>>>> I am following this topic and performed some tests to validate the process and noted the following. >>>>>>>> >>>>>>>> 1) when the User is the "Domain Users" GPO is not applied. >>>>>>>> >>>>>>>> 2) when the user is the "Domain Admins" the GPO is applied. >>>>>>>> >>>>>>>> Is there any way to apply the GPOS "Domain Users" ??? >>>>>>>> >>>>>>>> Sincerely, >>>>>>>> >>>>>>>> Gabriel Franca >>>>>>>> >>>>>>>> >>>>>>>>> Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com<mailto:nwilson123 at gmail.com>>> escreveu: >>>>>>>>> >>>>>>>>> Hi Louis, >>>>>>>>> >>>>>>>>> Thank you very much for your speedy response. I'll definitely go ahead and >>>>>>>>> investigate further. >>>>>>>>> >>>>>>>>> Much appreciated. >>>>>>>>> >>>>>>>>> Regards. >>>>>>>>> >>>>>>>>> Neil Wilson. >>>>>>>>> >>>>>>>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl><mailto:belle at bazuin.nl> <mailto:belle at bazuin.nl<mailto:belle at bazuin.nl>>> wrote: >>>>>>>>> >>>>>>>>>> yes, this is possible, by GPO. >>>>>>>>>> >>>>>>>>>> In GPO, go to: >>>>>>>>>> (user or computer )Configuration >>>>>>>>>> - Policy >>>>>>>>>> ? Administrative template >>>>>>>>>> ? System >>>>>>>>>> ? Removable storage Access >>>>>>>>>> >>>>>>>>>> Play with these settings to get what you want. >>>>>>>>>> >>>>>>>>>> for Managing Hardware Restrictions via Group Policy read : >>>>>>>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx<http://technet.microsoft.com/en-us/magazine/cc138012.aspx> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx<http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Greetz, >>>>>>>>>> >>>>>>>>>> Louis >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>>>> Van:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com<mailto:nwilson123 at gmail.com>> >>>>>>>>>>> [mailto:samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org> <mailto:samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org>>] Namens Neil >>>>>>>>>>> Verzonden: woensdag 20 mei 2015 12:10 >>>>>>>>>>> Aan: samba >>>>>>>>>>> Onderwerp: [Samba] Samba4 Disable USB ports >>>>>>>>>>> >>>>>>>>>>> Hi guys, >>>>>>>>>>> >>>>>>>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4 >>>>>>>>>>> Samba4 DC's all joined to the same AD domain myorg.local >>>>>>>>>>> >>>>>>>>>>> My client wants me to disable all USB ports for all the users >>>>>>>>>>> joined to the >>>>>>>>>>> domain. >>>>>>>>>>> >>>>>>>>>>> Is it possible to do this via a group policy so that users >>>>>>>>>>> logging onto any >>>>>>>>>>> of the DC's will not be able to use their USB ports? >>>>>>>>>>> >>>>>>>>>>> I currently admin my AD with a combination of the samba-tool >>>>>>>>>>> as well as the >>>>>>>>>>> AD Users and Groups MMC Windows utility. >>>>>>>>>>> >>>>>>>>>>> Any guidance is greatly appreciated. >>>>>>>>>>> >>>>>>>>>>> Thank you. >>>>>>>>>>> >>>>>>>>>>> Regards. >>>>>>>>>>> >>>>>>>>>>> Neil Wilson >>>>>>>>>>> -- >>>>>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>>>>> >>>>>>>>> -- >>>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba>> >>>>>>>> >>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: https://lists.samba.org/mailman/options/samba<https://lists.samba.org/mailman/options/samba> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
getfattr -n security.NTACL /var/lib/samba/sysvol: getfattr: Removing leading '/' from absolute path names # file: var/lib/samba/sysvol security.NTACL=0sBAAEAAAAAgAEAAIAAQDIfNE105P2UdhFwfWjcmv34BiCg5fIVEaj/j9hplFwGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEpBF3pKj9ABeG1k5vnP6zljcu+heBpvgrk+GlhuKaaipYfP8llvFUIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAFJC0AAAA0AAAAAAAAADgAAAAAQUAAAAAAAUVAAAAaZVmt9XijfMyfpwZ9AEAAAECAAAAAAAFIAAAACACAAAEAGAABAAAAAADGAD/AR8AAQIAAAAAAAUgAAAAIAIAAAADGACpABIAAQIAAAAAAAUgAAAAJQIAAAADFAD/AR8AAQEAAAAAAAUSAAAAAAMUAKkAEgABAQAAAAAABQsAAAA Also are there any other errors if you run sysvolreset? Not only the error that reported. att, Gabriel Franca> Em 22/05/2015, ?(s) 12:26, Achim Gottinger <achim at ag-web.biz> escreveu: > > getfattr -n security.NTACL /var/lib/samba/sysvol