On 6/3/2015 11:43 AM, Ryan Ashley wrote:
> James, I cloned it using git. I installed it to a private partition
> (/samba) back when I was first testing Samba4. It is in the path and
> this worked for ages, but recently just stopped. No errors, no warnings,
> nothing. Just dead.
>
> The GP in question is the default domain policy. I already tried
> unlinking it and it fails on the next one. I only have two GPOs, so it
> cannot "read" either one. I also noted that, during one of my angry
> moments, I just kept spamming "gpupdate" in a DOS box on the workstation
> and suddenly it worked once, then went back to erroring out. Spamming it
> has not fixed it since. I even wrote a small batch script which looped
> until gpupdate returned success. It went into an endless loop which
> lasted about 20hrs before I stopped it.
>
> As for the sysvol location, it is in "/samba/var/locks/sysvol", which
> worked for a few years, and has just stopped. Permissions appear to be
> correct.
>
> On 05/29/2015 11:24 AM, James wrote:
>> On 5/29/2015 10:40 AM, Ryan Ashley wrote:
>>> Thank you, Louis. This has not corrected the getent and id issue, however.
>>>
>>> On 05/29/2015 10:13 AM, L.P.H. van Belle wrote:
>>>
>> Ryan,
>>
>> Is it a specific GP that can't be read? Can you remove all links to
>> one workstation and leave just the default domain GP and test? Did you
>> install samba from tar and provide the location for sysvol in the build?
>>
Ryan,

It definitely sounds like a permission problem. I can only think of
one other thing. Try

samba-tool ntacl sysvolreset --use-ntvfs

See if gpupdate works. If it works try

samba-tool ntacl sysvolreset --use-s3fs

Are you using a central store for group policy? I'm not sure what else
to try.

--
-James

I tried resetting dozens of times, neither works. I do remember a
permissions issue from ages back, where the Unix permissions had to be
777 on a share and then the ACL stuff worked. Do I need to set the
sysvol to 777?

What about getent and id not working on the DC? I cannot find any
information relevant to my situation with them online.

On 06/04/2015 08:46 AM, James wrote:
> Ryan,
>
> It definitely sounds like a permission problem. I can only think of
> one other thing. Try
>
> samba-tool ntacl sysvolreset --use-ntvfs
>
> See if gpupdate works. If it works try
>
> samba-tool ntacl sysvolreset --use-s3fs
>
> Are you using a central store for group policy? I'm not sure what else
> to try.
>

--
Lead IT/IS Specialist
Reach Technology FP, Inc

>What about getent and id not working on the DC? I cannot find any
>information relevant to my situation with them online.

ok, try the following.

chown -R root:root /samba/var/locks/sysvol
chmod -R 755 /samba/var/locks/sysvol

kinit Administrator
samba-tool ntacl sysvolreset
kdestroy

the id/getent issue..
install libnss-winbind

and check your server again with.
read :
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
from : Make domain users/groups available locally through Winbind


Greetz,

Louis

>-----Original message-----
>From: ryana at reachtechfp.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Thursday 4 June 2015 18:42
>To: samba at lists.samba.org
>Subject: Re: [Samba] Clients unable to get group policy...
>
>I tried resetting dozens of times, neither works. I do remember a
>permissions issue from ages back, where the Unix permissions had to be
>777 on a share and then the ACL stuff worked. Do I need to set the
>sysvol to 777?
>
>What about getent and id not working on the DC? I cannot find any
>information relevant to my situation with them online.
>
>--
>Lead IT/IS Specialist
>Reach Technology FP, Inc
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>

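
Added example, not part of any message in this thread and not Samba project code: a read-only audit of the POSIX side of a sysvol tree, run before the chown/chmod/sysvolreset sequence above, that reports world-writable entries (the 777 case asked about), other drift from 755, and wrong ownership. The function names, report labels and the demo tree are constructed for illustration; the default path and root:root / 755 are the values used in the thread.

```shell
#!/bin/sh
# Added example: audit only, changes nothing under the audited tree.
# audit_sysvol and demo_audit are hypothetical names.

audit_sysvol() {
    dir=${1:-/samba/var/locks/sysvol}   # sysvol path from this thread
    user=${2:-root}                     # expected owner (name or numeric id)
    group=${3:-root}                    # expected group (name or numeric id)

    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    report=$(
        # Writable by "other": any local account could alter GPO files.
        find "$dir" ! -type l -perm -0002 -print |
            sed 's/^/WORLD-WRITABLE /'
        # Anything else that is not exactly the 755 the thread sets.
        find "$dir" ! -type l ! -perm -0002 ! -perm 0755 -print |
            sed 's/^/MODE-NOT-755 /'
        # Owner or group differs from the expected pair.
        find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print |
            sed 's/^/WRONG-OWNER /'
    )

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1                        # findings present
    fi
    return 0                            # tree matches expectations
}

# Constructed demo tree (no real GPO data): one file is left at 777.
demo_audit() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/example.local/Policies/{CONSTRUCTED-GUID}"
    : > "$t/example.local/Policies/{CONSTRUCTED-GUID}/GPT.INI"
    chmod -R 755 "$t"
    chmod 777 "$t/example.local/Policies/{CONSTRUCTED-GUID}/GPT.INI"
    g=$(ls -ldn "$t" | awk '{print $4}')   # group the temp files received
    audit_sysvol "$t" "$(id -u)" "$g"
    rc=$?
    rm -rf "$t"
    return "$rc"
}

demo_audit || echo "audit reported findings (exit $?)"
# On the DC itself: audit_sysvol /samba/var/locks/sysvol root root
```

This covers only the Unix mode bits and ownership; the NT ACLs that sysvolreset rewrites are a separate layer, which "samba-tool ntacl sysvolcheck" inspects.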
Louis, I have not used kinit prior to doing the reset but I just did it.
Everything worked flawlessly but I won't know if it worked until I get
to a PC at their location. Also, libnss-winbind is installed correctly.
I have done this a few times but this is the only domain with issues.
Maybe I am looking at something incorrectly, and I will re-read the
guide, again. Assuming my configuration, or the parts you asked for
here, are done correctly, what should I look at next?

root@dc01:/lib# l | grep winbind
lrwxrwxrwx 1 root root 30 Aug 22 2014 libnss_winbind.so -> /samba/lib/libnss_winbind.so.2
root@dc01:/lib# chown -R root:root /samba/var/locks/sysvol
root@dc01:/lib# chmod -R 755 /samba/var/locks/sysvol
root@dc01:/lib# kinit reachfp
Password for reachfp@KIGM.LOCAL:
root@dc01:/lib# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: reachfp@KIGM.LOCAL

Valid starting     Expires            Service principal
06/05/15 10:44:25  06/05/15 20:44:25  krbtgt/KIGM.LOCAL@KIGM.LOCAL
        renew until 06/06/15 10:44:19
root@dc01:/lib# samba-tool ntacl sysvolreset
root@dc01:/lib# kdestroy

Just so you know, the domain administrator is renamed to reachfp. That
is why I did not use "Administrator" as you said.

On 06/05/2015 02:44 AM, L.P.H. van Belle wrote:
>> What about getent and id not working on the DC? I cannot find any
>> information relevant to my situation with them online.
> ok, try the following.
>
> chown -R root:root /samba/var/locks/sysvol
> chmod -R 755 /samba/var/locks/sysvol
>
> kinit Administrator
> samba-tool ntacl sysvolreset
> kdestroy
>
> the id/getent issue..
> install libnss-winbind
>
> and check your server again with.
> read :
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> from : Make domain users/groups available locally through Winbind
>
>
> Greetz,
>
> Louis
>

--
Lead IT/IS Specialist
Reach Technology FP, Inc

I noticed something different on the page you linked. It must be
outdated or maybe it is set up for a different version of Debian. The
system runs Debian Wheezy AMD64. The paths referenced do not exist. I
also checked several other Debian systems and NONE have the
"x86_64-linux-gnu" directories.

root@dc01:~# uname -r
2.6.32-5-amd64
root@dc01:~# l /lib | grep x86
lrwxrwxrwx 1 root root 12 Dec 27 2012 ld-linux-x86-64.so.2 -> ld-2.11.3.so
root@dc01:~# l /usr/lib | grep x86
root@dc01:~#

Is this the problem? What version of Debian is the guide for? I believe
Debian 8 was released recently but cannot be sure since it is a systemd
distro I now use Gentoo. If the guide is for 8, maybe we need one for 7
since it is supported until the release of 9.

On 06/05/2015 02:44 AM, L.P.H. van Belle wrote:
>> What about getent and id not working on the DC? I cannot find any
>> information relevant to my situation with them online.
> ok, try the following.
>
> chown -R root:root /samba/var/locks/sysvol
> chmod -R 755 /samba/var/locks/sysvol
>
> kinit Administrator
> samba-tool ntacl sysvolreset
> kdestroy
>
> the id/getent issue..
> install libnss-winbind
>
> and check your server again with.
> read :
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> from : Make domain users/groups available locally through Winbind
>
>
> Greetz,
>
> Louis
>

--
Lead IT/IS Specialist
Reach Technology FP, Inc