On Thu, 3 Nov 2016 10:25:00 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:
> > Thanks Lingpanda101
> >
> > Following is the result of the command:
> >
> > # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> > # owner: 10060
> > # group: 30028
> > user::rwx
> > user:10060:rwx
> > user:3000002:rwx
> > user:3000010:r-x
> > group::rwx
> > group:30028:rwx
> > group:30032:r-x
> > group:30033:rwx
> > group:3000002:rwx
> > group:3000010:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:10060:rwx
> > default:user:3000002:rwx
> > default:user:3000010:r-x
> > default:group::---
> > default:group:30028:rwx
> > default:group:30032:r-x
> > default:group:30033:rwx
> > default:group:3000002:rwx
> > default:group:3000010:r-x
> > default:mask::rwx
> > default:other::---
> >
> > Regards,
> >
> > Márcio
> >
> > 2016-11-03 11:46 GMT-02:00 lingpanda101 via samba
> > <samba at lists.samba.org>:
> >
> > > On 11/2/2016 5:51 PM, Marcio Demetrio Bacci via samba wrote:
> > >
> > > > I'm having problems with GPO in Samba 4.2.1
> > > >
> > > > I created a GPO to block the Control Panel and applied it in my
> > > > Domain OU.
> > > >
> > > > On the desktop client I typed "gpupdate /force" and a success
> > > > message appeared asking me to reboot my system. After the reboot
> > > > the GPO doesn't work.
> > > >
> > > > Other GPOs, such as WSUS update, Wallpaper and others, don't work
> > > > either.
> > > >
> > > > Following is the result of the command: GPRESULT /H GPResult.html
> > > >
> > > > GPOs Applied
> > > > Name                   Location         Link   Revision
> > > > Default Domain Policy  empresa.com.br          AD (1), Sysvol (65535)
> > > >
> > > > GPOs Denied
> > > > Name                                    Location                           Link   Denial Reason
> > > > Local Group Policies                    Location EMPTY
> > > > {0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}  empresa.com.br                            Inacessible
> > > > {D65C5B66-A380-48AD-AC8A-DE417173E293}  empresa.comb.br/EMPRESA/SecInfor          Inacessible
> > > > Wallpaper                               empresa.comb.br/EMPRESA/SecInfor          Inacessible
> > > >
> > > > How can I debug this problem?
> > > >
> > > > Regards,
> > > >
> > > > Márcio
> > >
> > > The denial reason Inaccessible usually refers to a permissions
> > > problem. Verify that the user and/or computer the GPO applies to has
> > > the correct permissions. Can you run 'getfacl
> > > /Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}' and post the
> > > results?
> > >
> > > --
> > > - James
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
> > > the instructions: https://lists.samba.org/mailman/options/samba
>
> I see you have given some users and groups a UID. Can you tell me the
> results of
>
> wbinfo --uid-info=10060
> wbinfo --uid-info=30028
> wbinfo --uid-info=30032
> wbinfo --uid-info=10060
> wbinfo --uid-info=30033
>
> I don't see user:3000003 which I believe is Authenticated Users. Did
> you give this group a UID?
>

Seeing as this is not one of the two std GPOs, you have a problem. When
you create a GPO, the owner is Domain Admins and the group is Domain
Admins, so who is '10060' and what is '30028'?

Rowland
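The question Rowland raises here (who owns the GPO directory, and do all the numeric ids in its ACL map to something winbind knows) can be turned into a repeatable check. The script below is an added example, not code from the thread or from the Samba project: it parses getfacl output, resolves each numeric id through a resolver function, and reports whether the owner and group are the expected 'Domain Admins' plus any ids that do not resolve. The sample ACL is the one posted in the thread; the resolver table is constructed from the wbinfo answers given later in the thread, and `wbinfo_resolver` (which shells out to the real `wbinfo --uid-info` / `--gid-info` on a Samba host) is an assumption about those commands' passwd/group-style output and is not used by the offline sample.

```python
"""Audit the POSIX ACL of a sysvol GPO directory (added example, not from the thread)."""
import subprocess

# Constructed sample: the getfacl output posted in the thread for the GPO directory.
SAMPLE_ACL = """\
# file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
# owner: 10060
# group: 30028
user::rwx
user:10060:rwx
user:3000002:rwx
user:3000010:r-x
group::rwx
group:30028:rwx
group:30032:r-x
group:30033:rwx
group:3000002:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:10060:rwx
default:user:3000002:rwx
default:user:3000010:r-x
default:group::---
default:group:30028:rwx
default:group:30032:r-x
default:group:30033:rwx
default:group:3000002:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
"""

# Constructed resolver table, built from the wbinfo answers in the thread.
# Ids missing from the table are treated as "winbind could not map this id".
SAMPLE_IDS = {
    10060: "bacci",
    30028: "Domain Admins",
    30032: "Domain Users",
    30033: "Enterprise Admins",
}


def parse_getfacl(text):
    """Return (owner, group, entries); entries are (kind, qualifier, perms, is_default)."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                      # "# file:" and any other comment line
        else:
            is_default = line.startswith("default:")
            body = line[len("default:"):] if is_default else line
            kind, qualifier, perms = body.split(":", 2)
            perms = perms.split()[0]      # drop a trailing "#effective:..." annotation if present
            entries.append((kind, qualifier, perms, is_default))
    return owner, group, entries


def _short(name):
    """Normalise 'EMPRESA\\domain admins' and 'Domain Admins' to one comparison key."""
    return None if name is None else name.rsplit("\\", 1)[-1].lower()


def audit_gpo_acl(text, resolve, expected="Domain Admins"):
    """Check owner/group against `expected` and collect numeric ids that do not resolve."""
    owner, group, entries = parse_getfacl(text)
    owner_name = resolve(int(owner)) if owner.isdigit() else owner
    group_name = resolve(int(group)) if group.isdigit() else group
    unresolved = set()
    for kind, qualifier, _perms, _is_default in entries:
        if kind in ("user", "group") and qualifier.isdigit() and resolve(int(qualifier)) is None:
            unresolved.add(int(qualifier))
    return {
        "owner": owner_name,
        "owner_ok": _short(owner_name) == _short(expected),
        "group": group_name,
        "group_ok": _short(group_name) == _short(expected),
        "unresolved": sorted(unresolved),
    }


def table_resolver(table):
    """Offline resolver backed by a dict of id -> name (used with the constructed sample)."""
    return lambda ident: table.get(ident)


def wbinfo_resolver(ident):
    """Assumed real-host resolver: try wbinfo --uid-info then --gid-info; name is the first field."""
    for flag in ("--uid-info", "--gid-info"):
        try:
            proc = subprocess.run(["wbinfo", f"{flag}={ident}"], capture_output=True, text=True)
        except FileNotFoundError:
            return None                   # wbinfo not installed on this host
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.split(":", 1)[0]
    return None


if __name__ == "__main__":
    for key, value in audit_gpo_acl(SAMPLE_ACL, table_resolver(SAMPLE_IDS)).items():
        print(f"{key}: {value}")
```

On a real DC you would read the ACL with `getfacl` on the GPO directory and pass `wbinfo_resolver` instead of the table. With the thread's data the report shows the owner resolving to the ordinary user 'bacci' rather than 'Domain Admins', and the 3000002 / 3000010 entries as ids the constructed table cannot name, which is the point at which Rowland says to look in idmap.ldb.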
Hi Rowland

Following are the results:

USER:
wbinfo --uid-info=10060:
bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false

GROUP:
wbinfo --gid-info=30028: Domain Admins
wbinfo --gid-info=30032: Domain Users
wbinfo --gid-info=30033: Enterprise Admins

"I don't see user:3000003"

root at dc1:~# wbinfo -G 3000003
S-1-5-11

root at dc1:~# wbinfo -s S-1-5-11
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-11

I have in my network two DCs (Samba 4) and one member File Server (Samba 4).
When I execute wbinfo -r <user>, I get different results:

root at dc1:~# wbinfo -G 3000000
S-1-5-32-544

root at dc1o:~# wbinfo -G 30002
S-1-5-32-544

root at dc1:~# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4

The SID for Administrators is 3000000 on the DC. On the File Server the same
group is 30002.

Different groups for the same user:

root@dc1:~# wbinfo -r bacci
30011
30025
30029
30030
30035
30049
30052
3000000

root@server-file:~# wbinfo -r bacci
30002
30003
30025
30028
30029
30030
30032
30035
30049
30052
30053

Regards,

Márcio

2016-11-03 13:59 GMT-02:00 Rowland Penny via samba <samba at lists.samba.org>:

> Seeing as this is not one of the two std GPOs, you have a problem. When
> you create a GPO, the owner is Domain Admins and the group is Domain
> Admins, so who is '10060' and what is '30028'?
>
> Rowland
See inline comments:

On Thu, 3 Nov 2016 19:17:58 -0200
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:

> Hi Rowland
>
> Following are the results:
>
> USER:
> wbinfo --uid-info=10060:
> bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
>

It looks like 'bacci' is a normal user and the owner of the Policies GUID
dir should be 'Domain Admins'

> GROUP:
> wbinfo --gid-info=30028: Domain Admins

This is where one of the problems starts, bit of a catch 22 problem: you
need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can own
dirs & files in sysvol.

> wbinfo --gid-info=30032: Domain Users
> wbinfo --gid-info=30033: Enterprise Admins
>
> "I don't see user:3000003"
>
> root at dc1:~# wbinfo -G 3000003
> S-1-5-11
>
> root at dc1:~# wbinfo -s S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11
>

You will need to look inside idmap.ldb to find this.

> I have in my network two DCs (Samba 4) and one member File Server
> (Samba 4). When I execute wbinfo -r <user>, I get different results:
>
> root at dc1:~# wbinfo -G 3000000
> S-1-5-32-544
>
> root at dc1o:~# wbinfo -G 30002
> S-1-5-32-544
>
> root at dc1:~# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> The SID for Administrators is 3000000 on the DC. On the File Server the
> same group is 30002.

Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let samba
do this on the DC and set up smb.conf correctly on the domain member.
You do this by using 'idmap config * : backend = tdb'

> Different groups for the same user:
>
> root@dc1:~# wbinfo -r bacci
> 30011
> 30025
> 30029
> 30030
> 30035
> 30049
> 30052
> 3000000
>
> root@server-file:~# wbinfo -r bacci
> 30002
> 30003
> 30025
> 30028
> 30029
> 30030
> 30032
> 30035
> 30049
> 30052
> 30053
>
> Regards,
>
> Márcio
>

Rowland
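To show what Rowland's last recommendation looks like in practice, here is an added smb.conf idmap fragment for the domain member (the file server), not a configuration taken from the thread or from the Samba project's documentation. The '*' lines are the ones the thread calls for; the domain name EMPRESA, the realm, the ranges and the choice of the 'ad' backend for the EMPRESA domain (which matches the uidNumber/gidNumber/unixHomeDirectory values the thread shows being stored in AD) are assumptions. The DCs keep using idmap.ldb and get no idmap config lines.

```ini
# Added example for a Samba domain MEMBER's smb.conf (not from the thread).
[global]
   workgroup = EMPRESA                  # assumed short domain name
   realm = EMPRESA.COM.BR               # assumed, from the empresa.com.br links in GPResult
   security = ADS

   # Catch-all backend, as recommended in the thread. BUILTIN groups such as
   # S-1-5-32-544 (Administrators) get an id allocated here by winbind, so
   # they need no gidNumber in AD. The id is local to this host; it will not
   # and need not match the 3000000 that idmap.ldb allocated on the DC.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999   # assumed; must not overlap the domain range below

   # Domain users and groups: read uidNumber/gidNumber from AD so that bacci
   # (10060) and Domain Admins (30028) carry the same ids on every member.
   idmap config EMPRESA : backend = ad
   idmap config EMPRESA : schema_mode = rfc2307
   idmap config EMPRESA : range = 10000-999999   # assumed; must cover 10060 and the 30xxx gids
   idmap config EMPRESA : unix_nss_info = yes    # use unixHomeDirectory/loginShell from AD
```

After changing idmap settings on the member, restart winbind and clear its caches before re-running `wbinfo -r bacci`; the BUILTIN entries (3000000 on the DC, 30002 on the member in the thread) are expected to differ between hosts, but the EMPRESA group ids should now agree.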