Richard
2017-Jan-12 19:47 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi Rowland,
I've done the below and retried to log on as a normal user, but sadly:
C:\> gpupdate /force still returns
The processing of Group Policy failed. Windows attempted to read the file
\\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings may not
be applied until this event is resolved. This issue may be transient and could
be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Also a normal domain user still can't get a listing on sysvol
smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*
but Administrator can fine:
smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
. D 0 Thu Jan 12 20:58:10 2017
.. D 0 Thu Jan 12 21:21:00 2017
ct.mydomain.com D 0 Thu Feb 18 00:16:24 2016
244669724 blocks of size 1024. 235669456 blocks available
Also, I've rerun getfacl and I see that GID 10013 still exists for both
group and other, even though I have removed it from "domain admins"
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
so not really sure where to go from here
(btw - I won't keep saying thank you but just to let you know that I really
really appreciate all the help you guys are giving on this)
Richard
PS - I just thought it may be worthwhile pasting my smb.conf file here (domain name
and forwarder IPs changed)
[global]
workgroup = CT
realm = ct.mydomain.com
netbios name = DC1
server role = active directory domain controller
allow dns updates = nonsecure and secure
dns forwarder = 1.2.3.4 10.20.30.40
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: 12 January 2017 21:10
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up
Group Policies
On Thu, 12 Jan 2017 20:46:15 +0200
Richard via samba <samba at lists.samba.org> wrote:
> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>
> wbinfo --uid-info=3000008 => CT\domain
> admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
If you remove the gidNumber from Domain Admins, you will find that it gets the
same GID as its UID '3000008'
>
> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013"
> - I can remove this no problem
See above and I would suggest removing the gidNumber, then run 'net cache
flush'
>
> Yes I have set "domain users" to have NIS domain "CT" and GID "10014"
> - I can remove this no problem
No that is OK
>
> No I haven't set a UID or GID for Administrator
Good, you just turn Administrator into a normal Unix user if you do.
>
> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this
> from smb.conf?
No, you need it
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
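The leftover-GID check Richard does by eye on the getfacl output, as an added example (not code from the thread or from Samba): it lists group ACL entries whose numeric ID sits below the idmap.ldb range and is no longer assigned as a gidNumber. The sample ACL is constructed from lines in the post; the function names and the `assigned_gids` input are assumptions for illustration.

```python
# Added example: find group ACL entries that still name a retired gidNumber.
XID_BASE = 3000000  # default lower bound of the AD DC's idmap.ldb range

# Constructed sample: a subset of the getfacl lines quoted in the post.
SAMPLE_ACL = """\
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000010:r-x
mask::rwx
default:user:root:rwx
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:mask::rwx
"""

def parse_getfacl(text):
    """Yield (scope, tag, qualifier, perms) per ACL line, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops '# file:' and '#effective:'
        if not line:
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unparseable ACL line: {line!r}")
        yield (scope, parts[0], parts[1], parts[2])

def stale_group_entries(text, assigned_gids):
    """Group entries whose numeric ID is below XID_BASE and not in assigned_gids."""
    stale = []
    for scope, tag, qualifier, perms in parse_getfacl(text):
        if tag != "group" or not qualifier.isdigit():
            continue  # owner group and name-resolved entries are not checked
        gid = int(qualifier)
        if gid < XID_BASE and gid not in assigned_gids:
            stale.append((scope, gid, perms))
    return stale

if __name__ == "__main__":
    # Assumed state after the change in the thread: only 10014 is still assigned.
    for scope, gid, perms in stale_group_entries(SAMPLE_ACL, {10014}):
        print(f"{scope} ACL still grants {perms} to retired GID {gid}")
```

An entry reported for the `default` scope matters as much as one for `access`, since new files and directories under that path inherit it.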
lingpanda101
2017-Jan-12 19:53 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On 1/12/2017 2:47 PM, Richard via samba wrote:
> Also, I've rerun getfacl and I see that GID 10013 still exists for both
> group and other, even though I have removed it from "domain admins"
Did you run 'net cache flush'?
--
- James
Rowland Penny
2017-Jan-12 20:01 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On Thu, 12 Jan 2017 21:47:00 +0200 Richard via samba <samba at lists.samba.org> wrote:
> Also, I've rerun getfacl and I see that GID 10013 still exists for
> both group and other, even though I have removed it from "domain
> admins"
Did you run 'net cache flush'?
Rowland
Richard
2017-Jan-12 20:25 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi
here are the commands in the order I ran them:
root@dc1:~ # systemctl stop samba
root@dc1:~ # net cache flush
root@dc1:~ # samba-tool ntacl sysvolreset
root@dc1:~ # net cache flush
root@dc1:~ # samba-tool ntacl sysvolcheck
root@dc1:~ # systemctl start samba
root@dc1:~ # smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
. D 0 Thu Jan 12 22:14:18 2017
.. D 0 Thu Jan 12 22:14:45 2017
ct.mydomain.com D 0 Thu Feb 18 00:16:24 2016
244669724 blocks of size 1024. 235669260 blocks available
root@dc1:~ # smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*
root@dc1:~ #
then on the client:
C:\WINDOWS\system32>gpupdate /force
Updating policy...
Computer policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows attempted to read the file
\\ct.mydomain.com\SysVol\ct.mydomain.com\Policies\{073A6C41-BE24-4CA2-8F00-386A9F2D3908}\gpt.ini
from a domain controller and was not successful. Group Policy settings may not
be applied until this event is resolved. This issue may be transient and could
be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were
encountered: