Richard
2017-Jan-13 07:00 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Also, I'm not sure whether this has any relevance to the problem but I did at one point try to set up a secondary AD server but was struggling to get it going so demoted it using "Demote an Offline Domain Controller" from this page

https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

I also went through the "Verifying the Demotion" checks on this page and all looked fine

-----Original Message-----
From: Richard [mailto:p1 at originsystems.co.za]
Sent: 12 January 2017 23:34
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

I'm not sure if of value but here also is the richard.h group information as reported by Windows on the client:

C:\WINDOWS\system32>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ==============================================================
CT\osDirector                              Group            S-1-5-21-962076006-582617201-2751578557-1107 Mandatory group, Enabled by default, Enabled group
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Performance Log Users              Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
CT\Domain Admins                           Group            S-1-5-21-962076006-582617201-2751578557-512  Mandatory group, Enabled by default, Enabled group
CT\Denied RODC Password Replication Group  Alias            S-1-5-21-962076006-582617201-2751578557-572  Mandatory group, Enabled by default, Enabled group
CT\osDevelopment                           Group            S-1-5-21-962076006-582617201-2751578557-1110 Mandatory group, Enabled by default, Enabled group
CT\osSecurity                              Group            S-1-5-21-962076006-582617201-2751578557-1111 Mandatory group, Enabled by default, Enabled group
CT\osVPN                                   Group            S-1-5-21-962076006-582617201-2751578557-1112 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Richard via samba
Sent: 12 January 2017 23:21
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

cool!

root at dc1:~ # wbinfo -r richard.h
10001
3000008
10000
10014
10004
10005
3000005
3000009
3000000

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 22:57
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 3:47 PM, Richard via samba wrote:
> Hi
>
> root at dc1:~ # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes
> ...some error information...
> Checked 3647 objects (2 errors)
> root at dc1:~ # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
> Checking 3647 objects
> Checked 3647 objects (0 errors)
>
> root at dc1:~ # getfacl /usr/local/samba/var/locks/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
>
> gpupdate /force still fails :o(
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: 12 January 2017 22:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>
> On 1/12/2017 3:25 PM, Richard via samba wrote:
>> Hi
>>
>> here are the commands in the order I ran them:
>>
>> root at dc1:~ # systemctl stop samba
>> root at dc1:~ # net cache flush
>> root at dc1:~ # samba-tool ntacl sysvolreset
>> root at dc1:~ # net cache flush
>> root at dc1:~ # samba-tool ntacl sysvolcheck
>> root at dc1:~ # systemctl start samba
>> root at dc1:~ # smbclient //localhost/sysvol -UAdministrator -c 'ls'
>> Enter Administrator's password:
>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>   .                    D        0  Thu Jan 12 22:14:18 2017
>>   ..                   D        0  Thu Jan 12 22:14:45 2017
>>   ct.mydomain.com      D        0  Thu Feb 18 00:16:24 2016
>>
>>                 244669724 blocks of size 1024. 235669260 blocks available
>> root at dc1:~ # smbclient //localhost/sysvol -Urichard.h -c 'ls'
>> Enter richard.h's password:
>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>> NT_STATUS_ACCESS_DENIED listing \*
>> root at dc1:~ #
>>
>> then on the client:
>>
>> C:\WINDOWS\system32>gpupdate /force
>> Updating policy...
>>
>> Computer policy could not be updated successfully. The following errors were encountered:
>>
>> The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\SysVol\ct.mydomain.com\Policies\{073A6C41-BE24-4CA2-8F00-386A9F2D3908}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>> a) Name Resolution/Network Connectivity to the current domain controller.
>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>> c) The Distributed File System (DFS) client has been disabled.
>> User Policy could not be updated successfully. The following errors were encountered:
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
>> Sent: 12 January 2017 21:54
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>>
>> On 1/12/2017 2:47 PM, Richard via samba wrote:
>>> Hi Rowland,
>>>
>>> I've done the below and retried to log on as a normal user, but sadly:
>>>
>>> C:\> gpupdate /force still returns
>>>
>>> The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>> c) The Distributed File System (DFS) client has been disabled.
>>>
>>> Also a normal domain user still can't get a listing on sysvol
>>>
>>> smbclient //localhost/sysvol -Urichard.h -c 'ls'
>>> Enter richard.h's password:
>>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>> NT_STATUS_ACCESS_DENIED listing \*
>>>
>>> but Administrator can fine:
>>>
>>> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>>> Enter Administrator's password:
>>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>>   .                    D        0  Thu Jan 12 20:58:10 2017
>>>   ..                   D        0  Thu Jan 12 21:21:00 2017
>>>   ct.mydomain.com      D        0  Thu Feb 18 00:16:24 2016
>>>
>>>                 244669724 blocks of size 1024. 235669456 blocks available
>>>
>>>
>>> Also, I've rerun getfacl and I see that GID 10013 still exists for both group and other, even though I have removed it from "domain admins"
>>>
>>> group::rwx
>>> group:10013:rwx
>>> group:10014:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> group:3000006:rwx
>>> group:3000010:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:user:3000006:rwx
>>> default:user:3000010:r-x
>>> default:group::---
>>> default:group:10013:rwx
>>> default:group:10014:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:group:3000006:rwx
>>> default:group:3000010:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> so not really sure where to go from here
>>>
>>> (btw - I won't keep saying thank you but just to let you know that I really really appreciate all the help you guys are giving on this)
>>>
>>> Richard
>>>
>>> PS - I just thought may be worthwhile pasting my smb.conf file here (domain name and forwarder IPs changed)
>>>
>>> [global]
>>>         workgroup = CT
>>>         realm = ct.mydomain.com
>>>         netbios name = DC1
>>>         server role = active directory domain controller
>>>
>>>         allow dns updates = nonsecure and secure
>>>
>>>         dns forwarder = 1.2.3.4 10.20.30.40
>>>         idmap_ldb:use rfc2307 = yes
>>>
>>>         ldap server require strong auth = no
>>>
>>> [netlogon]
>>>         path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /usr/local/samba/var/locks/sysvol
>>>         read only = No
>>>
>>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
>>> Sent: 12 January 2017 21:10
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>>>
>>> On Thu, 12 Jan 2017 20:46:15 +0200
>>> Richard via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi James
>>>>
>>>> The output is as follows...
>>>>
>>>> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>>>>
>>>> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
>>> If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'
>>>
>>>> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem
>>> See above and I would suggest removing the gidNumber, then run 'net cache flush'
>>>
>>>> Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem
>>> No that is OK
>>>
>>>> No I haven't set a UID or GID for Administrator
>>> Good, you just Administrator into a normal Unix user if you do.
>>>
>>>> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?
>>> No, you need it
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>> Did you run 'net cache flush'?
>>
>> --
>> - James
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>>
> What is the output of the below now?
>
> getfacl /usr/local/samba/var/locks/sysvol/
>
> You may also need to run
>
> samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
>
>
> --
> - James
>
>
Progress

What is the output of 'wbinfo -r richard.h'

--
- James

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
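The getfacl output Richard pasted above is the kind of thing an operator ends up eyeballing by hand: a stale gidNumber (10013) that was removed from Domain Admins is still granted rwx on sysvol, next to the DC's own 3000000-range xids. The following is an added example, not code from the thread or from the Samba project: it parses getfacl's long-form output and flags any named user/group entry whose numeric id is not in a set of ids the DC can still resolve. The sample ACL text and the RESOLVABLE_IDS set are constructed for the example; on a real DC you would populate that set yourself (for instance from wbinfo lookups, which this script does not run), and the 3000000 boundary for xidNumbers is taken from Rowland's description later in the thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample in the shape of the getfacl output in the thread: a
# sysvol tree whose ACL still carries GID 10013, the rfc2307 gidNumber that
# was removed from Domain Admins, alongside the DC's own 3000000-range xids.
SAMPLE_GETFACL = """\
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:10013:rwx
group:3000000:rwx
mask::rwx
other::---
default:group:10013:rwx
default:group:3000000:rwx
"""

# Constructed: the numeric ids this DC can still resolve to a SID. On a real DC
# you would build this set from 'wbinfo --gid-info=<gid>' / 'wbinfo --uid-info=<uid>'
# lookups (an assumption about the operator's workflow; this script does not run them).
RESOLVABLE_IDS = {3000000, 3000001}

# Lower bound of the xidNumber range that Samba's idmap.ldb allocates from, as
# described in the thread; ids below it came from rfc2307 uidNumber/gidNumber attributes.
XID_BASE = 3000000

ACL_LINE = re.compile(
    r"^(?P<default>default:)?(?P<tag>user|group|mask|other):(?P<qual>[^:]*):(?P<perms>[rwx-]{3})$"
)


@dataclass(frozen=True)
class AclEntry:
    default: bool      # True for a default: (inherited) entry
    tag: str           # user / group / mask / other
    qualifier: str     # name or numeric id; empty for owner, owning group, mask, other
    perms: str         # e.g. "rwx"


def parse_getfacl(text: str) -> list[AclEntry]:
    """Parse getfacl long-form output into AclEntry records; comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.append(AclEntry(m.group("default") is not None, m.group("tag"),
                                m.group("qual"), m.group("perms")))
    return entries


def id_origin(numeric_id: int) -> str:
    """Classify a numeric id as a DC-allocated xid or an rfc2307 uidNumber/gidNumber."""
    return "xid" if numeric_id >= XID_BASE else "rfc2307"


def find_stale_entries(entries: Iterable[AclEntry], resolvable: set[int]) -> list[AclEntry]:
    """Return named user/group entries whose numeric id no longer resolves.

    Such entries grant (or, for default: entries, inherit) permissions to an id
    nothing maps to any more; they are what 'samba-tool ntacl sysvolreset' rewrites.
    """
    stale = []
    for e in entries:
        if e.tag not in ("user", "group") or not e.qualifier:
            continue   # owner, owning group, mask and other carry no id to check
        if not e.qualifier.isdigit():
            continue   # names such as root are local accounts, not winbind ids
        if int(e.qualifier) not in resolvable:
            stale.append(e)
    return stale


def report(text: str, resolvable: set[int]) -> list[str]:
    """One human-readable line per stale entry, with the id's likely origin."""
    lines = []
    for e in find_stale_entries(parse_getfacl(text), resolvable):
        scope = "default:" if e.default else ""
        lines.append(f"{scope}{e.tag}:{e.qualifier}:{e.perms} -> unresolvable "
                     f"{id_origin(int(e.qualifier))} id")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GETFACL, RESOLVABLE_IDS):
        print(line)
```

Run against the sample, the report lists the two 10013 entries (the access entry and the default entry) and labels them as rfc2307-origin ids, which is the hint that a gidNumber removed from AD has left a dangling grant on disk. Pipe real `getfacl -R` output through `parse_getfacl` and the check extends to every policy directory under sysvol, not just the top level.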
Jonathan Hunter
2017-Jan-14 17:09 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi All,

Trying to avoid making this into a "Me too" response :) but this is the single largest issue I have with Samba at the moment, I've struggled with this for literally years, both before I switched to rfc2307 (which did help in many areas) and since switching. I am following this thread with great interest, in the hope that I can get my GPOs working, too.

Currently I've hit a different issue (Samba bug ID 12363) that has stopped me from being able to debug this further; but suffice to say - I feel your pain.

I am particularly interested in the interaction between giving 'Domain Users' its own GID, and having GPOs stored in sysvol on the DCs, which is historically the place that has the most trouble with user mappings etc. (that is why I initially switched to rfc2307, and subsequently demoted my main file server from being a DC, also)

If we don't give built-in groups their own UID/GID though, then how do we ensure consistency between multiple DCs and also member fileservers? This is probably the area of samba I'm least expert on (uids, XIDs, rfc2307, idmap, file servers vs DCs, etc..)
Cheers,

Jonathan

On 13 January 2017 at 07:00, Richard via samba <samba at lists.samba.org> wrote:
> Also, I'm not sure whether this has any relevance to the problem but I did at one point try to set up a secondary AD server but was struggling to get it going so demoted it using "Demote an Offline Domain Controller" from this page
>
> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>
> I also went through the "Verifying the Demotion" checks on this page and all looked fine
>
> [...]

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Rowland Penny
2017-Jan-14 18:04 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On Sat, 14 Jan 2017 17:09:47 +0000
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> Trying to avoid making this into a "Me too" response :) but this is the single largest issue I have with Samba at the moment, I've struggled with this for literally years, both before I switched to rfc2307 (which did help in many areas) and since switching. I am following this thread with great interest, in the hope that I can get my GPOs working, too.
>
> Currently I've hit a different issue (Samba bug ID 12363) that has stopped me from being able to debug this further; but suffice to say - I feel your pain.
>
> I am particularly interested in the interaction between giving 'Domain Users' its own GID, and having GPOs stored in sysvol on the DCs, which is historically the place that has the most trouble with user mappings etc. (that is why I initially switched to rfc2307, and subsequently demoted my main file server from being a DC, also)

If you only have Samba AD DCs and Windows clients, you do not need to give any group a gidNumber. It is only when you throw Unix domain members in to the mix AND use the winbind 'ad' backend, that you need to give Domain Users a gidNumber.

> If we don't give built-in groups their own UID/GID though, then how do we ensure consistency between multiple DCs and also member fileservers? This is probably the area of samba I'm least expert on (uids, XIDs, rfc2307, idmap, file servers vs DCs, etc..)
>

Samba AD DCs use idmap.ldb to store the mappings between SIDs and xidNumbers, the numbers are always in the '3000000' range. They are also allocated on a first come basis, when a user or group first contacts a Samba DC it is allocated the next xidNumber, this is why you are not sure to get the same ID number on every DC. This is not a problem however, as each DC knows the xidNumber for the group. So if you rsync sysvol between DCs and then run sysvolreset, the correct xidNumber for that DC will be set.

You can also copy idmap.ldb between DCs as well, but I don't see the point.

The only way to get consistent IDs for the users and groups that matter, is to use the winbind 'ad' backend. This means giving users a unique UidNumber and Domain Users a gidNumber. These numbers will be used on DCs instead of the xidNumbers and on Unix domain members provided that the 'idmap config' lines are set up correctly.

This is what I use on domain members:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

The '*' range is for the well known SIDs (Domain Admins, Administrators etc)
The 'SAMDOM' range is for the DOMAIN users & groups that you create and Domain Users.

It doesn't really matter what ID the well known SIDs get, as long as the Unix machine knows which SID the ID belongs to.

Hope this helps, but feel free to ask questions.

Rowland
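Rowland's domain-member configuration depends on one invariant his comment calls out: the '*' range used for well-known SIDs and the domain range used for rfc2307 ids must not overlap, and every domain block needs both a backend and a range. The following is an added example, not code from the thread or from Samba: a small checker that pulls `idmap config` lines out of smb.conf text and reports missing settings and overlapping ranges. GOOD_CONF is Rowland's configuration as posted (SAMDOM being his placeholder domain name); BAD_CONF is a constructed variant with the domain range lowered so that it collides with the '*' range. Everything else in smb.conf is ignored by the parser.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample 1: the domain-member idmap configuration given in the
# thread (SAMDOM is the placeholder domain name used there).
GOOD_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
"""

# Constructed sample 2: the same layout with the domain range lowered so that
# it overlaps the '*' range, the mistake the comment in the thread warns about.
BAD_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 5000-999999
"""

# smb.conf tolerates 'idmap config *:backend' and 'idmap config SAMDOM : backend'
# alike, so the domain token is matched non-greedily up to the colon.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN : key = value' lines into {domain: {key: value}}."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = IDMAP_LINE.match(line)
        if m is None:
            continue   # not an idmap line; other smb.conf settings are out of scope
        dom = "*" if m.group("dom") == "*" else m.group("dom").upper()
        cfg.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into (low, high), rejecting malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if m is None:
        raise ValueError(f"bad idmap range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"inverted idmap range: {value!r}")
    return low, high


def check_idmap(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout is consistent."""
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain: well-known SIDs cannot be mapped")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, settings in cfg.items():
        if "backend" not in settings:
            problems.append(f"{dom}: no backend set")
        if "range" not in settings:
            problems.append(f"{dom}: no range set")
            continue
        try:
            ranges[dom] = parse_range(settings["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Pairwise overlap test on closed intervals; '*' sorts first, so it is reported as 'a'.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges overlap: {a} {a_lo}-{a_hi} vs {b} {b_lo}-{b_hi}")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(parse_idmap_config(conf)) or ["ok"])
```

Overlapping ranges matter for more than tidiness: an id that two backends both believe they own can end up attached to the wrong SID on a member server, which is the same class of mismatch that leaves a domain user unable to read sysvol. Running the checker over the real smb.conf of each DC and member before comparing file ACLs removes one variable from that diagnosis.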