Marcio Demetrio Bacci
2017-Jul-02 14:30 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi,
I'm using Samba 4.6.5 and I have installed it as follows:
wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
tar -xzvf samba-4.6.5.tar.gz
cd samba-4.6.5
./configure --enable-debug --enable-selftest
make
make install
It seems to be working properly, however I can't create or update GPOs
with the Windows Group Policy Management tool.
When I try, a "Denied Access" message appears.
I'm using a user that is a member of "Domain Admins", "Domain Computers",
"Domain Controllers", "Group Policy Creator Owners" and "Domain Users".
When I run the "samba-tool ntacl sysvolreset" command, the following
errors appear:
root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
I have verified that permissions on my files in
"/usr/local/samba/var/locks/" are like this:
ls -l /usr/local/samba/var/locks/
total 1384
-rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
-rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
-rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
-rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged
Following are my fstab and smb.conf files:
/etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/disk2--vg-root / ext4 errors=remount-ro 0 1
UUID=400ad8c2-9c4c-4a08-883b-3aaddcb24850 /boot ext2 defaults 0 2
/dev/mapper/disk2--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
######################################################################
/usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.0.5
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
[netlogon]
path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes
##################################################
Some tests with attr:
root@dc1:~# touch testando.txt
root@dc1:~# setfattr -n user.test -v test testando.txt
root@dc1:~# setfattr -n security.test -v test2 testando.txt
root@dc1:~# getfattr -d testando.txt
# file: testando.txt
user.test="test"
root@dc1:~# getfattr -n security.test -d testando.txt
# file: testando.txt
security.test="test2"
Does anybody have an idea how to solve this problem?
Regards,
Márcio Bacci
Rowland Penny
2017-Jul-02 15:26 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
On Sun, 2 Jul 2017 11:30:32 -0300 Marcio Demetrio Bacci via samba <samba@lists.samba.org> wrote:

> Hi,
>
> I'm using Samba 4.6.5 and I have installed it as follows:
>
> wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
> tar -xzvf samba-4.6.5.tar.gz
> cd samba-4.6.5
> ./configure --enable-debug --enable-selftest

Why? You only need './configure', unless you are going to run the tests.

> make
> make install
>
> It seems to be working properly, however I can't create or update
> GPOs with the Windows Group Policy Management tool.
>
> When I try, a "Denied Access" message appears.
>
> I'm using a user that is a member of "Domain Admins", "Domain
> Computers", "Domain Controllers", "Group Policy Creator Owners" and
> "Domain Users".
>
> When I run the "samba-tool ntacl sysvolreset" command, the following
> errors appear:
>
> root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset

Why are you running samba-tool like that? Haven't you set up your PATH
correctly? If you run (in a terminal):

echo $PATH

it should return your path, and that should start like this:

/usr/local/samba/bin:/usr/local/samba/sbin:

If your PATH is set correctly, you should be able to run samba-tool
from anywhere, from /root for instance.

> I have verified that permissions on my files in
> "/usr/local/samba/var/locks/" are like this:
>
> ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
> -rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged

Who is '30056'?
Have you given 'Administrator' a uidNumber?
Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege'?

> /usr/local/samba/etc/smb.conf
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> acl_xattr:ignore system acls = yes

You should remove the above line, it isn't required.

Rowland
Stefan G. Weichinger
2017-Jul-02 18:40 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
On 2017-07-02 at 17:26, Rowland Penny via samba wrote:

>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>> acl_xattr:ignore system acls = yes
>
> You should remove the above line, it isn't required.

Louis recommended that one to me a few weeks ago.
Could you explain?
Marcio Demetrio Bacci
2017-Jul-02 21:52 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi Rowland,

Now I have set up my PATH, adding /usr/local/samba/bin:/usr/local/samba/sbin:

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin

> ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
> -rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged

1) Who is '30056'?
30056 is the Administrator user.

2) Have you given 'Administrator' a uidNumber?
Yes, I set up Unix Attributes for Administrator and for the "Domain Admins", "Domain Controllers" and other groups.

3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege'?
No. Is it necessary?

Now I have removed the "acl_xattr:ignore system acls = yes" line from "/usr/local/samba/etc/smb.conf".

I have executed the "chown root:root -R /usr/local/samba/var/locks" command, and now I can create and update GPOs, but I don't know if this is correct. What is the better way to correct the file permissions on sysvol?

The "samba-tool ntacl sysvolreset" command continues to display errors:

open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I have created a WSUS GPO, and when I typed "gpupdate /force" at the prompt of the Windows stations an error appeared:

"Group Policy was not processed. Windows can not apply the registry-based policy settings to the Group Policy object LDAP://CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=policies, CN=System,DC=empresa,DC=com,DC=br. The Group Policy settings will not be resolved until this event is resolved."

How could I solve this problem?

Regards,
Márcio Bacci
L.P.H. van Belle
2017-Jul-03 07:29 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi,

In response to the why I recommend that.

Since this is a "Windows"-only share, I recommend setting it up for that usage, which results in better matching of Windows rights, resulting in better working policies. The current POSIX rights did not match my needs and resulted in inconsistent policies. This is why I use these for profiles and sysvol.

And this is my setup order:

Set up the sysvol share with:
acl_xattr:ignore system acls = yes

Set up SeDiskOperatorPrivilege. For sysvol, set up 2 (!) groups:

net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"

And use the default Windows group for extra users: "Group Policy Creator Owners".

Set up the share rights (you must re-apply them if you use "ignore system acls").

Set up the security rights; but since you are using "ignore system acls", the default sysvol rights are now OK. But check if the creator group is also on the security rights.

Check from within the GPO management tools; you will get some messages about rights to fix, do that.

And don't run samba-tool sysvolreset; if you do, then you will have to repeat the above again.

Now your GPO should work as normal.

Try it out and report your result.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Sunday, 2 July 2017 20:41
> To: samba@lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On 2017-07-02 at 17:26, Rowland Penny via samba wrote:
>
> >> [sysvol]
> >> path = /usr/local/samba/var/locks/sysvol
> >> read only = No
> >> acl_xattr:ignore system acls = yes
> >
> > You should remove the above line, it isn't required.
>
> Louis recommended that one to me a few weeks ago.
> Could you explain?
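A small diagnostic script covering both pieces of advice in this thread, added here as an example and not code posted by Rowland, Louis or shipped by the Samba project: it answers Rowland's three questions (who owns the sysvol directory, whether that numeric uid maps back to an account, and who currently holds SeDiskOperatorPrivilege) and then applies the two `net rpc rights grant` calls Louis lists. It assumes a Linux DC with GNU coreutils, winbind in nsswitch so that `getent` can resolve domain uids, Samba's `net` on the PATH, the sysvol path from Márcio's smb.conf, and the placeholder domain short name SAMDOM (EMPRESA in Márcio's setup). Setting `NET=echo` turns the privilege commands into a dry run.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project. Assumptions:
# Linux DC, GNU coreutils, Samba "net" on the PATH, winbind in nsswitch,
# default sysvol path from the thread, placeholder domain SAMDOM.
# NET can be overridden (e.g. NET=echo) for a dry run.

SYSVOL="${SYSVOL:-/usr/local/samba/var/locks/sysvol}"
NET="${NET:-net}"

# Numeric owner of the sysvol directory (the "30056" in the ls output).
sysvol_owner_uid() {
    stat -c %u "$1"
}

# Map a numeric uid back to an account name via nsswitch/winbind.
# Prints an empty line if the uid has no mapping, which by itself says
# the account (e.g. Administrator) still lacks a usable uidNumber.
resolve_uid() {
    _n=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    if [ -z "$_n" ]; then _n=$(id -un "$1" 2>/dev/null || true); fi
    printf '%s\n' "$_n"
}

# Accounts currently holding SeDiskOperatorPrivilege; $1 is the
# "DOMAIN\user" to authenticate as (net prompts for the password).
list_disk_operators() {
    "$NET" rpc rights list privileges SeDiskOperatorPrivilege -U "$1"
}

# Grant SeDiskOperatorPrivilege to one group.
# $1 domain short name, $2 group name, $3 admin account.
grant_disk_operator() {
    "$NET" rpc rights grant "$1\\$2" SeDiskOperatorPrivilege -U "$1\\$3"
}

# Louis's two grants in one call: Domain Admins plus the built-in
# Group Policy Creator Owners group.
grant_sysvol_privileges() {
    grant_disk_operator "$1" "Domain Admins" "$2" &&
    grant_disk_operator "$1" "Group Policy Creator Owners" "$2"
}

main() {
    domain="${1:-SAMDOM}"
    admin="${2:-administrator}"
    uid=$(sysvol_owner_uid "$SYSVOL")
    name=$(resolve_uid "$uid")
    printf 'sysvol owner uid %s -> %s\n' "$uid" \
        "${name:-<no mapping: give the account a uidNumber>}"
    printf 'SeDiskOperatorPrivilege before:\n'
    list_disk_operators "$domain\\$admin"
    grant_sysvol_privileges "$domain" "$admin"
    printf 'SeDiskOperatorPrivilege after:\n'
    list_disk_operators "$domain\\$admin"
}

# Only act when invoked with arguments, e.g.:
#   sh sysvol-rights.sh EMPRESA administrator
if [ "$#" -gt 0 ]; then main "$@"; fi
```

`net rpc rights grant` prompts for the Administrator password unless you pass it inline with `-U 'SAMDOM\administrator%password'`. The script deliberately does not edit smb.conf: whether to keep `acl_xattr:ignore system acls = yes` on the sysvol share is exactly the point Rowland and Louis disagree on above, and it also leaves `samba-tool ntacl sysvolreset` alone, since Louis warns that running it undoes his setup.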