Marcio Demetrio Bacci
2017-Jul-02 14:30 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi,

I'm using Samba 4.6.5 and I have installed it as follows:

    wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
    tar -xzvf samba-4.6.5.tar.gz
    cd samba-4.6.5
    ./configure --enable-debug --enable-selftest
    make
    make install

It seems to be working properly; however, I can't create or update a GPO with the Windows Group Policy Management tool.

When I try, a "Denied Access" message appears.

I'm using a user that is a member of "Domain Admins", "Domain Computers", "Domain Controllers", "Group Policy Creators Owners" and "Domain Users".

When I run the "samba-tool ntacl sysvolreset" command, the following errors appear:

    root at dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
    open: error=2 (No such file or directory)
    ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
        lp, use_ntvfs=use_ntvfs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
        set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
        use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I have verified that the permissions on my files in "/usr/local/samba/var/locks/" are like this:

    ls -l /usr/local/samba/var/locks/
    total 1384
    -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
    -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
    -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
    drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
    -rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
    drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged

Following are my fstab and smb.conf files:

/etc/fstab

    # <file system> <mount point> <type> <options> <dump> <pass>
    /dev/mapper/disk2--vg-root / ext4 errors=remount-ro 0 1
    UUID=400ad8c2-9c4c-4a08-883b-3aaddcb24850 /boot ext2 defaults 0 2
    /dev/mapper/disk2--vg-swap_1 none swap sw 0 0
    /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

######################################################################

/usr/local/samba/etc/smb.conf

    # Global parameters
    [global]
    workgroup = EMPRESA
    realm = EMPREA.COM.BR
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 192.168.0.5
    idmap_ldb:use rfc2307 = yes
    ldap server require strong auth = no

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
    read only = No

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
    acl_xattr:ignore system acls = yes

##################################################

Some tests with attr:

    root at dc1:~# touch testando.txt
    root at dc1:~# setfattr -n user.test -v test testando.txt
    root at dc1:~# setfattr -n security.test -v test2 testando.txt

    root at dc1:~# getfattr -d testando.txt
    # file: testando.txt
    user.test="test"

    root at dc1:~# getfattr -n security.test -d testando.txt
    # file: testando.txt
    security.test="test2"

Does anybody have an idea how to solve this problem?

Regards,

Márcio Bacci
Rowland Penny
2017-Jul-02 15:26 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
On Sun, 2 Jul 2017 11:30:32 -0300
Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm using Samba 4.6.5 and I have installed as follows:
>
> wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
>
> tar -xzvf samba-4.6.5.tar.gz
>
> cd samba-4.6.5
>
> ./configure --enable-debug --enable-selftest

Why? You only need './configure', unless you are going to run the tests.

> make
>
> make install
>
> It seems that is working properly, however I can't create or update
> GPO with Windows Group Policy Management tool.
>
> When I try, "Denied Access" message appear.
>
> I'm using an user that is member of "Domain Admins", "Domain
> Computers", "Domain Controllers", "Group Policy Creators Owners" and
> "Domain Users".
>
> When I run "samba-tool ntacl sysvolreset" command, appear the
> following errors:
>
> root at dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset

Why are you running samba-tool like that? Haven't you set up your PATH correctly? If you run (in a terminal):

    echo $PATH

it should return your path, and that should start like this:

    /usr/local/samba/bin:/usr/local/samba/sbin:

If your PATH is set correctly, you should be able to run samba-tool from anywhere, from /root for instance.

> I have verified that permissions on my files in
> "/usr/local/samba/var/locks/" are like this:
>
> ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
> -rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged

Who is '30056'?
Have you given 'Administrator' a uidNumber?
Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege'?

> /usr/local/samba/etc/smb.conf
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> acl_xattr:ignore system acls = yes

You should remove the above line, it isn't required.

Rowland
Stefan G. Weichinger
2017-Jul-02 18:40 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
On 2017-07-02 at 17:26, Rowland Penny via samba wrote:

>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>> acl_xattr:ignore system acls = yes
>
> You should remove the above line, it isn't required.

Louis recommended that one to me a few weeks ago.
Could you explain?
Marcio Demetrio Bacci
2017-Jul-02 21:52 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi Rowland

Now, I set up my PATH adding /usr/local/samba/bin:/usr/local/samba/sbin:

    echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin

ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
> -rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged

1) Who is '30056'?
30056 is the Administrator user.

2) Have you given 'Administrator' a uidNumber?
Yes, I set up Unix Attribute to Administrator and "Domain Admins", "Domain Controllers" and other groups.

3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege'?
No. Is it necessary?

Now, I excluded the "acl_xattr:ignore system acls = yes" line in "/usr/local/samba/etc/smb.conf".

I have executed the "chown root:root -R /usr/local/samba/var/locks" command, and now I can create and update GPOs, but I don't know if it is correct. What is the better way to correct file permissions on sysvol?

The "samba-tool ntacl sysvolreset" command continues to display errors:

    open: error=2 (No such file or directory)
    ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
        lp, use_ntvfs=use_ntvfs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
        set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
        use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I have created a WSUS GPO, and when I typed "gpupdate /force" at the prompt of the Windows stations an error appears:

"Group Policy was not processed. Windows can not apply the registry-based policy settings to the Group Policy object LDAP://CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=policies, CN=System,DC=empresa,DC=com,DC=br. The Group Policy settings will not be resolved until this event is resolved."

How could I solve this problem?

Regards,

Márcio Bacci

2017-07-02 12:26 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sun, 2 Jul 2017 11:30:32 -0300
> Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > I'm using Samba 4.6.5 and I have installed as follows:
> >
> > wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
> >
> > tar -xzvf samba-4.6.5.tar.gz
> >
> > cd samba-4.6.5
> >
> > ./configure --enable-debug --enable-selftest
>
> Why ? you only need './configure' , unless you are going to run the
> tests.
>
> > make
> >
> > make install
> >
> > It seems that is working properly, however I can't create or update
> > GPO with Windows Group Policy Management tool.
> >
> > When I try, "Denied Access" message appear.
> >
> > I'm using an user that is member of "Domain Admins", "Domain
> > Computers", "Domain Controllers", "Group Policy Creators Owners" and
> > "Domain Users".
> >
> > When I run "samba-tool ntacl sysvolreset" command, appear the
> > following errors:
> >
> > root at dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
>
> Why are you running samba-tool like that, haven't you set up your PATH
> correctly, if you run (in a terminal):
>
> echo $PATH
>
> it should return your path and that should start like this:
>
> /usr/local/samba/bin:/usr/local/samba/sbin:
>
> If your PATH is set correctly, you should be able to run samba-tool
> from anywhere, from /root for instance.
>
> > I have verified that permissions on my files in
> > "/usr/local/samba/var/locks/" are like this:
> >
> > ls -l /usr/local/samba/var/locks/
> > total 1384
> > -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> > -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> > -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> > drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
> > -rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
> > drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged
>
> Who is '30056' ?
> Have you given 'Administrator' a uidNumber ?
> Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?
>
> > /usr/local/samba/etc/smb.conf
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
>
> You should remove the above line, it isn't required.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2017-Jul-03 07:29 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hai,

In response to why I recommend that.

Since this is a "windows" only share, I recommend to set it up for that usage, which results in better matching for windows rights. Resulting in better working policies.
The current POSIX rights did not match to my needs and resulted in inconsistent policies.
This is why I use these for profiles and sysvol.

And this is my setup order:

Setup the sysvol share with:

    acl_xattr:ignore system acls = yes

Setup SeDiskOperatorPrivilege. For sysvol, setup 2 ! Groups.

    net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
    net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"

And use the default windows group for extra users: "Group Policy Creator Owners"

Setup Share rights (you must re-apply them if you use "ignore system acls").
Setup Security rights, but since you're using "ignore system acls" the default sysvol rights are now ok. But check if the creator group is also on the security rights.

Check from within the GPO management tools, you will get some messages about rights to fix, do that.

And don't run samba-tools sysvolreset, if you do, then you will have to repeat the above again.

Now your GPO should work as normal.

Try it out and report your result.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Sunday 2 July 2017 20:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On 2017-07-02 at 17:26, Rowland Penny via samba wrote:
>
> >> [sysvol]
> >> path = /usr/local/samba/var/locks/sysvol
> >> read only = No
> >> acl_xattr:ignore system acls = yes
> >
> > You should remove the above line, it isn't required.
>
> Louis recommended that one to me a few weeks ago.
> Could you explain?
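
Added example (not code from any poster in this thread or from the Samba project): a small Python audit of an smb.conf like the one posted in the first message, flagging three things visible in that file: the disabled LDAP strong-auth requirement, a realm that does not match the directory name under sysvol, and the `acl_xattr:ignore system acls` line the replies disagree about. The function names and finding texts are hypothetical, the embedded configuration is an excerpt of the posted one, and the realm check assumes the default provisioning layout where the directory under sysvol is the lower-cased realm.

```python
import re

# Constructed sample: excerpt of the smb.conf posted in the first message.
SMB_CONF = """\
[global]
workgroup = EMPRESA
realm = EMPREA.COM.BR
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
[netlogon]
path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
[sysvol]
path = /usr/local/samba/var/locks/sysvol
acl_xattr:ignore system acls = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Split on the first '=' only,
    because names such as 'acl_xattr:ignore system acls' contain ':'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Hypothetical checks written for this example, not a Samba tool."""
    findings, g = [], conf.get("global", {})
    if g.get("ldap server require strong auth", "yes").strip().lower() == "no":
        findings.append("global: 'ldap server require strong auth = no' weakens LDAP bind security")
    realm = g.get("realm", "").lower()
    netlogon = conf.get("netlogon", {}).get("path", "").lower() + "/"
    if realm and netlogon != "/" and f"/sysvol/{realm}/" not in netlogon:
        findings.append(f"netlogon: path has no /sysvol/{realm}/ component (realm vs. directory name)")
    ignore = conf.get("sysvol", {}).get("acl_xattr:ignore system acls", "no")
    if ignore.strip().lower() in ("yes", "true", "1"):
        findings.append("sysvol: 'acl_xattr:ignore system acls = yes' is set (disputed in this thread)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_smb_conf(SMB_CONF))))
```

On the configuration as posted, all three checks fire; the realm reads EMPREA.COM.BR while the netlogon path uses empresa.com.br.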