> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?

Yes, and no. Yes, it's a bug. No, in my opinion it's an old setting that just needs some updating.

Try this.

samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" /var/lib/samba/sysvol/$(hostname -d)/Policies/

Now create a new policy. Are the rights ok, yes.
Then fix/verify the share and security rights on sysvol again. No,.. Uhh... That's not what I'm expecting.. ;-)
After you have corrected the share and security rights, DON'T use sysvolreset anymore.

These are my outputs.

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/Policies/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)

getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/my.domain.tld/Policies/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
user:ADDOM\\group\040policy\040creator\040owners:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
group:ADDOM\\group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:user:ADDOM\\group\040policy\040creator\040owners:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:ADDOM\\group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---

Do you also have/see:
default:group:ADDOM\\group\040policy\040creator\040owners:rwx
And are the needed users in there?

Now my tip here is,

1) before you reset any rights, run:

mkdir ~/before && cd ~/before
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ > sysvol.sddl
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.sddl
getfacl /var/lib/samba/sysvol/ > sysvol.facl
getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.facl

How does it look in Windows, under Advanced right settings.

2) after you reset the rights, rerun the above:

mkdir ~/after && cd ~/after
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ > sysvol.sddl
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.sddl
getfacl /var/lib/samba/sysvol/ > sysvol.facl
getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.facl

And how does it look in Windows, under Advanced right settings now.

So a few things to get past your problems.

Small side note, you might need to remove all ACLs and extended attributes first and reapply it all. I'm saying this because, after my fileservers moved and I restored some files from backups, the old UID/GID were restored also.

A part of a new script I have, how I reset all folders and files. It focuses on a user homedir here but it shows what I did.
There might be a faster/better way for it, but this worked for me. You might want/need to transform that to the sysvol folders.
FindUser is the username found by the script.
SAMBA_SHARE_USERS is the path to the users share (in this case it's /srv/samba/users)

# Variables this fragment expects to be set earlier in the script:
#   FindUser          - the username found by the script
#   SAMBA_SHARE_USERS - path to the users share, e.g. /srv/samba/users
#   NAME2SID          - the SID of ${FindUser} (not shown in the posted fragment;
#                       assumed to be looked up earlier, e.g. with wbinfo --name-to-sid)

# Remove old ACLs.
echo "Removing old ACLs for: ${FindUser}"
setfacl --recursive --remove-all "${SAMBA_SHARE_USERS}/${FindUser}"

# Make sure we removed Other (everyone) from all files and folders.
echo "Recursively removing access for other (everyone) for: ${FindUser}"
chmod -R o-rwx "${SAMBA_SHARE_USERS}/${FindUser}/"

# Set basic POSIX rights.
# Set all owner rights to root:root (= Administrator:Domain Admins).
# Without it, migrated files might still have their old UID/GIDs on them.
echo "Re-apply root:root on the user homedir (recursively) for: ${FindUser}"
chown -R root:root "${SAMBA_SHARE_USERS}/${FindUser}"

# We set the user files and subfolders like how that SDDL is set up.
echo "Re-apply ${FindUser}:domain users on CONTENT IN the user homedir for: ${FindUser}"
chown -R "${FindUser}":"domain users" "${SAMBA_SHARE_USERS}/${FindUser}/"

# Restore owner:group defaults.
echo "Recursively re-applying rights 770 access for: ${FindUser}"
chmod -R 770 "${SAMBA_SHARE_USERS}/${FindUser}/"

# Set the correct rights on the folder.
echo "Re-apply SDDL with samba-tool for user: ${FindUser}"
samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;${NAME2SID})(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" "${SAMBA_SHARE_USERS}/${FindUser}"

# But we can not set recursively with samba-tool (as far as I found), so we use setfacl.
echo "Recursively re-apply with setfacl enforcing user defaults for user: ${FindUser}"
setfacl --recursive --modify user:"${FindUser}":rwX,default:user:"${FindUser}":rwX "${SAMBA_SHARE_USERS}/${FindUser}/"

Small side note on the above part.
ls -al /srv/samba/users/* will show for all users:

drwxrwx---+ 14 root root 4096 Oct 9 10:03 anyuser

Which is:

getfacl /home/users/anyuser
getfacl: Removing leading '/' from absolute path names
# file: home/users/anyuser
# owner: root
# group: root
user::rwx
user:root:rwx
user:anyuser:rwx
group::r-x
group:root:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:anyuser:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

Resulting in, users see and can only access their own folder.
Any new file/folder created IN the user's folder gets rights: username:"domain users"
You need the users as owner on new folders if you use GPOs and folder redirection to the user homedir.

Enjoy, you have something to do today. ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sonic via samba
> Sent: Sunday 25 October 2020 21:59
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] GPO fail and sysvol perm errors
>
> On Sun, Oct 25, 2020 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
> > its a bit like 'wack a mole', just keep running sysvolreset :-D
>
> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
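Added here as an example, not part of Louis's message or of Samba's own tooling: a small Python helper that decodes the SDDL strings samba-tool ntacl get --as-sddl prints above, lists which trustees hold write rights on sysvol (on a healthy sysvol that should be only Administrators, SYSTEM and Group Policy Creator Owners), and diffs two captures such as the ~/before and ~/after files. The alias and rights tables are the standard Windows SDDL abbreviations and access-mask values, which the thread itself does not spell out.

```python
import re

# Access-mask values that samba-tool prints in the sysvol SDDL strings in this thread.
RIGHTS = {0x001F01FF: "Full Control", 0x001301BF: "Modify", 0x001200A9: "Read & Execute"}
# Mask bits that allow changing content, attributes, the DACL or the owner.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000
# Standard two-letter SDDL trustee aliases seen on sysvol and in the homedir script.
ALIASES = {"BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
           "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
           "PA": "Group Policy Creator Owners", "LA": "Administrator",
           "DA": "Domain Admins", "CG": "CREATOR GROUP", "WD": "Everyone"}
SDDL_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})G:(S-[\d-]+|[A-Z]{2})D:([A-Z]*)((?:\([^)]*\))*)$")


def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, aces); each ACE is (type, flags, mask, trustee)."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a recognised SDDL string: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = ace.split(";")
        # samba-tool prints the access mask as hex; a non-hex rights alias is kept as text
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        aces.append((ace_type, flags, mask, trustee))
    return owner, group, dacl_flags, aces


def describe(sddl):
    """Render every ACE as one line, e.g. 'Allow BUILTIN\\Administrators: Full Control [OI CI]'."""
    lines = []
    for ace_type, flags, mask, trustee in parse_sddl(sddl)[3]:
        who = ALIASES.get(trustee, trustee)
        right = RIGHTS.get(mask, hex(mask) if isinstance(mask, int) else mask)
        flag_list = " ".join(flags[i:i + 2] for i in range(0, len(flags), 2))
        verb = {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type)
        lines.append("%s %s: %s [%s]" % (verb, who, right, flag_list))
    return lines


def writers(sddl):
    """Trustees holding any write bit: on sysvol only admins, SYSTEM and GPO creator owners belong here."""
    return [ALIASES.get(t, t) for typ, _f, mask, t in parse_sddl(sddl)[3]
            if typ == "A" and isinstance(mask, int) and mask & WRITE_BITS]


def diff_sddl(before, after):
    """ACEs removed and added between two captures, e.g. the ~/before and ~/after files."""
    b = set(parse_sddl(before)[3])
    a = set(parse_sddl(after)[3])
    return b - a, a - b
```

Feed it the contents of sysvol.sddl and sysvol.dom.Policies.sddl from the before/after directories; an Authenticated Users or Everyone entry turning up in writers() is the kind of drift worth chasing before reaching for sysvolreset.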
On Mon, Oct 26, 2020 at 6:46 AM L. van Belle via samba <samba at lists.samba.org> wrote:
<snip>
> Enjoy, you have something to do today. ;-)

Thanks! Looks like a project for next weekend :-)

Chris
Just to clarify...
Due to the contents I see it seems safe to play with the sysvol perms while Samba is up and running. Is there any concern over this?

Thanks!
Chris
As far as I can tell, based on, that's exactly what I'm doing.
No, but if you are unsure, just make a copy of sysvol to sysvol2 (and the subfolders).
Make a share sysvol2, test on that one.
Also, comparing like that, you have the "before" and "after" checks at the same time.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sonic via samba
> Sent: Monday 26 October 2020 15:48
> To: belle at samba.org
> CC: Samba Mailing List
> Subject: Re: [Samba] GPO fail and sysvol perm errors
>
> Just to clarify...
> Due to the contents I see it seems safe to play with the sysvol
> perms while Samba is up and running. Is there any concern over this?
>
> Thanks!
> Chris
On Mon, Oct 26, 2020 at 6:46 AM L. van Belle via samba <samba at lists.samba.org> wrote:
> getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/my.domain.tld/Policies/
> # owner: root
> # group: BUILTIN\\administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\\administrators:rwx
> user:BUILTIN\\server\040operators:r-x
> user:NT\040AUTHORITY\\system:rwx
> user:NT\040AUTHORITY\\authenticated\040users:r-x
> user:ADDOM\\group\040policy\040creator\040owners:rwx
> group::rwx
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\server\040operators:r-x
> group:NT\040AUTHORITY\\system:rwx
> group:NT\040AUTHORITY\\authenticated\040users:r-x
> group:ADDOM\\group\040policy\040creator\040owners:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\\administrators:rwx
> default:user:BUILTIN\\server\040operators:r-x
> default:user:NT\040AUTHORITY\\system:rwx
> default:user:NT\040AUTHORITY\\authenticated\040users:r-x
> default:user:ADDOM\\group\040policy\040creator\040owners:rwx
> default:group::---
> default:group:BUILTIN\\administrators:rwx
> default:group:BUILTIN\\server\040operators:r-x
> default:group:NT\040AUTHORITY\\system:rwx
> default:group:NT\040AUTHORITY\\authenticated\040users:r-x
> default:group:ADDOM\\group\040policy\040creator\040owners:rwx
> default:mask::rwx
> default:other::---

The above is also what I get after applying those rights.

> Do you also have/see:
> default:group:ADDOM\\group\040policy\040creator\040owners:rwx
> And are the needed users in there?

I see it, yes, not sure who the needed users are.

> How does it look in windows, under Advanced right settings.

Administrators Full Control
Server Operators Read & Execute
SYSTEM Full Control
Authenticated Users Read & Execute

Should there be something else?

However the sysvolcheck still fails and so does gpupdate, same errors in the log as well.

Chris
Hai,

Good morning people around the world.

More below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sonic via samba
> Sent: Monday 26 October 2020 18:00
> To: belle at samba.org
> CC: Samba Mailing List
> Subject: Re: [Samba] GPO fail and sysvol perm errors
>
> On Mon, Oct 26, 2020 at 6:46 AM L. van Belle via samba
> <samba at lists.samba.org> wrote:
> > getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/
> > (getfacl output for Policies/, identical to the listing quoted in the previous message)
>
> The above is also what I get after applying those rights.

Ok, so that's correct.

> > Do you also have/see:
> > default:group:ADDOM\\group\040policy\040creator\040owners:rwx
> > And are the needed users in there?
>
> I see it, yes, not sure who the needed users are.

Administrator
Any other extra admin or adminGroup.

> > How does it look in windows, under Advanced right settings.
>
> Administrators Full Control
> Server Operators Read & Execute
> SYSTEM Full Control
> Authenticated Users Read & Execute
>
> Should there be something else?

No this looks good to me, that is sufficient.

> However the sysvolcheck still fails and so does gpupdate, same errors
> in the log as well.

Can you tell the windows event id and description?
And which group is set on sysvol in general on the share tab.

And run CMD:
gpresult /H gpreport.html
gpreport.html ( browser will open )

At Computer details, check the applied GroupPolicyObjects.
There you can see the security filters, which groups are used in/for the gpo objects.
Repeat for User details.

I don't need the computer/user details, but I do need the event id and description of the fails.

Greetz,

Louis
On Tue, Oct 27, 2020 at 4:01 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Ok, so that's correct.

However gpupdate fails. And I know you said not to run sysvolreset, but after running it gpupdate works.

> Can you tell the windows event id and description?

I get different errors depending upon the system, whether it's a local system or a remote one connected via vpn.

The remote system is Event ID 1058:
The processing of Group Policy failed. Windows attempted to read the file \\my.example.com\sysvol\my.example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved

The local system is Event ID 1096:
The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC},cn=policies,cn=system,DC=my,DC=example,DC=com. Group Policy settings will not be resolved until this event is resolved.

After running sysvolreset the systems update fine. Problem is once I add or edit a GPO (from Windows 10 20H2) everything fails until I run sysvolreset again.

> And which group is set on sysvol in general on the share tab.

This is the current info (I did run sysvolreset to get the GPOs working again, so this is not with your settings, I can look into this again later)
Owner is ADDOM\Administrator
Allow Everyone Full Control

Chris
Good morning Chris

> -----Original message-----
> From: Sonic [mailto:sonicsmith at gmail.com]
> Sent: Tuesday 27 October 2020 21:07
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] GPO fail and sysvol perm errors
>
> On Tue, Oct 27, 2020 at 4:01 AM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> > Ok, so that's correct.
> However gpupdate fails. And I know you said not to run sysvolreset,
> but after running it gpupdate works.
>
> > Can you tell the windows event id and description?
> I get different errors depending upon the system, whether it's a local
> system or a remote one connected via vpn.
> The remote system is Event ID 1058:
> The processing of Group Policy failed. Windows attempted to read the file
> \\my.example.com\sysvol\my.example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> from a domain controller and was not successful. Group Policy settings
> may not be applied until this event is resolved

Ok, I'm guessing you can open the gpt.ini file fine, if you click that link, correct?
Have you enabled the "Always wait for network" GPO setting? Enable this one.
https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsLogon::SyncForegroundPolicy

> The local system is Event ID 1096:
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=Machine,cn={E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC},cn=policies,cn=system,DC=my,DC=example,DC=com.
> Group Policy settings will not be resolved until this event is resolved.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727302(v=ws.10)?redirectedfrom=MSDN
So here they say, delete and recreate, I don't think that's needed..
I think your solution is in this link.
https://docs.microsoft.com/nl-nl/troubleshoot/windows-server/group-policy/permissions-this-gpo-inconsistent

> After running sysvolreset the systems update fine. Problem is once I
> add or edit a GPO (from Windows 10 20H2) everything fails until I run
> sysvolreset again.

That's because there is something off in the rights, or.. due to it trying to read it but the network isn't ready yet.

> > And which group is set on sysvol in general on the share tab.
> This is the current info (I did run sysvolreset to get the GPOs
> working again, so this is not with your settings, I can look into this
> again later)
> Owner is ADDOM\Administrator
> Allow Everyone Full Control

That should be sufficient.
And.. it's not "my" settings.. ;-) all can be found in: https://docs.microsoft.com/

I also recommend you to read, since you also have a remote location:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview

First, let's see how far the above gets you.

Greetz,

Louis