HI!

Good morning Louis :-D

In Samba ADDC I did not configure (I understood that I didn't need) the nsswitch part, but I did it now in DC 1 and DC2, it seems to me that it solved, even before the ids being the same in DC1 and DC2, now it remains the same with names, but gpupdate no longer gave an error and successfully loaded the policy \o/

But the samba-tool ntacl sysvolreset gave a different error, it was in a loop with this message "idmap range not specified for domain '*'", but in smb.conf of an ADDC if the idmap is not configured as I remember, at least I never did it and I didn't even see it in the documentation.

Is something else wrong now?

Regards;

On 25/05/2021 04:14, L.P.H. van Belle via samba wrote:
> Good morning Carlos, ( at last morning for me. )
>
> I'm wondering why you only see UID's and not at least few groups in the output.
> Did you configure nsswitch.conf ?
>
> Did you verify this :
>
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol, you need
> this for some GPO settings.
>
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos via samba
>> Sent: Friday 21 May 2021 20:29
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] NT_STATUS_OBJECT_NAME_NOT_FOUND
>>
>> Yes, in DC1 and DC2, sysvol is equal(i think)
>>
>> DC1 :
>>
>> getfacl /usr/local/samba/var/locks/sysvol/xxx.xxxx.com.br/Policies/\{D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC\}/GPT.INI
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: usr/local/samba/var/locks/sysvol/xxx.xxx.com.br/Policies/{D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}/GPT.INI
>> # owner: 3000008
>> # group: 3000008
>> user::rwx
>> user:3000002:rwx
>> user:3000006:rwx
>> user:3000010:r-x
>> user:3000018:r-x
>> user:3000776:r-x
>> group::rwx
>> group:3000002:rwx
>> group:3000006:rwx
>> group:3000008:rwx
>> group:3000010:r-x
>> group:3000018:r-x
>> group:3000776:r-x
>> mask::rwx
>> other::---
>>
>> samba-tool gpo show {D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
>> GPO          : {D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
>> display name : GPO_XXX_XXX_128
>> path         : \\xxx.xxx.com.br\SysVol\xxxx.xxxx.com.br\Policies\{D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
>> dn           : CN={D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC},CN=Policies,CN=System,DC=xxxx,DC=xxxx,DC=com,DC=br
>> version      : 2359302
>> flags        : NONE
>> ACL          : <hidden>
>>
>> -------------------------
>>
>> DC2
>>
>> getfacl /usr/local/samba/var/locks/sysvol/xxx.xxx.com.br/Policies/\{D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC\}/GPT.INI
>> getfacl: Removing leading '/' from absolute path names
>> # file: usr/local/samba/var/locks/sysvol/xxx.xxxx.com.br/Policies/{D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}/GPT.INI
>> # owner: 3000008
>> # group: 3000008
>> user::rwx
>> user:3000002:rwx
>> user:3000006:rwx
>> user:3000010:r-x
>> user:3000018:r-x
>> user:3000776:r-x
>> group::rwx
>> group:3000002:rwx
>> group:3000006:rwx
>> group:3000008:rwx
>> group:3000010:r-x
>> group:3000018:r-x
>> group:3000776:r-x
>> mask::rwx
>> other::---
>>
>> samba-tool gpo show {D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
>> GPO          : {D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
>> display name : XXXX_XXXX_UNIDADE_128
>> path         : \\xxxx.xxxx.com.br\SysVol\xxx.xxxx.com.br\Policies\{D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC}
>> dn           : CN={D79B199C-B2CC-4A0C-A0AB-DBF6C8C9FBAC},CN=Policies,CN=System,DC=grupo,DC=xxxx,DC=com,DC=br
>> version      : 2359302
>> flags        : NONE
>> ACL          : <hidden>
>>
>> ========================
>>
>> regards
>>
>> On 21/05/2021 14:58, Rowland penny via samba wrote:
>>> On 21/05/2021 18:44, Carlos via samba wrote:
>>>> Hi,
>>>>
>>>> I tried sync idmap.ldb yesterday (but with command tdb backups .bak
>>>> /usr/local/samba/private/idmap.ldb) ante copy dc1 to dc2, but error
>>>> continued.
>>>>
>>>> I ran script:
>>>
>>> GPO's are stored in two places, on disk in the sysvol directory and in
>>> AD. The error 'NT_STATUS_OBJECT_NAME_NOT_FOUND' usually occurs when
>>> the GPO is in AD, but not in sysvol. Have you checked the GPO is
>>> visible in sysvol ?
>>>
>>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Hi

I rebooted machine, and error again for load gpo.... :-(

I think the problem is sysvolreset....

regards;

On 25/05/2021 09:16, Carlos wrote:
> HI!
>
> Good morning Louis :-D
>
> In Samba ADDC I did not configure (I understood that I didn't need)
> the nsswitch part, but I did it now in DC 1 and DC2, it seems to me
> that it solved, even before the ids being the same in DC1 and DC2, now
> it remains the same with names, but gpupdate no longer gave an error
> and successfully loaded the policy \o/
>
> But the samba-tool ntacl sysvolreset gave a different error, it was in
> a loop with this message "idmap range not specified for domain '*'",
> but in smb.conf of an ADDC if the idmap is not configured as I
> remember, at least I never did it and I didn't even see it in the
> documentation.
>
> Is something else wrong now?
>
> Regards;

> > it seems to me
> > that it solved, even before the ids being the same in DC1 and DC2,

:-/ Seems not,..

So.. Did you do exactly as asked?

Imagine id 300002 on DC1 is Administrators and on DC2 it's GUESTS..
What do you think will happen.. ;-)

Read my mail and instructions again please.
Because you MUST have idmap in sync.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos via samba
> Sent: Tuesday 25 May 2021 14:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] NT_STATUS_OBJECT_NAME_NOT_FOUND
>
> Hi
>
> I rebooted machine, and error again for load gpo.... :-(
>
> I think the problem is sysvolreset....
>
> regards;

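Added example, not part of the thread and not Samba project code: identical numeric IDs in `getfacl` output on two DCs say nothing about whether each ID resolves to the same SID on both, which is the idmap-in-sync point made above. The sketch below cross-checks the IDs in a sysvol ACL against a text dump of each DC's idmap.ldb; the dump layout (blank-line separated records carrying `xidNumber` and `objectSid`), the function names and all sample data are assumptions constructed for illustration.

```python
import re

def parse_idmap(ldif):
    """xidNumber -> objectSid, from a text dump of idmap.ldb records."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "xidNumber" in attrs and "objectSid" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"].strip()
    return mapping

def acl_ids(getfacl_out):
    """Numeric uids/gids that appear as owner, group or ACL entries."""
    ids = set()
    for line in getfacl_out.splitlines():
        line = line.strip()
        m = (re.match(r"#\s*(?:owner|group):\s*(\d+)", line)
             or re.match(r"(?:user|group):(\d+):[rwx-]{3}", line))
        if m:
            ids.add(int(m.group(1)))
    return ids

def idmap_mismatches(getfacl_out, dc1_ldif, dc2_ldif):
    """IDs used in the ACL that do not resolve to the same SID on both DCs."""
    dc1, dc2 = parse_idmap(dc1_ldif), parse_idmap(dc2_ldif)
    return [(xid, dc1.get(xid), dc2.get(xid))
            for xid in sorted(acl_ids(getfacl_out))
            if xid not in dc1 or dc1[xid] != dc2.get(xid)]

def _dump(pairs):
    # Build constructed idmap records in the assumed dump layout.
    return "\n\n".join(
        f"dn: CN={sid}\nobjectSid: {sid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}"
        for xid, sid in pairs)

# Constructed sample data; the SIDs are well-known ones chosen for illustration.
SAMPLE_ACL = """\
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000006:rwx
user:3000010:r-x
group:3000008:rwx
mask::rwx
other::---
"""
DC1_DUMP = _dump([(3000002, "S-1-5-32-544"), (3000006, "S-1-5-18"),
                  (3000008, "S-1-5-32-549"), (3000010, "S-1-5-11")])
DC2_DUMP = _dump([(3000002, "S-1-5-32-546"), (3000006, "S-1-5-18"),
                  (3000008, "S-1-5-32-549")])

if __name__ == "__main__":
    for xid, sid1, sid2 in idmap_mismatches(SAMPLE_ACL, DC1_DUMP, DC2_DUMP):
        print(f"xid {xid}: DC1={sid1} DC2={sid2}")
```

In the constructed data, ID 3000002 is BUILTIN\Administrators on one DC and BUILTIN\Guests on the other, and 3000010 has no mapping on the second DC, so the same on-disk ACL grants different principals access depending on which DC serves sysvol.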
On 25/05/2021 13:16, Carlos via samba wrote:
> HI!
>
> Good morning Louis :-D
>
> In Samba ADDC I did not configure (I understood that I didn't need)
> the nsswitch part, but I did it now in DC 1 and DC2, it seems to me
> that it solved, even before the ids being the same in DC1 and DC2, now
> it remains the same with names, but gpupdate no longer gave an error
> and successfully loaded the policy \o/
>
> But the samba-tool ntacl sysvolreset gave a different error, it was in
> a loop with this message "idmap range not specified for domain '*'",
> but in smb.conf of an ADDC if the idmap is not configured as I
> remember, at least I never did it and I didn't even see it in the
> documentation.
>
> Is something else wrong now?

Yes and no. You are getting that message because of a bug, you cannot use 'idmap config' lines in a DC smb.conf, but there is a default line and that is being picked up. You could normally ignore the error, but why sysvolreset is looping around the error, I am unsure, have you given all the AD groups a gidNumber ?

Rowland