samba2024 at imagmbh.de
2024-Jan-11 10:33 UTC
[Samba] can't add user to security filter in a GPO
Hello,

we have an Ubuntu 20.04 that was upgraded a while ago from a 16.04, samba version is 4.13.17. The server is a fileserver and a samba domain controller. Everything looked fine and we barely use GPOs. It was required to add a group to a GPO security filter and it does not work. It worked when it was Ubuntu 16.04; I don't know the version in the past. There is no error message, the user is not added. It was done via RSAT Tools. I can create a new GPO, but I could not add a user to the security filter there either.

I see no error message in any log on the Samba side and I see no errors on the Windows side; the group is just not added.

I looked around and I found a thread saying I should use
samba-tool dbcheck --cross-ncs
There were errors. I used the --fix parameter and the result was
Please use --fix to fix these errors
Checked 3629 objects (3483 errors)

but it did not change anything about the previous problem.

As there were no messages in the logs, neither on the Samba side nor on the Windows side, any idea to solve the problem or to dive into would be greatly appreciated. Of course I can update to the newest version on Ubuntu 22.04, but I don't know if I would break more and destroy the domain.

On Thu, 11 Jan 2024 11:33:52 +0100 samba2024--- via samba <samba at lists.samba.org> wrote:

> Hello,
>
> we have an Ubuntu 20.04 that was upgraded a while ago from a 16.04,
> samba Version is 4.13.17. The Server is a fileserver and a samba
> domain controller.

It is not recommended to use a Samba AD DC as a fileserver. I would suggest you move the fileserver role to a separate Unix domain member.

> Everything looked fine and we barely use GPOs, it
> was required to add a group to a GPO security filter and it does
> not work, it worked when it was Ubuntu 16.04 I don't know of the
> Version in the past. There is no error message, the user is not
> added, it was done via RSAT Tools. I can create a new GPO but there I
> could not add a user to security filter there as well.
> I see no error message in any log on the Samba side and I see no
> errors on Windows side, the group is just not added.
> I looked around and I found a thread saying I should use
> samba-tool dbcheck --cross-ncs
> there were errors I used the --fix parameter and the result was
> Please use --fix to fix these errors
> Checked 3629 objects (3483 errors)
>
> but it did not change anything about the previous problem
>
> As there were no messages in the logs neither the Samba-side nor on
> the Windows-Side any idea to solve the problem or to dive into would
> be greatly appreciated. Of course I can update to the newest version
> on Ubuntu 22.04 but I don't know if I would break more and destroy
> the domain.
>

There have been a lot of changes in the way Samba uses GPOs since 4.13.x, but upgrading to 22.04 will not get you to the latest version. I suggest you set up another DC on Debian bookworm with Samba from backports (which will get you 4.19.3) and join this to your domain.

Rowland