Jakob Curdes
2024-Apr-25 19:11 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
Am 25.04.2024 um 19:59 schrieb Rowland Penny via samba:> I suspect that I forgot to set the idmap config on the DC(s) > accordingly? > Do not set idmap config lines on a Samba DC, they do not work, you must > use the 3000000 numbers or use rfc2307 attributes (uidNumber, > gidNumber, etc) > > Have you read this: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege >Yes, but rereading it and the mail thread I think I will try to sanitize my configs and then go through that page again. But I would like to do this with hands-on to the domain as it is in production, so this will have to wait until next week. I will try to heed your hints and get back with a result. Thank you and best regards, Jakob
Jakob Curdes
2024-May-02 10:07 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
Hello all, to return to the original topic: My original problem was that I could not edit GP objects with the GP Editor, even as Domain admin. I always got "access denied". A sysvolcheck returned no errors and the Windows "Security" tab for the object in question on the sysvol share looked correct. I now found out that the group id of the sysvol folder (and everything below) was 3000000, while the "Administrators" group has the group ID 3000002. I corrected the group ID assigned to the sysvol folder on both DCs and now I can edit the GP objects with the GPO editor. I still do not understand why on my DCs "getent group" and "getent user" do not return the Windows groups and users, but that is probably a cosmetic thing as you can get all info via wbinfo and samba-tool. Just for this case here it would then also display the group ownership of the sysvol folder. I have "winbind" in nsswitch .conf and no other special settings, on other similar DCs getent group returns the groups, not sure why it is not working here, but perhaps not important enough to invest more time. I will correct the smb.conf of the member server to omit unneccessary bits with the next maintenance slot. Hope this helps others, Jakob Am 25.04.2024 um 21:11 schrieb Jakob Curdes via samba:> > Am 25.04.2024 um 19:59 schrieb Rowland Penny via samba: >> I suspect that I forgot to set the idmap config on the DC(s) >> accordingly? >> Do not set idmap config lines on a Samba DC, they do not work, you must >> use the 3000000 numbers or use rfc2307 attributes (uidNumber, >> gidNumber, etc) >> >> Have you read this: >> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege >> >> > Yes, but rereading it and the mail thread I think I will try to > sanitize my configs and then go through that page again. But I would > like to do this with hands-on to the domain as it is in production, so > this will have to wait until next week. > > I will try to heed your hints and get back with a result. > > Thank you and best regards, Jakob
Reasonably Related Threads
- GPO Editor says "Access denied" for Group Policy Objects
- Security descriptors options of Group Policies
- GPO Editor says "Access denied" for Group Policy Objects
- GPO Editor says "Access denied" for Group Policy Objects
- GPO Editor says "Access denied" for Group Policy Objects