Hai,

I'm having a strange thing with sernet samba 4.2.1 on debian wheezy.

I installed 2 DCs with my scripts.

I did set up the sysvol replication and now I'm seeing the following when I create new policies.

The default GPO's
drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}

The new policy I created.
drwxrwx---+ 4 domain admins domain admins          4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}

check these strange rights..
Because of the "domain admins domain admins" rights, and why is user root here created as "domain admins"?

when I now run:
/usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *" /home/samba/sysvol root@dc2:/home/samba && /usr/bin/unison

I'm getting these errors:

rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/scripts/

I created the new policy with the user "Domain\Administrator" from within the windows tools from a windows 7 pc as normal..

Anyone else seen this behavior?

this is the conf I'm using atm.:

[global]
        workgroup = INTERNAL
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
        auth methods = sam, winbind, ntdomain, ntdomain:winbind

        ## KEEP THIS OFF !! Only used for modifying the AD Schema
        ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
        sdb:schema update allowed = no

        ## Don't forget to set the idmap_ldb on ALL DC's if you use it
        idmap_ldb:use rfc2307 = yes

        ## map id's outside to domain to tdb files.
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999

        ## map ids from the domain and (*) the range may not overlap !
        idmap config BAZRTD : backend = ad
        idmap config BAZRTD : schema_mode = rfc2307
        idmap config BAZRTD : range = 10000-3999999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind expand groups = 3

        ## When using idmap backend RID enable these
        ## ( or for users without UID/GID for example administrator )
        #template shell = /bin/bash
        #template homedir = /home/users/%ACCOUNTNAME%

        interfaces = 127.0.0.1 192.168.249.211
        bind interfaces only = yes
        time server = yes
        wins support = yes

        ## Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
        read only = No

[sysvol]
        path = /home/samba/sysvol
        read only = No

[backups]
        path = /home/samba/backups
        Browsable = No
        read only = No
        acl_xattr:ignore system acl = yes

Greetz,

Louis

On 24/04/15 09:52, L.P.H. van Belle wrote:
> Hai,
>
> Im having a strange thing with sernet samba 4.2.1 on debian wheezy.
> [...]

Hi Louis, I wonder if this is down to the use of 'winbindd', there have been a couple of problems reported that seem to be caused by the use of it. Do you want to try using the old 'winbind' instead and see if this cures the problem?

Rowland

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 24 April 2015 11:06
>To: samba at lists.samba.org
>Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>
>[...]
>
>Hi Louis, I wonder if this is down to the use of 'winbindd', there have
>been a couple of problems reported that seem to be caused by the use of
>it. Do you want to try using the old 'winbind' instead and see if this
>cures the problem ?
>
>Rowland

ok the following is seen.
only changed winbindd to winbind in the smb.conf

## samba 4.2.1 : winbindd
id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

## samba 4.2.1 : winbind
id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(INTERNAL\Group Policy Creator Owners),3000006(INTERNAL\Enterprise Admins),3000008(INTERNAL\Domain Admins),3000007(INTERNAL\Schema Admins)

ls -al in the policies folder now gives.. (## samba 4.2.1 : winbind)

drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}

This does not look right to me.. :-/

On 24/04/15 10:22, L.P.H. van Belle wrote:
> ok the following in seen.
> only changed winbindd to winbind in the smb.conf
> [...]
> This does not look right to me.. :-/

Strange, do you want to try creating another GPO whilst still using 'winbind'?

Rowland

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 24 April 2015 12:30
>To: samba at lists.samba.org
>Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>
>[...]
>
>Strange, do want to try creating another GPO whilst still
>using 'winbind' ?
>
>Rowland

this one was created with winbind
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}

On 12:41:23 wrote L.P.H. van Belle:
> ok the following in seen.
> only changed winbindd to winbind in the smb.conf

I've reformatted and ordered the output from your "id administrator" command. One may see that a lot of things are broken now.

> ## samba 4.2.1 : winbindd

id administrator
uid=0(root) gid=100(users) groups
0(root),
100(users),
3000000(BUILTIN\administrators)
3000004(group policy creator owners),
3000005(denied rodc password replication group),
3000006(enterprise admins),
3000007(schema admins),
3000008(domain admins),
3000009(BUILTIN\users),

> ## samba 4.2.1 : winbind

id administrator
uid=0(root) gid=100(users) groups
0(root),
100(users),
3000004(INTERNAL\Group Policy Creator Owners),
3000006(INTERNAL\Enterprise Admins),
3000007(INTERNAL\Schema Admins)
3000008(INTERNAL\Domain Admins),

"winbind" shows less groups than "winbindd".
"winbind" has changed the name from BUILTIN to INTERNAL.
"winbindd" uses lower case names, probably unix names instead of windows names.
"winbindd" drops sometimes BUILTIN.

> ls -al in the policies folder now gives.. (## samba 4.2.1 : winbind)

drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}

According to the above outputs from id: 3000008 is a group, not a person! Administrator should be the owner here, not root.

> This does not look right to me.. :-/

--
Regards
Harry Jede

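The comparison made by hand in the last reply, as an added example that is not part of the original thread: it parses the two `id administrator` outputs and flags Policies entries whose owner ID is one that `id` reports as a group. The function names are hypothetical; the sample strings are copied from the messages above.

```python
import re

# Copied from the thread: `id administrator` on the DC with each winbind service.
ID_WINBINDD = (r"uid=0(root) gid=100(users) groups=0(root),100(users),"
               r"3000004(group policy creator owners),3000006(enterprise admins),"
               r"3000008(domain admins),3000007(schema admins),"
               r"3000005(denied rodc password replication group),"
               r"3000009(BUILTIN\users),3000000(BUILTIN\administrators)")
ID_WINBIND = (r"uid=0(root) gid=100(users) groups=0(root),100(users),"
              r"3000004(INTERNAL\Group Policy Creator Owners),"
              r"3000006(INTERNAL\Enterprise Admins),"
              r"3000008(INTERNAL\Domain Admins),3000007(INTERNAL\Schema Admins)")

# Copied from the thread: `ls -al` of the Policies folder while running 'winbind'.
LS_WINBIND = r"""
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
"""


def parse_id(line):
    """Split one line of `id` output into (uid, gid, {group id: group name})."""
    uid = int(re.search(r"\buid=(\d+)", line).group(1))
    gid = int(re.search(r"\bgid=(\d+)", line).group(1))
    groups_part = line.split("groups=", 1)[1]
    # Group names contain spaces and backslashes but never ')'.
    groups = {int(n): name
              for n, name in re.findall(r"(\d+)\(([^)]*)\)", groups_part)}
    return uid, gid, groups


def short_name(name):
    """Drop a DOMAIN\\ prefix and ignore case, so spellings can be compared."""
    return name.rsplit("\\", 1)[-1].casefold()


def compare_groups(first, second):
    """Report how two {id: name} maps for the same account differ."""
    common = set(first) & set(second)
    return {
        "only_in_first": sorted(set(first) - set(second)),
        "only_in_second": sorted(set(second) - set(first)),
        # Same ID, different spelling (case or domain prefix).
        "relabelled": sorted(g for g in common if first[g] != second[g]),
        # Same ID resolving to a genuinely different group name.
        "different_group": sorted(
            g for g in common if short_name(first[g]) != short_name(second[g])),
    }


# Assumes the owner column has no spaces, which holds when the owner is shown
# as a number or as root; `ls -n` gives numeric columns throughout.
LS_RE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>.+?)\s+\d+"
    r"\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>\{[0-9A-Fa-f-]+\})$")


def owners_that_are_groups(listing, groups, uid):
    """Return (entry, owner id, group name) where the owner is a group's ID."""
    flagged = []
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if not m or not m.group("owner").isdigit():
            continue
        owner = int(m.group("owner"))
        if owner != uid and owner in groups:
            flagged.append((m.group("name"), owner, groups[owner]))
    return flagged


if __name__ == "__main__":
    _, _, g_winbindd = parse_id(ID_WINBINDD)
    uid, _, g_winbind = parse_id(ID_WINBIND)
    print(compare_groups(g_winbindd, g_winbind))
    for entry in owners_that_are_groups(LS_WINBIND, g_winbind, uid):
        print("owner is a group ID:", entry)
```
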