Hi everybody!
I have two Samba AD servers (4.2.7-SerNet-Debian-8.wheezy). I am trying to
get GPOs working but I'm facing some problems...
My Samba4 comes from an old Windows AD, so I have launched these commands:
samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
samba-tool ntacl sysvolreset ( that take about 10 minutes to complete )
samba-tool dbcheck --cross-ncs --fix
But the following errors still remain on both servers...
root at S4bis:~# samba-tool dbcheck --cross-ncs --reset-well-known-acls
Checking 7747 objects
ERROR: missing GUID component for ipsecOwnersReference in object
CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,DC=ariane,DC=intra -
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra
unable to find object for DN
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra - (No such Base DN:
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra)
Not removing dangling forward link
Please use --fix to fix these errors
Checked 7747 objects (1 errors)
root at S4bis:~# samba-tool dbcheck --cross-ncs
Checking 7747 objects
ERROR: missing GUID component for ipsecOwnersReference in object
CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,DC=ariane,DC=intra -
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra
unable to find object for DN
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra - (No such Base DN:
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra)
Not removing dangling forward link
Please use --fix to fix these errors
Checked 7747 objects (1 errors)
At the beginning a "samba-tool ntacl sysvolreset" command did work,
but not for long; the only thing I did after that was playing with the
RSAT policy tool... then I thought it was an rsync issue, but now my
sysvol replication works well...
Maybe a stupid question, but is there a way to recreate the sysvol folders
and files?
Thanks for your help!
Sam
also, I'm using a Windows 10 client PC with RSAT tools...

On 17/02/2016 13:42, Sam wrote:
> [...]
Hello,
this error is corrected:
unable to find object for DN
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,*CN=System,CN=System*,DC=ariane,DC=intra - (No such Base DN:
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra)
by deleting one *CN=System* in the path of this AD entry with ADExplorer.exe.
(It seems to appear when doing a Win 2003 DC demotion ->
https://lists.samba.org/archive/samba/2013-July/174585.html)
Now these commands report 0 errors (great!)
root at S4:~# samba-tool dbcheck --cross-ncs --reset-well-known-acls
Checking 7758 objects
Checked 7758 objects (0 errors)
root at S4:~# samba-tool dbcheck --cross-ncs
Checking 7758 objects
Checked 7758 objects (0 errors)
If I create a new GPO, the "samba-tool ntacl sysvolcheck" command returns
this error:
root at S4:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ariane.intra/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Scripts/Logoff
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
does not match expected value
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1647, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
But it can be fixed by the "samba-tool ntacl sysvolreset" command...
...but my GPO still doesn't work... :/
(even with a "samba-ad restart" or a "gpupdate /force" on the
client PC)
Does anyone have a Samba4 DC that came from a Windows 2003 AD with
working GPOs?
Thanks for helping.
See you.
Sam
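To make the two SDDL strings in that sysvolcheck error readable, here is an added example (not Samba's code and not from Sam's mail) that parses both descriptors and lists the differences between the ACE sets instead of comparing raw strings. It assumes the two SDDL values exactly as printed in the error above; the SID alias and access-mask tables are small subsets of the published Windows SDDL tables, and the real samba-tool does not use this code.

```python
"""Decode and diff the two SDDL strings that "samba-tool ntacl sysvolcheck"
printed in the thread.  Added example, not part of Samba or the original
mail.  It compares the ACE sets semantically rather than as raw strings,
so it reports which ACEs the GPO directory is missing and which extra ones
it carries.  The alias and access-mask tables are small subsets of the
published Windows SDDL tables."""
import re
from dataclasses import dataclass

# Constructed from the sysvolcheck error in the thread: the ACL found on the
# USER/Scripts/Logoff directory and the ACL expected from the GPO object.
ACTUAL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
EXPECTED_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;ED)")

# Well-known two-letter SID aliases that appear in sysvol ACLs (subset).
SID_ALIASES = {
    "BA": "Builtin Administrators", "SY": "Local System",
    "AU": "Authenticated Users", "SO": "Server Operators",
    "DA": "Domain Admins", "EA": "Enterprise Admins",
    "CO": "Creator Owner", "ED": "Enterprise Domain Controllers",
    "LA": "Local Administrator",
}
# The two access masks seen in the thread: FILE_ALL_ACCESS and
# FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
ACCESS_MASKS = {"0x001f01ff": "Full control", "0x001200a9": "Read & execute"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}

# Owner, group, DACL control flags, then the parenthesised ACE list; an
# optional SACL ("S:...") may follow and is ignored here.
SD_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied, ...
    flags: str      # inheritance flags, two letters each (OI, CI, IO, ...)
    rights: str     # access mask as written in the SDDL, lower-cased
    sid: str        # trustee: two-letter alias or an S-1-... string


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of Ace."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: security descriptor: %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
        aces.append(Ace(ace_type, flags, rights.lower(), sid))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def describe_ace(ace):
    """Human-readable rendering of one ACE."""
    kind = {"A": "Allow", "D": "Deny"}.get(ace.ace_type, ace.ace_type)
    rights = ACCESS_MASKS.get(ace.rights, ace.rights)
    who = SID_ALIASES.get(ace.sid, ace.sid)
    pairs = [ace.flags[i:i + 2] for i in range(0, len(ace.flags), 2)]
    flags = ",".join(ACE_FLAGS.get(p, p) for p in pairs)
    return "%s %s to %s [%s]" % (kind, rights, who, flags)


def diff_sddl(actual, expected):
    """Compare two descriptors; duplicate ACEs (the expected value above
    lists DA and ED twice) are collapsed before comparison."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    a_set = list(dict.fromkeys(a["aces"]))
    e_set = list(dict.fromkeys(e["aces"]))
    return {
        "owner": (a["owner"], e["owner"]),
        "group": (a["group"], e["group"]),
        "dacl_flags": (a["dacl_flags"], e["dacl_flags"]),
        "missing": [ace for ace in e_set if ace not in a_set],
        "extra": [ace for ace in a_set if ace not in e_set],
    }


def report(actual, expected):
    """Lines a human would rather read than the two raw strings."""
    d = diff_sddl(actual, expected)
    lines = []
    for key in ("owner", "group", "dacl_flags"):
        got, want = d[key]
        if got != want:
            lines.append("%s: found %s, expected %s" % (key, got, want))
    lines += ["missing: " + describe_ace(x) for x in d["missing"]]
    lines += ["extra:   " + describe_ace(x) for x in d["extra"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(ACTUAL_SDDL, EXPECTED_SDDL)))
```

Run on the values from the mail, the report shows the Logoff directory owned by the local administrator instead of Domain Admins, with DACL flags P (protected) rather than PAI (protected, auto-inherited), carrying Builtin Administrators and Server Operators entries that the GPO object does not grant, and lacking the Domain Admins, Enterprise Admins, Creator Owner and Enterprise Domain Controllers entries; that is the set "samba-tool ntacl sysvolreset" writes back, which is why Sam sees it fix the check.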
On 17/02/2016 13:52, Sam wrote:
> also, I'm using a Windows 10 client PC with RSAT tools...
>
> On 17/02/2016 13:42, Sam wrote:
>> [...]
Hi Sam,

Try the following:

1) Ignore these messages:
> If I create a new GPO The "samba-tool ntacl sysvolcheck" command return
> this error :
> root at S4:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> .....

2) Add this line to your sysvol share:
acl_xattr:ignore system acls = yes
No other OS than Windows normally uses this share, so it's safe to ignore the system rights.

3) And check from within Windows the sysvol share rights and the sysvol folder rights. DO NOT CHANGE ANYTHING.
Now it works.. ;-)

If not:
4) Give group "Domain Users" a GID.
Test again. Now it works.

If not... Pff, mail us again. ;-) Something else is wrong.

Greetz,
Louis