See inline comments:

On Thu, 3 Nov 2016 19:17:58 -0200
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:

> Hi Rowland
>
> Following the results to:
>
> *USER:*
> wbinfo --uid-info=10060:
> bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
>

It looks like 'bacci' is a normal user and the owner of the Policies GUID dir should be 'Domain Admins'

> *GROUP:*
> wbinfo --gid-info=30028: Domain Admins

This is where one of the problems starts, a bit of a catch-22 problem: you need to give 'Domain Admins' a gidNumber to be visible to Unix, but if you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can own dirs & files in sysvol.

>
> wbinfo --gid-info=30032: Domain Users
>
> wbinfo --gid-info=30033: Enterprise Admins
>
>
> "I don't see user:3000003"
>
> root@dc1:~# wbinfo -G 3000003
> S-1-5-11
>
> root@dc1:~# wbinfo -s S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11
>

You will need to look inside idmap.ldb to find this.

> I have in my network two DC (Samba 4) and one member File Server
> (Samba 4). When I execute wbinfo -r <user>, I have different results:
>
> root@dc1:~# wbinfo -G 3000000
> S-1-5-32-544
>
> root@dc1o:~# wbinfo -G 30002
> S-1-5-32-544
>
> root@dc1:~# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> The SID to Administrators is 3000000 in DC. In File Server the same
> group is 30002.

Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let samba do this on the DC and set up smb.conf correctly on the domain member. You do this by using 'idmap config * : backend = tdb'

>
> *Different Groups to the same user*
> root@dc1:~# wbinfo -r bacci
> 30011
> 30025
> 30029
> 30030
> 30035
> 30049
> 30052
> 3000000
>
>
> root@server-file:~# wbinfo -r bacci
> 30002
> 30003
> 30025
> 30028
> 30029
> 30030
> 30032
> 30035
> 30049
> 30052
> 30053
>
>
> Regards,
>
> Márcio
>

Rowland
Hi,

bacci user is Domain Admin, because 30049 group is Domain Admin member. I use this user to create GPO.

Following are my configuration files:

*FILE-SERVER - SMB.CONF*
[global]
netbios name = file-server
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM.BR
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map


*DC1 - SMB.CONF*
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No


*DC2 - SMB.CONF*
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = dc2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No


I'm using the "samba-tool drs showrepl" command in DC2 and the result is SUCCESS.

Do I need to remove the Unix attributes of all builtin users (Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users, Domain Admins and Domain Computers groups also need their Unix attributes removed?

Do I just select the "None" option in the Unix Attributes tab (in the RSAT) to remove it?

Must the accounts of the domain computers (joined to the domain) have the Unix attribute?

Is there a way to remove null objects in Samba 4?

*Other Tests*

Result of the "testparm" command:

Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Result of "samba-tool gpo list bacci@empresa.com.br":

ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

Result of "samba-tool gpo listall":

ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 311, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e

Regards,

Márcio

2016-11-03 20:10 GMT-02:00 Rowland Penny via samba <samba at lists.samba.org>:
On Fri, 4 Nov 2016 01:32:44 -0200
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:

> Hi,
>
> bacci user is Domain Admin, because 30049 group is Domain Admin
> member. I use this user to create GPO.
>
> Following are my configuration files:
>
> *FILE-SERVER - SMB.CONF*
> [global]
> netbios name = file-server
> workgroup = EMPRESA
> security = ads
> realm = EMPRESA.COM.BR
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user.map
>
>
> *DC1 - SMB.CONF*
> [global]
> workgroup = EMPRESA
> realm = EMPRESA.COM.BR
> netbios name = DC1
> server role = active directory domain controller
> dns forwarder = 192.168.200.10
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
>
>
> *DC2 - SMB.CONF*
> [global]
> workgroup = EMPRESA
> realm = EMPRESA.COM.BR
> netbios name = dc2
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
>

The only possible problem with your smb.conf files (and it doesn't have anything to do with your problem) is the second DC doesn't have a forwarder.

> I'm using the "samba-tool drs showrepl" command in DC2 and the result is
> SUCCESS.
>
> Do I need to remove the Unix attributes of all builtin users
> (Administrators, Account Operators, Users, Guest, ...)? Do the Domain
> Users, Domain Admins and Domain Computers groups also need their
> Unix attributes removed?

The only group that may need a gidNumber is Domain Admins, the only group that must have a gidNumber is Domain Users and then only if you use the winbind 'ad' backend on a domain member.

> Do I just select the "None" option in the Unix Attributes tab
> (in the RSAT) to remove it?

Yes, this should remove them

> Must the accounts of the domain computers (joined to the domain)
> have the Unix attribute?

No, I have never added them

> Is there a way to remove null objects in Samba 4?

Sorry, I don't understand what you mean by 'null objects'

> *Other Tests*
>
> Result of the "testparm" command:
>
> Load smb config files from /opt/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Result of "samba-tool gpo list bacci@empresa.com.br":
>
> ERROR(runtime): uncaught exception - ('Could not find a DC for
> domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)

This looks like a dns problem, plus the command should be:

samba-tool gpo list bacci

> Result of "samba-tool gpo listall":
> ERROR(runtime): uncaught exception - ('Could not find a DC for
> domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 311, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e
>

This is definitely a dns problem

Rowland
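The idmap points Rowland makes in his two replies (BUILTIN accounts should get no uidNumber/gidNumber; Domain Users needs a gidNumber only when a member uses the 'ad' backend; a group given a gidNumber loses ID_TYPE_BOTH in idmap.ldb; an unknown xid such as 3000003 has to be looked up in idmap.ldb) can be checked mechanically. The script below is an added example, not code from the thread or from Samba: it parses constructed LDIF text shaped like `ldbsearch -H /opt/samba/private/idmap.ldb` output, plus a constructed list of AD group records (sAMAccountName, objectSid, gidNumber), and reports those conditions. The domain SID S-1-5-21-1111-2222-3333 and all numbers are made-up sample values.

```python
"""Cross-check AD RFC2307 ids against a Samba DC's idmap.ldb (added example)."""
import re

# Constructed sample of `ldbsearch -H idmap.ldb` output: three sidMap records.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003

dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 30028
"""

# Constructed sample of AD group objects (gidNumber None = no Unix attribute set).
AD_GROUPS = [
    {"sAMAccountName": "Domain Admins", "objectSid": "S-1-5-21-1111-2222-3333-512", "gidNumber": 30028},
    {"sAMAccountName": "Domain Users", "objectSid": "S-1-5-21-1111-2222-3333-513", "gidNumber": 30032},
    {"sAMAccountName": "Domain Computers", "objectSid": "S-1-5-21-1111-2222-3333-515", "gidNumber": None},
    {"sAMAccountName": "Administrators", "objectSid": "S-1-5-32-544", "gidNumber": 30002},
]

DOMAIN_ADMINS_RID = 512  # well-known RID of Domain Admins
DOMAIN_USERS_RID = 513   # well-known RID of Domain Users


def parse_ldif(text):
    """Split LDIF into blank-line separated records of attribute -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def idmap_by_sid(ldif_text):
    """objectSid -> (xidNumber, type) for every sidMap record."""
    return {r["objectSid"]: (int(r["xidNumber"]), r["type"])
            for r in parse_ldif(ldif_text) if "objectSid" in r}


def sid_for_xid(idmap, xid):
    """The 'look inside idmap.ldb' step: which SID was allocated this xid?"""
    for sid, (num, _) in idmap.items():
        if num == xid:
            return sid
    return None


def is_builtin(sid):
    return sid.startswith("S-1-5-32-")


def rid(sid):
    return int(sid.rsplit("-", 1)[1])


def audit(idmap, groups):
    """Findings (strings) for the three rules stated in the thread."""
    findings = []
    for g in groups:
        name, sid, gid = g["sAMAccountName"], g["objectSid"], g["gidNumber"]
        if is_builtin(sid) and gid is not None:
            findings.append(f"{name} ({sid}) is BUILTIN but carries gidNumber {gid}; "
                            "leave BUILTIN ids to the DC's idmap.ldb")
            continue
        if rid(sid) == DOMAIN_ADMINS_RID and gid is not None:
            mapping = idmap.get(sid)
            if mapping is None or mapping[1] != "ID_TYPE_BOTH":
                findings.append(f"{name} has gidNumber {gid} and no ID_TYPE_BOTH mapping; "
                                "it can no longer own sysvol dirs and files")
        if rid(sid) == DOMAIN_USERS_RID and gid is None:
            findings.append(f"{name} has no gidNumber; required when a member uses "
                            "idmap backend 'ad'")
    return findings
```

On a live DC the same checks run over real `ldbsearch` output of idmap.ldb and of the group objects in sam.ldb.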
Just make it a bit easier for yourself.

Setup sysvol like this.

[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
Or at least check them, the defaults should be ok.

When that's done, go here:
http://trekker.net/archives/group-policy-downloads/
get the ADMX templates you need.

Win 10 build 1607 is not on that site, found here:
https://www.microsoft.com/en-us/download/details.aspx?id=53430

and for others, install this in win 7 and copy the templates to the sysvol.
(located somewhere in programfiles)

Extra usable templates here:
http://winintro.com/

Now, when that's done, and this is more for you.

Does the user bacci need Domain Admin?
Like, is it your replacement for user Administrator? Then that's ok.
If it's a normal user which needs to do GPO stuff, then I suggest adding this user to "Group Policy Creator Owners" and don't abuse the domain admin group.

So this is the basic stuff for a GPO setup.

Now, about the error:
ERROR(runtime): uncaught exception ...
You can ignore it IF you use the parameter: acl_xattr:ignore system acls = yes
Or, move all folders from sysvol, do the sysvol reset, and place the folders back, that can help.

I do advise to set up a GID for "Domain -" Users/Admins/Guest and most important, "Domain Computers" .. now we are getting to your problem.

Due to all MS changes, how policies are applied has changed.

The user setting is not applied anymore by the user, but by the computer.
This is key to remember.

So for every policy you set you need one of these groups.

1) authenticated users (users and computer accounts) (preferred)
2) Domain users + any group; this is a group for applying the GPO.
3) Domain computers / any computer group

In option 1, nothing special is needed.
In option 2, you must set read GPO policies for domain users, and read+apply for the custom group.
In option 3, same as option 2, but this is only for a computer policy.
If you have a problem like: GPO applies from one server, but not from the other DC.
Run: net cache flush
Stop samba on both DCs and copy the idmap.tdb from DC1 to DC2.

About your setup and config, it looks all fine to me, except:

> 117, in dc_url
> raise RuntimeError("Could not find a DC for domain", e

Please post your resolv.conf /etc/hosts /etc/nsswitch.conf
And are you using bind_DLZ or internal samba DNS?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio Bacci via samba
> Sent: Friday 4 November 2016 4:33
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Problems with GPO
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday 4 November 2016 9:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with GPO
>
> On Fri, 4 Nov 2016 01:32:44 -0200
> Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> ...................................
> >
> > Must the accounts of the domain computers (joined to the domain)
> > have the Unix attribute?
>
> No, I have never added them

If you don't add them and the idmap is out of sync somehow, you get GPO errors.
So I suggest, until the BUILTIN\groups are all correctly mapped in samba, give domain computers a GID.
This can really help with GPO problems.

Greetz,

Louis
Hi,

Here are my configuration files (DC1, DC2 and FILE-SERVER)

*DC1*

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1 localhost.localadmin localhost
192.168.200.25 dc1.empresa.com.br dc1

/opt/samba/etc/smb.conf
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes

##################################################

*DC2*

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.10

/etc/hosts
127.0.0.1 localhost.localadmin localhost
192.168.200.4 dc2.empresa.com.br dc2

/opt/samba/etc/smb.conf
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes

######################################################

*FILE-SERVER (DOMAIN MEMBER)*

/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1 localhost
192.168.200.3 file-server.empresa.com.br file-server
192.168.200.25 dc1.empresa.com.br dc1
192.168.200.4 dc2.empresa.com.br dc2

/etc/samba/smb.conf (only a piece)
...
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
...

I copied idmap.ldb from DC1 to DC2, now uidNumber and gidNumber are the same. But on the File Server it is still different from the DC.

I would like to remove objects without references in my Domain (e.g. SID: S-1-22-33-55 "unknown"). Is it possible?

*GPO List still has problems*

root@DC1:/opt/samba/private# samba-tool gpo list ferreira
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

In DC1 there are 2 folders in Sysvol\empresa.com.br: Policies and Scripts. But in DC2, the Policies folder isn't there. Is this normal?

I'm using *INTERNAL Samba DNS*. Following my DNS tests:

root@dc1:~# host -t SRV _ldap._tcp.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.

root@dc1:~# host -t SRV _kerberos._udp.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc1.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc2.empresa.com.br.

root@dc1:~# host -t A dc1.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25

root@dc1:~# host -t A dc2.empresa.com.br.
dc2.empresa.com.br has address 192.168.200.4

Here is the result of the command "samba-tool dns zonelist dc1.empresa.com.br --primary -U administrator":

  3 zone(s) found

  pszZoneName                 : 200.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.empresa.com.br

  pszZoneName                 : empresa.com.br
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.empresa.com.br

  pszZoneName                 : _msdcs.empresa.com.br
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.empresa.com.br

samba-tool dns zoneinfo dc1.empresa.com.br empresa.com.br -U administrator

  pszZoneName                 : empresa.com.br
  dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
  fReverse                    : FALSE
  fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
  fPaused                     : FALSE
  fShutdown                   : FALSE
  fAutoCreated                : FALSE
  fUseDatabase                : TRUE
  pszDataFile                 : None
  aipMasters                  : []
  fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries              : []
  aipNotify                   : []
  fUseWins                    : FALSE
  fUseNbstat                  : FALSE
  fAging                      : FALSE
  dwNoRefreshInterval         : 168
  dwRefreshInterval           : 168
  dwAvailForScavengeTime      : 0
  aipScavengeServers          : []
  dwRpcStructureVersion       : 0x2
  dwForwarderTimeout          : 0
  fForwarderSlave             : 0
  aipLocalMasters             : []
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.empresa.com.br
  pwszZoneDn                  : DC=empresa.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=empresa,DC=com,DC=br
  dwLastSuccessfulSoaCheck    : 0
  dwLastSuccessfulXfr         : 0
  fQueuedForBackgroundLoad    : FALSE
  fBackgroundLoadInProgress   : FALSE
  fReadOnlyZone               : FALSE
  dwLastXfrAttempt            : 0
  dwLastXfrResult             : 0

PS: Now, on some users/computers, my GPO is working. I'm testing only Windows 7 Professional workstations.

Regards,

Márcio

2016-11-04 7:10 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
You do this by using 'idmap config * : backend = tdb' > > > > > > > > > > > > > > *Different Groups to the same user* > > > > root@*dc1*:~# wbinfo -r bacci > > > > 30011 > > > > 30025 > > > > 30029 > > > > 30030 > > > > 30035 > > > > 30049 > > > > 30052 > > > > 3000000 > > > > > > > > > > > > root@*server-file*:~# wbinfo -r bacci > > > > 30002 > > > > 30003 > > > > 30025 > > > > 30028 > > > > 30029 > > > > 30030 > > > > 30032 > > > > 30035 > > > > 30049 > > > > 30052 > > > > 30053 > > > > > > > > > > > > Regards, > > > > > > > > Márcio > > > > > > > > > > Rowland > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > >
Looking at your config setup, I noticed a few things.

DC1.
/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25 (=dc1)
nameserver 192.168.200.10

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4 (dc=2)
nameserver 192.168.200.10

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

I suggest you change your DC resolv.conf setup first and change the following.

DC1.
nameserver 192.168.200.4
nameserver 192.168.200.25

DC2
nameserver 192.168.200.25
nameserver 192.168.200.4

Fileserver
nameserver 192.168.200.4
nameserver 192.168.200.25

And to make sure, run this script to check on database replication errors:
http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
This compares the Samba AD DC databases (up to 10 DCs). There is no need to configure anything in the script.

And based on your config below, I'm guessing your AD DC servers are running backend RID and the file server backend AD.
A mixed setup is, as far as I know, not supported.

Please reread:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Setting_up_the_AD_DNS_back_end
(start, and the second blue part after "Provisioning a Samba Active Directory")
..... However, to enable them in an existing domain requires to manually extend the AD schema. For further details about Unix attributes in AD, see:
* Setting up RFC2307 in AD
* idmap config = ad

Greetz,

Louis

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Saturday 5 November 2016 4:55
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Problems with GPO

Hi,

Here are my configuration files (DC1, DC2 and FILE-SERVER)

DC1

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1 localhost.localadmin localhost
192.168.200.25 dc1.empresa.com.br dc1

/opt/samba/etc/smb.conf
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes

##################################################

DC2

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.10

/etc/hosts
127.0.0.1 localhost.localadmin localhost
192.168.200.4 dc2.empresa.com.br dc2

/opt/samba/etc/smb.conf
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes

######################################################

FILE-SERVER (DOMAIN MEMBER)

/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1 localhost
192.168.200.3 file-server.empresa.com.br file-server
192.168.200.25 dc1.empresa.com.br dc1
192.168.200.4 dc2.empresa.com.br dc2

/etc/samba/smb.conf (only a piece)
...
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999

winbind nss info = rfc2307
...

I copied idmap.ldb from DC1 to DC2; now uidNumber and gidNumber are the same. But on the File Server it is still different from the DC.

I would like to remove objects without references in my domain (e.g. SID: S-1-22-33-55 "unknown"). Is it possible?

GPO list still has problems:

root at DC1:/opt/samba/private# samba-tool gpo list ferreira
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

On DC1 there are 2 folders in Sysvol\empresa.com.br: Policies and Scripts. But on DC2, the Policies folder isn't there. Is this normal?

I'm using INTERNAL Samba DNS. Following are my DNS tests:

root at dc1:~# host -t SRV _ldap._tcp.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.

root at dc1:~# host -t SRV _kerberos._udp.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc1.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc2.empresa.com.br.
root at dc1:~# host -t A dc1.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25

root at dc1:~# host -t A dc2.empresa.com.br.
dc2.empresa.com.br has address 192.168.200.4

Here is the result of the command "samba-tool dns zonelist dc1.empresa.com.br --primary -U administrator":

  3 zone(s) found

  pszZoneName : 200.168.192.in-addr.arpa
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.empresa.com.br

  pszZoneName : empresa.com.br
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.empresa.com.br

  pszZoneName : _msdcs.empresa.com.br
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : ForestDnsZones.empresa.com.br

samba-tool dns zoneinfo dc1.empresa.com.br empresa.com.br -U administrator

  pszZoneName              : empresa.com.br
  dwZoneType               : DNS_ZONE_TYPE_PRIMARY
  fReverse                 : FALSE
  fAllowUpdate             : DNS_ZONE_UPDATE_SECURE
  fPaused                  : FALSE
  fShutdown                : FALSE
  fAutoCreated             : FALSE
  fUseDatabase             : TRUE
  pszDataFile              : None
  aipMasters               : []
  fSecureSecondaries       : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel             : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries           : []
  aipNotify                : []
  fUseWins                 : FALSE
  fUseNbstat               : FALSE
  fAging                   : FALSE
  dwNoRefreshInterval      : 168
  dwRefreshInterval        : 168
  dwAvailForScavengeTime   : 0
  aipScavengeServers       : []
  dwRpcStructureVersion    : 0x2
  dwForwarderTimeout       : 0
  fForwarderSlave          : 0
  aipLocalMasters          : []
  dwDpFlags                : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                : DomainDnsZones.empresa.com.br
  pwszZoneDn               : DC=empresa.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=empresa,DC=com,DC=br
  dwLastSuccessfulSoaCheck : 0
  dwLastSuccessfulXfr      : 0
  fQueuedForBackgroundLoad : FALSE
  fBackgroundLoadInProgress : FALSE
  fReadOnlyZone            : FALSE
  dwLastXfrAttempt         : 0
  dwLastXfrResult          : 0

PS: Now, on some users/computers, my GPO is working. I'm testing only Windows 7 Professional workstations.

Regards,

Márcio

2016-11-04 7:10 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:

Just make it yourself a bit more easy.

Setup sysvol like this.

[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
Or at least check them, the defaults should be ok.

When that's done, go here:
http://trekker.net/archives/group-policy-downloads/
Get the ADMX templates you need.
Win 10 build 1607 is not on that site, found here:
https://www.microsoft.com/en-us/download/details.aspx?id=53430
and for others, install this in Win 7 and copy the templates to the sysvol (located somewhere in Program Files).
Extra usable templates here: http://winintro.com/

Now, when that's done, and this is more for you:
Does the user bacci need Domain Admin? Like, is it your replacement for user Administrator? Then that's ok.
If it's a normal user which needs to do GPO stuff, then I suggest adding this user to "Group Policy Creator Owners" and don't abuse the domain admin group.

So this is the basic stuff for a GPO setup.

Now, about the error:
ERROR(runtime): uncaught exception ...
You can ignore it IF you use the parameter:
acl_xattr:ignore system acls = yes
Or, move all folders from sysvol, do the sysvol reset, and place the folders back; that can help.

I do advise to set up GIDs for "Domain -" Users/Admins/Guest and, most important, "Domain Computers".

Now we are getting to your problem.
Due to all MS changes, how policies are applied has changed.
The user setting is not applied anymore by the user, but by the computer. This is key to remember.
So for every policy you set you need one of these groups.
1) authenticated users (users and computer accounts) (preferred)
2) Domain users + any group; this is a group for applying the GPO.
3) Domain computers / any computer group

In option 1, nothing special is needed.
In option 2, you must set read GPO policies for domain users, and read+apply for the custom group.
In option 3, same as option 2, but this is only for a computer policy.

If you have a problem like: GPO applies from one server, but not from the other DC.
Run: net cache flush
Stop samba on both DCs and copy the idmap.tdb from DC1 to DC2.

About your setup and config, looks all fine to me, except:
> 117, in dc_url
> raise RuntimeError("Could not find a DC for domain", e

Please post your resolv.conf /etc/hosts /etc/nsswitch.conf
And are you using bind_DLZ or internal samba DNS?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio
> Bacci via samba
> Sent: Friday 4 November 2016 4:33
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Problems with GPO
>
> Hi,
>
> bacci user is Domain Admin, because 30049 group is Domain Admin member. I
> use this user to create GPO.
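The two configuration points raised in this thread, Louis's remark that the DCs' resolv.conf should list the DCs (not the 192.168.200.10 forwarder) and the idmap discussion (Rowland's 'idmap config * : backend = tdb' on the member, Louis's warning about a mixed backend setup), can be turned into a check that runs against the posted files. The code below is an added example written for this page, not a script from Samba or from any of the participants. The resolv.conf, host output and smb.conf fragment are copied from the thread; the function names, the "every nameserver must be a DC" rule and the non-overlapping-range rule are my assumptions.

```python
"""Consistency checks for the Samba AD setup posted in the thread.

Added example, not part of Samba. Sample inputs are copied from the
thread (resolv.conf, `host` output, member smb.conf idmap lines); the
constructed bad configuration in the test is for illustration only.
"""
import re

# Sample copied from the thread: DC1's /etc/resolv.conf.
DC1_RESOLV_CONF = """\
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10
"""

# Sample copied from the thread: `host -t SRV` and `host -t A` output.
HOST_OUTPUT = """\
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25
dc2.empresa.com.br has address 192.168.200.4
"""

# Sample copied from the thread: idmap lines of the member server's smb.conf.
MEMBER_SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
"""

SRV_RE = re.compile(r"^(\S+) has SRV record \d+ \d+ \d+ (\S+?)\.?$")
A_RE = re.compile(r"^(\S+?)\.? has address (\S+)$")


def dc_addresses(host_output):
    """IPv4 addresses of the hosts advertised in _ldap._tcp SRV records."""
    dc_names, addr_of = set(), {}
    for line in host_output.splitlines():
        line = line.strip()
        m = SRV_RE.match(line)
        if m and m.group(1).startswith("_ldap._tcp."):
            dc_names.add(m.group(2).rstrip("."))
            continue
        m = A_RE.match(line)
        if m:
            addr_of[m.group(1)] = m.group(2)
    return {addr_of[n] for n in dc_names if n in addr_of}


def nameservers(resolv_conf):
    """Nameserver addresses in resolv.conf order."""
    return [parts[1] for parts in (l.split() for l in resolv_conf.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]


def check_resolv_conf(resolv_conf, host_output):
    """Nameservers that are not AD DCs; clients using them may miss the SRV records."""
    dcs = dc_addresses(host_output)
    return [ns for ns in nameservers(resolv_conf) if ns not in dcs]


IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(smb_conf):
    """{domain: {key: value}} for every 'idmap config' line in an smb.conf."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg


def check_idmap(smb_conf):
    """Problems found: default domain '*' not on tdb, or overlapping ID ranges."""
    cfg = parse_idmap(smb_conf)
    problems = []
    if cfg.get("*", {}).get("backend") != "tdb":
        problems.append("default domain '*' should use backend = tdb")
    ranges = []
    for dom, keys in cfg.items():
        if "range" in keys:
            lo, hi = (int(x) for x in keys["range"].split("-"))
            ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])
    for (d1, _lo1, hi1), (d2, lo2, _hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append("ranges of %s and %s overlap" % (d1, d2))
    return problems


if __name__ == "__main__":
    print("non-DC nameservers on DC1:", check_resolv_conf(DC1_RESOLV_CONF, HOST_OUTPUT))
    print("member idmap problems:", check_idmap(MEMBER_SMB_CONF))
```

Run against the posted files it flags 192.168.200.10 on DC1 (the forwarder, which is not a DC and so cannot answer the _ldap._tcp lookups a DC-less resolver would need), and reports no problem with the member server's idmap lines, since the '*' domain is on tdb and the 1000-3000 and 10000-9999999 ranges do not overlap.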
On 2016-11-04 at 10:10, L.P.H. van Belle via samba wrote:
> Just make it yourself a bit more easy.
>
> Setup sysvol like this.
>
> [sysvol]
> path = /home/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = yes
>
> Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
> Or at least check them, the defaults should be ok.

I get errors around inconsistent permissions for SYSVOL. Share is set up as mentioned above.
Whom should I chown that dir to on Linux level?
Should I run or avoid that sysvolreset thingy?

thx
getting there slowly ;-)