Richard
2017-Jan-12 16:41 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi Andrew, thanks so much for the feedback.

Yes, you're 100% right. I'm new at this and originally changed the default GPO, however subsequently reset the default and created a new GPO. (so this getfacl output is post creation of a new GPO)

The getfacl output is shown here:

# getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 18:07
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 7:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>
> I now need to set up a group policy on the DC but I am having problems with the internal sysvol and netlogon shares.
>
> Via the Windows Group Policy Manager snap-in I successfully created a GPO specifying the DC as the primary time source for all clients, using the Administrator user
>
> ...but my windows domain test client "ignores" the new policy completely and in the event log on the client I see the following:
>
> The processing of Group Policy failed. Windows attempted to read the file \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F-00C04FB984F9%7d/gpt.ini> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
>
> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>
> c) The Distributed File System (DFS) client has been disabled.
>
> On further investigation on the domain controller itself:
>
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>
> returns a valid directory listing, but running the same command for any other valid domain account returns:
>
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
> NT_STATUS_ACCESS_DENIED listing \*
>
> ...so it appears that normal domain accounts are unable to access the sysvol share, which would explain the error returned by the windows client. (the same applies to the netlogon share)
>
> Among other things, I have run:
>
> samba-tool ntacl sysvolreset
>
> but the problem persists.
>
> So it appears there is something wrong with the permissions on these shares but I am at my wit's end trying to correct the issue.
>
> Any help would be greatly appreciated!
>
> Thanks in advance
>
> Richard

It looks as if you are trying to modify the default domain policy GPO? I normally don't touch that policy but create additional ones. What is the output of

getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/

Can you create a new GPO with your settings and check the permissions again?
--
- James

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
lingpanda101
2017-Jan-12 17:09 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On 1/12/2017 11:41 AM, Richard via samba wrote:
> [...]
It looks as if you are using 'idmap_ldb:use rfc2307 = Yes' in your smb.conf? It also looks as if you have given 'Domain Admins' a GID number? I have noticed problems in the past if I gave Domain Admins a GID. I would remove it. It also looks as if you may have given Administrator a UID? After removing the UID and GID attempt to reset your sysvol. What is the output of the following before you do though?

wbinfo --gid-info=10013
wbinfo --gid-info=10014
wbinfo --uid-info=3000000
wbinfo --uid-info=3000008

--
- James
Richard
2017-Jan-12 18:46 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi James

The output is as follows...

wbinfo --gid-info=10013 => CT\domain admins:x:10013:
wbinfo --gid-info=10014 => CT\domain users:x:10014:
wbinfo --uid-info=3000000 => BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem
Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem
No I haven't set a UID or GID for Administrator
I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?

Please let me know if I should go ahead and remove the GIDs from "domain admins" and "domain users"

thanks again!

Richard

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 19:09
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 11:41 AM, Richard via samba wrote:
> [...]
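The double mapping James is pointing at, as an added diagnostic (not code from the thread or from Samba): it parses the getfacl and wbinfo output quoted above, copied here as constructed inline strings, and reports principals that winbind returns under two different numeric ids, plus ACL ids the lookup table cannot name. The lookup table holds only the four wbinfo answers Richard posted, so any other id in the ACL is reported as unresolved by the sample, which says nothing about the real domain.

```python
import re
from collections import defaultdict

# Constructed from the getfacl output in the thread (access ACL, trimmed).
GETFACL = """\
# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
group::rwx
group:10013:rwx
group:10014:r-x
mask::rwx
other::---
"""

# Constructed from the four wbinfo answers in the thread: (kind, id) -> name.
# 'domain admins' answers as gid 10013 (rfc2307 gidNumber) and as uid 3000008
# (idmap.ldb xid), which is the double mapping under discussion.
WBINFO = {
    ("gid", 10013): "CT\\domain admins",
    ("gid", 10014): "CT\\domain users",
    ("uid", 3000000): "BUILTIN\\administrators",
    ("uid", 3000008): "CT\\domain admins",
}

def acl_ids(text):
    """Numeric (kind, id) pairs the ACL refers to; named entries are skipped."""
    ids = set()
    for line in text.splitlines():
        m = re.match(r"# group: (\d+)$", line)
        if m:
            ids.add(("gid", int(m.group(1))))
            continue
        m = re.match(r"(user|group):(\d+):", line)
        if m:
            ids.add(("uid" if m.group(1) == "user" else "gid", int(m.group(2))))
    return sorted(ids)

def duplicate_principals(lookup):
    """Names winbind hands back under more than one numeric id."""
    by_name = defaultdict(set)
    for (_kind, num), name in lookup.items():
        by_name[name].add(num)
    return {n: sorted(ids) for n, ids in by_name.items() if len(ids) > 1}

def unresolved(acl, lookup):
    """ACL ids the lookup table cannot name (here: ids the thread never queried)."""
    return [pair for pair in acl if pair not in lookup]
```

Run against a live DC, the lookup table would be filled from `wbinfo --gid-info` / `wbinfo --uid-info` for every id acl_ids() returns; a name appearing twice in duplicate_principals() is the condition to clear before running `samba-tool ntacl sysvolreset` again.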