Richard
2017-Jan-12 18:46 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi James

The output is as follows...

wbinfo --gid-info=10013 => CT\domain admins:x:10013:

wbinfo --gid-info=10014 => CT\domain users:x:10014:

wbinfo --uid-info=3000000 => BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false

wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem

Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem

No I haven't set a UID or GID for Administrator

I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?

Please let me know if I should go ahead and remove the GIDs from "domain admins" and "domain users"

thanks again!

Richard

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 19:09
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 11:41 AM, Richard via samba wrote:
> Hi Andrew,
>
> thanks so much for the feedback.
>
> Yes, you're 100% right. I'm new at this and originally changed the default GPO, however subsequently reset the default and created a new GPO. (so this getfacl output is post creation of a new GPO)
>
> The getfacl output is shown here:
>
> # getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> # owner: root
> # group: 10013
> user::rwx
> user:root:rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000010:r-x
> group::rwx
> group:10013:rwx
> group:10014:r-x
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:10013:rwx
> default:group:10014:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: 12 January 2017 18:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>
> On 1/12/2017 7:07 AM, Richard via samba wrote:
>> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>>
>> I now need to set up a group policy on the DC but I am having problems with the internal sysvol and netlogon shares.
>>
>> Via the Windows Group Policy Manager snap-in I successfully created a GPO specifying the DC as the primary time source for all clients, using the Administrator user
>>
>> ...but my windows domain test client "ignores" the new policy completely and in the event log on the client I see the following:
>>
>> The processing of Group Policy failed. Windows attempted to read the file \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>
>> a) Name Resolution/Network Connectivity to the current domain controller.
>>
>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>
>> c) The Distributed File System (DFS) client has been disabled.
>>
>> On further investigation on the domain controller itself:
>>
>> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>>
>> returns a valid directory listing, but running the same command for any other valid domain account returns:
>>
>> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>> NT_STATUS_ACCESS_DENIED listing \*
>>
>> ...so it appears that normal domain accounts are unable to access the sysvol share, which would explain the error returned by the windows client. (the same applies to the netlogon share)
>>
>> Among other things, I have run:
>>
>> samba-tool ntacl sysvolreset
>>
>> but the problem persists.
>>
>> So it appears there is something wrong with the permissions on these shares but I am at my wits end trying to correct the issue.
>>
>> Any help would be greatly appreciated!
>>
>> Thanks in advance
>>
>> Richard
>>
> It looks as if you are trying to modify the default domain policy GPO? I normally don't touch that policy but create additional ones. What is the output of
>
> getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>
> Can you create a new GPO with your settings and check the permissions again?
>
> --
> - James
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
It looks as if you are using 'idmap_ldb:use rfc2307 = Yes' in your smb.conf? It also looks as if you have given 'Domain Admins' a GID number? I have noticed problems in the past if I gave Domain Admins a GID. I would remove it. It also looks as if you may have given Administrator a UID? After removing the UID and GID attempt to reset your sysvol. What is the output of the following before you do though?

wbinfo --gid-info=10013

wbinfo --gid-info=10014

wbinfo --uid-info=3000000

wbinfo --uid-info=3000008

--
- James
lingpanda101
2017-Jan-12 19:07 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On 1/12/2017 1:46 PM, Richard via samba wrote:
> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>
> wbinfo --gid-info=10014 => CT\domain users:x:10014:
>
> wbinfo --uid-info=3000000 => BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
>
> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
>
> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem
>
> Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem
>
> No I haven't set a UID or GID for Administrator
>
> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?
>
> Please let me know if I should go ahead and remove the GIDs from "domain admins" and "domain users"
>
> thanks again!
>
> Richard
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: 12 January 2017 19:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>
> It looks as if you are using 'idmap_ldb:use rfc2307 = Yes' in your smb.conf? It also looks as if you have given 'Domain Admins' a GID number? I have noticed problems in the past if I gave Domain Admins a GID. I would remove it. It also looks as if you may have given Administrator a UID? After removing the UID and GID attempt to reset your sysvol. What is the output of the following before you do though?
>
> wbinfo --gid-info=10013
>
> wbinfo --gid-info=10014
>
> wbinfo --uid-info=3000000
>
> wbinfo --uid-info=3000008
>
> --
> - James
>
Just remove the domain admins GID. Afterwards run sysvolreset and post the getfacl command again on GPO.

--
- James
Rowland Penny
2017-Jan-12 19:09 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On Thu, 12 Jan 2017 20:46:15 +0200
Richard via samba <samba at lists.samba.org> wrote:

> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>
> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'

> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem

See above and I would suggest removing the gidNumber, then run 'net cache flush'

> Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem

No that is OK

> No I haven't set a UID or GID for Administrator

Good, you just turn Administrator into a normal Unix user if you do.

> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?

No, you need it

Rowland
lingpanda101
2017-Jan-12 19:24 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On 1/12/2017 2:09 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jan 2017 20:46:15 +0200
> Richard via samba <samba at lists.samba.org> wrote:
>
>> Hi James
>>
>> The output is as follows...
>>
>> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>>
>> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
> If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'
>
>> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem
> See above and I would suggest removing the gidNumber, then run 'net cache flush'
>
>> Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem
> No that is OK
>
>> No I haven't set a UID or GID for Administrator
> Good, you just Administrator into a normal Unix user if you do.
>
>> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?
> No, you need it
>
> Rowland
>
I'm hoping if you remove the domain admins GID and run sysvolreset, it will put the ownership back to

# file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008

Yours currently is

# owner: root
# group: 10013

--
- James
Richard
2017-Jan-12 19:47 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi Rowland,

I've done the below and retried to log on as a normal user, but sadly:

C:\> gpupdate /force

still returns

The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Also a normal domain user still can't get a listing on sysvol

smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*

but Administrator can fine:

smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
  .                                   D        0  Thu Jan 12 20:58:10 2017
  ..                                  D        0  Thu Jan 12 21:21:00 2017
  ct.mydomain.com                     D        0  Thu Feb 18 00:16:24 2016

                244669724 blocks of size 1024. 235669456 blocks available

Also, I've rerun getfacl and I see that GID 10013 still exists for both group and other, even though I have removed it from "domain admins"

group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

so not really sure where to go from here

(btw - I won't keep saying thank you but just to let you know that I really really appreciate all the help you guys are giving on this)

Richard

PS - I just thought it may be worthwhile pasting my smb.conf file here (domain name and forwarder ips changed)

[global]
        workgroup = CT
        realm = ct.mydomain.com
        netbios name = DC1
        server role = active directory domain controller
        allow dns updates = nonsecure and secure
        dns forwarder = 1.2.3.4 10.20.30.40
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 12 January 2017 21:10
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On Thu, 12 Jan 2017 20:46:15 +0200
Richard via samba <samba at lists.samba.org> wrote:

> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>
> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'

> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem

See above and I would suggest removing the gidNumber, then run 'net cache flush'

> Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem

No that is OK

> No I haven't set a UID or GID for Administrator

Good, you just Administrator into a normal Unix user if you do.

> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?

No, you need it

Rowland
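As an added example (not code from the thread or from the Samba project), a small Python audit of a sysvol GPO directory's getfacl output along the lines of the diagnosis above: it parses the POSIX ACL, separates numeric ids that came from rfc2307 uidNumber/gidNumber values from xids allocated by idmap.ldb (the 3000000 lower bound is this example's assumption of Samba's default), and checks the owner and group against the 3000008:3000008 James expects after sysvolreset.

```python
"""Audit a sysvol GPO directory ACL (getfacl output) for rfc2307-derived ids.
Added example, not code from the samba list thread. Assumption: Samba's
idmap.ldb allocates xids from 3000000 upward (its default lower bound), so
numeric principals below that came from rfc2307 uidNumber/gidNumber values."""

XID_BASE = 3000000  # assumed default idmap.ldb lower bound for allocated xids

# Constructed sample: the ACL Richard posted, with most entries trimmed.
SAMPLE_GETFACL = """\
# file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 10013
user::rwx
user:3000002:rwx
group::rwx
group:10013:rwx
group:10014:r-x
mask::rwx
other::---
default:group:10013:rwx
default:group:10014:r-x
"""

def parse_getfacl(text):
    """Parse getfacl(1) output into {'path','owner','group','entries'}; an entry is (tag, qualifier, perms, is_default)."""
    acl = {"path": "", "owner": "", "group": "", "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # header: "# file: ...", "# owner: root", ...
            key, _, value = line[1:].partition(":")
            key = key.strip()
            if key in ("file", "owner", "group"):
                acl["path" if key == "file" else key] = value.strip()
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")  # "group:10013:rwx" or "user::rwx"
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL entry: {raw!r}")
        acl["entries"].append((parts[0], parts[1], parts[2], is_default))
    return acl

def rfc2307_ids(acl, xid_base=XID_BASE):
    """Numeric user/group qualifiers below the xid base, i.e. rfc2307-derived."""
    return sorted({int(q) for tag, q, _p, _d in acl["entries"]
                   if tag in ("user", "group") and q.isdigit() and int(q) < xid_base})

def stale_ids(acl, still_assigned, xid_base=XID_BASE):
    """rfc2307 ids left in the ACL that no AD object carries any more: in the thread
    Domain Admins lost gidNumber 10013 while Domain Users kept 10014, so 10013 is
    stale; the advice was 'net cache flush' then sysvolreset to rewrite the ACL."""
    return [i for i in rfc2307_ids(acl, xid_base) if i not in still_assigned]

def ownership_matches(acl, expected_uid, expected_gid):
    """Owner/group check against the xids expected after a reset (James expected
    3000008:3000008, Domain Admins' allocated xid, in the thread)."""
    return acl["owner"] == str(expected_uid) and acl["group"] == str(expected_gid)
```

Run it against a real `getfacl` capture of the Policies/{GUID} directory to see which numeric principals would survive a gidNumber removal and whether the owner has moved to the allocated xid.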