Richard
2017-Jan-12 21:20 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
cool!

root at dc1:~ # wbinfo -r richard.h
10001
3000008
10000
10014
10004
10005
3000005
3000009
3000000

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 22:57
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 3:47 PM, Richard via samba wrote:
> Hi
>
> root at dc1:~ # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes
> ...some error information...
> Checked 3647 objects (2 errors)
> root at dc1:~ # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
> Checking 3647 objects
> Checked 3647 objects (0 errors)
>
> root at dc1:~ # getfacl /usr/local/samba/var/locks/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> gpupdate /force still fails :o(
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: 12 January 2017 22:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>
> On 1/12/2017 3:25 PM, Richard via samba wrote:
>> Hi
>>
>> here are the commands in the order I ran them:
>>
>> root at dc1:~ # systemctl stop samba
>> root at dc1:~ # net cache flush
>> root at dc1:~ # samba-tool ntacl sysvolreset
>> root at dc1:~ # net cache flush
>> root at dc1:~ # samba-tool ntacl sysvolcheck
>> root at dc1:~ # systemctl start samba
>> root at dc1:~ # smbclient //localhost/sysvol -UAdministrator -c 'ls'
>> Enter Administrator's password:
>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>   .                                   D        0  Thu Jan 12 22:14:18 2017
>>   ..                                  D        0  Thu Jan 12 22:14:45 2017
>>   ct.mydomain.com                     D        0  Thu Feb 18 00:16:24 2016
>>
>>                 244669724 blocks of size 1024. 235669260 blocks available
>> root at dc1:~ # smbclient //localhost/sysvol -Urichard.h -c 'ls'
>> Enter richard.h's password:
>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>> NT_STATUS_ACCESS_DENIED listing \*
>> root at dc1:~ #
>>
>> then on the client:
>>
>> C:\WINDOWS\system32>gpupdate /force
>> Updating policy...
>>
>> Computer policy could not be updated successfully. The following errors were encountered:
>>
>> The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\SysVol\ct.mydomain.com\Policies\{073A6C41-BE24-4CA2-8F00-386A9F2D3908}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>> a) Name Resolution/Network Connectivity to the current domain controller.
>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>> c) The Distributed File System (DFS) client has been disabled.
>> User Policy could not be updated successfully. The following errors were encountered:
>>
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
>> Sent: 12 January 2017 21:54
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>>
>> On 1/12/2017 2:47 PM, Richard via samba wrote:
>>> Hi Rowland,
>>>
>>> I've done the below and retried to log on as a normal user, but sadly:
>>>
>>> C:\> gpupdate /force still returns
>>>
>>> The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>> c) The Distributed File System (DFS) client has been disabled.
>>>
>>> Also a normal domain user still can't get a listing on sysvol
>>>
>>> smbclient //localhost/sysvol -Urichard.h -c 'ls'
>>> Enter richard.h's password:
>>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>> NT_STATUS_ACCESS_DENIED listing \*
>>>
>>> but Administrator can fine:
>>>
>>> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>>> Enter Administrator's password:
>>> Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>>   .                                   D        0  Thu Jan 12 20:58:10 2017
>>>   ..                                  D        0  Thu Jan 12 21:21:00 2017
>>>   ct.mydomain.com                     D        0  Thu Feb 18 00:16:24 2016
>>>
>>>                 244669724 blocks of size 1024. 235669456 blocks available
>>>
>>> Also, I've rerun getfacl and I see that GID 10013 still exists for both group and other, even though I have removed it from "domain admins"
>>>
>>> group::rwx
>>> group:10013:rwx
>>> group:10014:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> group:3000006:rwx
>>> group:3000010:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:user:3000006:rwx
>>> default:user:3000010:r-x
>>> default:group::---
>>> default:group:10013:rwx
>>> default:group:10014:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:group:3000006:rwx
>>> default:group:3000010:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> so not really sure where to go from here
>>>
>>> (btw - I won't keep saying thank you but just to let you know that I really really appreciate all the help you guys are giving on this)
>>>
>>> Richard
>>>
>>> PS - I just thought may be worthwhile pasting my smb.conf file here (domain name and forwarder ips changed)
>>>
>>> [global]
>>>     workgroup = CT
>>>     realm = ct.mydomain.com
>>>     netbios name = DC1
>>>     server role = active directory domain controller
>>>
>>>     allow dns updates = nonsecure and secure
>>>
>>>     dns forwarder = 1.2.3.4 10.20.30.40
>>>     idmap_ldb:use rfc2307 = yes
>>>
>>>     ldap server require strong auth = no
>>>
>>> [netlogon]
>>>     path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
>>>     read only = No
>>>
>>> [sysvol]
>>>     path = /usr/local/samba/var/locks/sysvol
>>>     read only = No
>>>
>>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
>>> Sent: 12 January 2017 21:10
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>>>
>>> On Thu, 12 Jan 2017 20:46:15 +0200
>>> Richard via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi James
>>>>
>>>> The output is as follows...
>>>>
>>>> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>>>>
>>>> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
>>>
>>> If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'
>>>
>>>> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem
>>>
>>> See above and I would suggest removing the gidNumber, then run 'net cache flush'
>>>
>>>> Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem
>>>
>>> No that is OK
>>>
>>>> No I haven't set a UID or GID for Administrator
>>>
>>> Good, you just turn Administrator into a normal Unix user if you do.
>>>
>>>> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?
>>>
>>> No, you need it
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>> Did you run 'net cache flush'?
>>
>> --
>> - James
>
> What is the output of the below now?
>
> getfacl /usr/local/samba/var/locks/sysvol/
>
> You may also need to run
>
> samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
>
> --
> - James

Progress

What is the output of 'wbinfo -r richard.h'

--
- James
Richard
2017-Jan-12 21:33 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
I'm not sure if of value but here also is the richard.h group information as reported by Windows on the client:

C:\WINDOWS\system32>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================================
CT\osDirector                               Group            S-1-5-21-962076006-582617201-2751578557-1107  Mandatory group, Enabled by default, Enabled group
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                      Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Performance Log Users               Alias            S-1-5-32-559                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                    Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                               Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                       Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
CT\Domain Admins                            Group            S-1-5-21-962076006-582617201-2751578557-512   Mandatory group, Enabled by default, Enabled group
CT\Denied RODC Password Replication Group   Alias            S-1-5-21-962076006-582617201-2751578557-572   Mandatory group, Enabled by default, Enabled group
CT\osDevelopment                            Group            S-1-5-21-962076006-582617201-2751578557-1110  Mandatory group, Enabled by default, Enabled group
CT\osSecurity                               Group            S-1-5-21-962076006-582617201-2751578557-1111  Mandatory group, Enabled by default, Enabled group
CT\osVPN                                    Group            S-1-5-21-962076006-582617201-2751578557-1112  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label  Label            S-1-16-12288
Richard
2017-Jan-15 18:30 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
I remain baffled as to why richard.h cannot access the sysvol share.

Permissions all seem ok from what I can see and I'm not sure why this should be any different from normal AD share behaviour (our other shares are working fine for domain users).

I would really appreciate it if someone could let me know whether the sysvol has become corrupt in some way and I am wasting my time even trying to sort this out.

thanks
Rowland Penny
2017-Jan-15 19:05 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On Sun, 15 Jan 2017 20:30:25 +0200
Richard via samba <samba at lists.samba.org> wrote:

> I remain baffled as to why richard.h cannot access the sysvol share.
>
> Permissions all seem ok from what I can see and I'm not sure why this should be any different from normal AD share behaviour (our other shares are working fine for domain users)
>
> I would really appreciate it if someone could let me know whether the sysvol has become corrupt in some way and I am wasting my time even trying to sort this out.
>
> thanks

I have thought about this and notice that you gave 'Domain Admins' a gidNumber (which you have now removed), but 'getfacl' only showed the number not the group name. This makes me wonder if you have set up the libnss_winbind links etc.

If you haven't, or don't know what I mean, see here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Rowland
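Rowland's observation, that getfacl printed bare numbers where a DC with the libnss_winbind links in place would print DOMAIN\name, can be turned into a quick check. The shell script below is an added example and is not from the thread or the Samba project: it parses getfacl output (a constructed sample trimmed from the listings Richard posted), lists every user or group ACL entry that is still a bare numeric id, and counts how many entries still refer to one particular id, such as the gidNumber 10013 that was removed from Domain Admins but survived in the ACL. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread): flag ACL entries that getfacl
# prints as bare numeric IDs. On a Samba AD DC where libnss_winbind is wired
# into /etc/nsswitch.conf, getfacl resolves xidNumbers to DOMAIN\name; a bare
# number such as 3000000 means NSS could not map it, and an id like 10013 that
# no longer exists in the directory is a stale entry baked into the on-disk ACL.

# Constructed sample, trimmed from the getfacl output posted in the thread.
SAMPLE_ACL='# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:10013:rwx
group:3000002:rwx
mask::rwx
other::---
default:user::rwx
default:group:10013:rwx
default:other::---'

# unresolved_acl_ids TEXT
# Prints one "type:id" (or "default:type:id") line for every named user/group
# entry whose qualifier is all digits. Comment lines and the owner/owning-group
# base entries (empty qualifier) are skipped.
unresolved_acl_ids() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        ($1 == "user" || $1 == "group") && $2 ~ /^[0-9]+$/ {
            print $1 ":" $2
        }
        $1 == "default" && ($2 == "user" || $2 == "group") && $3 ~ /^[0-9]+$/ {
            print $1 ":" $2 ":" $3
        }'
}

# count_unresolved TEXT
# Number of unresolved entries; 0 means every entry mapped to a name.
count_unresolved() {
    unresolved_acl_ids "$1" | awk 'END { print NR }'
}

# count_id_entries TEXT ID
# How many unresolved entries reference one specific id, e.g. a gidNumber that
# was removed from the directory but is still present in the ACL.
count_id_entries() {
    unresolved_acl_ids "$1" | awk -F: -v id="$2" '$NF == id { n++ } END { print n + 0 }'
}

# On the DC itself (assumes getfacl is installed) the same check is:
#   unresolved_acl_ids "$(getfacl -p /usr/local/samba/var/locks/sysvol/)"
#   count_id_entries "$(getfacl -p /usr/local/samba/var/locks/sysvol/)" 10013
```

Once the winbind NSS links are in place, every domain id in the listing should resolve and count_unresolved should report 0 for the sysvol tree; an entry that still shows as a number at that point is one the directory no longer knows about, like the 10013 entries in Richard's earlier listing, and is the thing to clean up before re-testing the share.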