samba - Jan 2017 - Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On Sun, 15 Jan 2017 20:30:25 +0200
Richard via samba <samba at lists.samba.org> wrote:
> I remain baffled as to why richard.h cannot access the sysvol share. 
> 
> Permissions all seem ok from what I can see and I'm not sure why this
> should be any different from normal AD share behaviour (our other
> shares are working fine for domain users)
> 
> I would really appreciate it if someone could let me know whether the
> sysvol has become corrupt in some way and  I am wasting my time even
> trying to sort this out.
> 
> thanks
> 
I have thought about this and notice that you gave 'Domain Admins' a
gidNumber (which you have now removed), but 'getfacl' only showed the
number not the group name. This makes me wonder if you have set up the
libnss_winbind links etc. If you haven't, or don't know what I mean,
see here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Rowland

Hi Rowland,

100% ! I hadn't set up the libnss_winbind links.

I have now done this using:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ldconfig

When I test as follows all looks good:

root at dc1:~ # wbinfo --ping-dc
checking the NETLOGON for domain[CT] dc connection to
"dc1.ct.mydomain.com" succeeded

but for some reason I don’t understand "getent" still doesn't work
when executed on the DC

root at dc1:~ # getent passwd richard.h
root at dc1:~ #

If I do the same on one of the domain members  it works fine...

root at office1:~ # getent passwd richard.h
richard.h:*:10010:10001::/home/ richard.h:/bin/bash


I'm pretty sure I'm doing the same pam / nsswitch setup on the DC as I
did on the domain members (not sure whether relevant but the domain members are
running standard CentOS 7 Samba 4.4.4 packages)

do you possibly have any idea why getent isn't working on the domain
controller?

thanks!


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: 15 January 2017 21:05
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up
Group Policies

On Sun, 15 Jan 2017 20:30:25 +0200
Richard via samba <samba at lists.samba.org> wrote:
> I remain baffled as to why richard.h cannot access the sysvol share. 
> 
> Permissions all seem ok from what I can see and I'm not sure why this 
> should be any different from normal AD share behaviour (our other 
> shares are working fine for domain users)
> 
> I would really appreciate it if someone could let me know whether the 
> sysvol has become corrupt in some way and  I am wasting my time even 
> trying to sort this out.
> 
> thanks
> 
I have thought about this and notice that you gave 'Domain Admins' a
gidNumber (which you have now removed), but 'getfacl' only showed the
number not the group name. This makes me wonder if you have set up the
libnss_winbind links etc. If you haven't, or don't know what I mean, see
here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Sun, 15 Jan 2017 22:52:03 +0200
Richard via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
> 
> 100% ! I hadn't set up the libnss_winbind links.
> 
> I have now done this using:
> 
> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
> # ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
> # ldconfig
> 
> When I test as follows all looks good:
> 
> root at dc1:~ # wbinfo --ping-dc
> checking the NETLOGON for domain[CT] dc connection to
> "dc1.ct.mydomain.com" succeeded
> 
> but for some reason I don’t understand "getent" still doesn't
work
> when executed on the DC
> 
> root at dc1:~ # getent passwd richard.h
> root at dc1:~ #
> 
> If I do the same on one of the domain members  it works fine...
> 
> root at office1:~ # getent passwd richard.h
> richard.h:*:10010:10001::/home/ richard.h:/bin/bash
> 
> 
> I'm pretty sure I'm doing the same pam / nsswitch setup on the DC
as
> I did on the domain members (not sure whether relevant but the domain
> members are running standard CentOS 7 Samba 4.4.4 packages)
> 
> do you possibly have any idea why getent isn't working on the domain
> controller? 
> 
> thanks!
> 
> 
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba Sent: 15 January 2017 21:05
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when
> setting up Group Policies
> 
> On Sun, 15 Jan 2017 20:30:25 +0200
> Richard via samba <samba at lists.samba.org> wrote:
> 
> > I remain baffled as to why richard.h cannot access the sysvol
> > share. 
> > 
> > Permissions all seem ok from what I can see and I'm not sure why
> > this should be any different from normal AD share behaviour (our
> > other shares are working fine for domain users)
> > 
> > I would really appreciate it if someone could let me know whether
> > the sysvol has become corrupt in some way and  I am wasting my time
> > even trying to sort this out.
> > 
> > thanks
> > 
> 
> I have thought about this and notice that you gave 'Domain Admins'
a
> gidNumber (which you have now removed), but 'getfacl' only showed
the
> number not the group name. This makes me wonder if you have set up
> the libnss_winbind links etc. If you haven't, or don't know what I
> mean, see here:
> 
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
Check PAM, see here:

https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

Rowland