Hi. I have a problem applying GPO. I do not know where to look.
Reviewing, I found this:

# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[sistemas]"
ldb_wrap open of idmap.ldb
Module 'acl_xattr' loaded
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
#

My smb.conf:

oot at DC02:~# cat /etc/samba/smb.conf

# Global parameters
[global]
workgroup = CLINICAGUEMES
realm = CLINICAGUEMES.COM.AR
netbios name = DC02
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = No
log level = 3

#### Disable the error in the logs caused by the printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[netlogon]
path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[sistemas]
path = /datos/grupos/sistemas
read only = No
valid users = +sistemas

Is this OK?:

root at DC02:/var/lib/samba# ls -l
total 1404
-rw------- 1 root root 421888 nov 21 2016 account_policy.tdb
-rw------- 1 root root 696 nov 21 2016 group_mapping.tdb
drwxr-x--- 2 root root 4096 ene 24 21:04 ntp_signd
drwxr-xr-x 10 root root 4096 nov 21 2016 printers
drwxr-xr-x 7 root root 4096 jun 6 15:33 private
-rw------- 1 root root 528384 nov 21 2016 registry.tdb
-rw------- 1 root root 421888 nov 21 2016 share_info.tdb
drwxrwx---+ 3 root 3000000 4096 jun 6 15:19 sysvol <<<<---------- is okay?
drwxrwx--T 2 root sambashare 4096 nov 21 2016 usershares
-rw------- 1 root root 32768 jun 5 22:54 winbindd_cache.tdb
drwxr-x--- 2 root root 4096 ene 24 21:04 winbindd_privileged

I do not know where to look for the logs to apply the GPOs

On Tue, 6 Jun 2017 15:35:42 -0300
Epsilon Minus via samba <samba at lists.samba.org> wrote:

> I do not know where to look for the logs to apply the GPOs

Not sure about the GPO (I don't use them), but the owner:group on
sysvol is okay.

Also, you cannot use 'valid users' on a DC, you need to set the ACLs
from windows.

Rowland
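
The 'valid users' point in the reply above, turned into a check (an added example, not part of the original thread and not Samba's own code): the script parses an smb.conf and lists the shares that set 'valid users' when the server role is an AD DC. The sample input is the smb.conf quoted in this thread, shortened; the function names are made up for the example, only the 'server role' spelling used in the thread is recognised, and backslash line continuations are not handled.

```python
# Constructed sample: the smb.conf quoted in this thread, shortened.
SAMPLE_SMB_CONF = """\
[global]
workgroup = CLINICAGUEMES
realm = CLINICAGUEMES.COM.AR
netbios name = DC02
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[sistemas]
path = /datos/grupos/sistemas
read only = No
valid users = +sistemas
"""


def parse_smb_conf(text):
    """Return {section: {normalised parameter name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            current["".join(key.lower().split())] = value.strip()
    return sections


def is_ad_dc(sections):
    """True when [global] declares the AD DC role as spelled in the thread."""
    role = sections.get("global", {}).get("serverrole", "")
    return " ".join(role.lower().split()) == "active directory domain controller"


def shares_with_valid_users(sections):
    """(share, value) pairs that set 'valid users' on an AD DC config."""
    if not is_ad_dc(sections):
        return []
    return [(name, params["validusers"])
            for name, params in sections.items()
            if name != "global" and "validusers" in params]


if __name__ == "__main__":
    for share, value in shares_with_valid_users(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] valid users = {value}: set the ACLs from Windows instead")
```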

2017-06-06 15:54 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> Not sure about the GPO (I don't use them), but the owner:group on
> sysvol is okay.
>
> Also, you cannot use 'valid users' on a DC, you need to set the ACLs
> from windows.
>
> Rowland

Thank you. I removed "valid user" but the error continues.
Adding new information:

root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar# samba-tool gpo aclcheck
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name dc01.clinicaguemes.com.ar<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc01.clinicaguemes.com.ar<0x20>
ERROR(runtime): uncaught exception - (-1073741766, '{Path Not Found} The path %hs does not exist.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1148, in run
    fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#

Excuse me. I'm not mean those errors.