L.P.H. van Belle
2017-Jul-03 07:29 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hai,

In response to why I recommend that:

Since this is a "windows" only share, I recommend setting it up for that usage, which results in better matching for Windows rights, resulting in better working policies. The current POSIX rights did not match my needs and resulted in inconsistent policies. This is why I use these for profiles and sysvol.

And this is my setup order:

Set up the sysvol share with:

    acl_xattr:ignore system acls = yes

Set up SeDiskOperatorPrivilege. For sysvol, set up 2 (!) groups:

    net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
    net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"

And use the default Windows group for extra users: "Group Policy Creator Owners".

Set up share rights (you must re-apply them if you use "ignore system acls").

Set up security rights, but since you're using "ignore system acls", the default sysvol rights are now ok. But check if the creator group is also on the security rights.

Check from within the GPO management tools; you will get some messages about rights to fix, do that. And don't run samba-tool sysvolreset; if you do, then you will have to repeat the above again.

Now your GPO should work as normal.

Try it out and report your result.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Sunday 2 July 2017 20:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On 2017-07-02 at 17:26, Rowland Penny via samba wrote:
>
> >> [sysvol]
> >> path = /usr/local/samba/var/locks/sysvol
> >> read only = No
> >> acl_xattr:ignore system acls = yes
> >
> > You should remove the above line, it isn't required.
>
> Louis recommended that one to me a few weeks ago.
> Could you explain?
L.P.H. van Belle
2017-Jul-04 13:25 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hai,

The steps are (basically) good, only this one can be better:

> To solve, I executed the following commands:
> chown 10060:30028 -R sysvol
> chmod 775 -R sysvol

If you use acl_xattr:ignore system acls = yes on the sysvol share, you must configure the share from within Windows. (* or use smbcacls, but I never used it.)

This is what I see:

    ls -al sysvol
    total 24
    drwxrwx---+ 3 root root                   4096 Nov 17  2016 .
    drwxrwxr-x+ 5 root BUILTIN\administrators 4096 Apr 21 13:22 ..
    drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29  2016 internal.domain.tld

You notice the + behind the drwx..; to see that, use: getfacl /var/lib/samba/sysvol

    getfacl: Removing leading '/' from absolute path names
    # file: var/lib/samba/sysvol
    # owner: root
    # group: root
    user::rwx
    user:root:rwx
    user:3000000:rwx
    user:3000001:r-x
    user:3000002:rwx
    user:3000003:r-x
    group::rwx
    group:BUILTIN\134administrators:rwx
    group:BUILTIN\134server\040operators:r-x
    group:3000002:rwx
    group:3000003:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:3000000:rwx
    default:user:3000001:r-x
    default:user:3000002:rwx
    default:user:3000003:r-x
    default:group::---
    default:group:BUILTIN\134administrators:rwx
    default:group:BUILTIN\134server\040operators:r-x
    default:group:3000002:rwx
    default:group:3000003:r-x
    default:mask::rwx
    default:other::---

The numbers are explained a bit below (see security tab).
Take notice that "NTDOM\Domain Admins" is a member of BUILTIN\Administrators.
(The above is not the Samba default but the same setup as on a Windows 2008R2 server.)

A good tip to restore the defaults with samba-tool without errors:

Move your domain folder out of the /var/lib/samba/sysvol folder:

    mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere_else

Run samba-tool ntacl sysvolreset. Since there is no domain folder and policies folder, you don't get errors.
Test with samba-tool ntacl sysvolcheck; if you don't have errors, back up these settings:

    getfacl -R /var/lib/samba/sysvol > sysvol.permissions.acl

(and a restore option: setfacl --restore=sysvol.permissions.acl)

Now move your domain folder back.

Next, log in with a user account that has domain admin rights (is a member of). Go to the GPO editor and click on every GPO object. You will get some messages about incorrect rights, and if it wants to fix it, that's ok. (Forgot the article, but you can find this one on MS support; minor thing, won't affect your GPOs.)

Last: open the computer manager, connect to the DC, go to the security tab. Sysvol security rights should be:

    DOMAIN\Server Operators (or BUILTIN\Server Operators)
    Creator Owner
    Authenticated Users
    SYSTEM
    DOMAIN\Administrators (or BUILTIN\Administrators)

DOMAIN\Administrators contains: "Domain Admins", Administrator and "Enterprise Admins".
And the "DOMAIN\Administrators" is in the Builtin OU (could also be BUILTIN\Administrators).

And the same for "DOMAIN\Users" (could also be BUILTIN\Users), which contains: Authenticated Users, Domain Users, INTERACTIVE.
Ignore the DOMAIN\ and BUILTIN differences here; both are correct.

And if you've done everything right, now you should be able to use the newAdmin and/or NTDOM\Administrator user to set up your GPO.

Greetz,

Louis

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Tuesday 4 July 2017 14:00
To: L.P.H. van Belle
Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5

Hi

I have re-applied "acl_xattr:ignore system acls = yes", and followed all the guidelines, including those of the link: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

When I removed the Unix attributes from the "Administrator" user, the permissions on the sysvol folder were broken.

To solve it, I executed the following commands:

    chown 10060:30028 -R sysvol
    chmod 775 -R sysvol

(Where 10060 is my user and 30028 is the Domain Admins group)

    root at dc1:/usr/local/samba/var/locks# ls -l
    total 1392
    -rw------- 1 root  root  421888 Mai 15 21:57 account_policy.tdb
    -rw------- 1 root  root  528384 Mai 15 21:57 registry.tdb
    -rw------- 1 root  root  421888 Mai 15 21:57 share_info.tdb
    drwxrwxr-x 3 10060 30028   4096 Jul  4 01:15 sysvol
    -rw------- 1 root  root   32768 Jul  4 08:34 winbindd_cache.tdb
    drwxr-s--- 2 root  root    4096 Jul  4 01:17 winbindd_privileged

Then I performed a "net cache flush" command and restarted the Samba 4 service.

Now I can create and edit the GPOs normally.

Are the above procedures correct? Is there any problem?

Regards,

Márcio Bacci
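Louis' tip above is to dump the sysvol ACLs with getfacl -R once sysvolcheck is clean and keep that file as the restore point. The following is an added example, not from the thread or from Samba, that parses such a dump, undoes getfacl's octal escapes (\134 for the backslash in BUILTIN\administrators, \040 for the space in server operators) and reports every path whose entries deviate from the baseline visible in Louis' listing; the sample dump and the REQUIRED baseline are constructed for illustration and should be adjusted to your own clean dump.

```python
import re
from typing import Dict, List

# getfacl writes special bytes as \NNN octal: \134 is a backslash, \040 a space.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# Baseline from Louis' listing: admins group rwx, mask rwx, nothing for "other".
REQUIRED = {"group:BUILTIN\\administrators": "rwx", "mask:": "rwx", "other:": "---"}
# Constructed sample in the shape of `getfacl -R /var/lib/samba/sysvol` output;
# the second directory was chmod'd 775 and no longer matches the baseline.
SAMPLE_DUMP = """\
# file: var/lib/samba/sysvol
# owner: root
user::rwx
group::rwx
group:BUILTIN\\134administrators:rwx
group:BUILTIN\\134server\\040operators:r-x
mask::rwx
other::---

# file: var/lib/samba/sysvol/internal.domain.tld
user::rwx
group:BUILTIN\\134administrators:rwx
mask::rwx
other::r-x
"""

def unescape(name: str) -> str:
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str) -> Dict[str, Dict[str, str]]:
    # Map each "# file:" path to its ACL entries as {qualifier: perms}.
    acls: Dict[str, Dict[str, str]] = {}
    path = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# file:"):
            path = unescape(line[7:].strip())
            acls[path] = {}
        elif line and not line.startswith("#") and path is not None:
            key, _, perms = line.rpartition(":")  # "mask::rwx" -> ("mask:", "rwx")
            acls[path][unescape(key)] = perms
    return acls

def audit_dump(text: str) -> Dict[str, List[str]]:
    # Return only the paths that deviate from REQUIRED, with a reason per entry.
    findings: Dict[str, List[str]] = {}
    for path, entries in parse_getfacl(text).items():
        problems = []
        for key, want in REQUIRED.items():
            got = entries.get(key)
            if got is None:
                problems.append(f"missing {key}:{want}")
            elif got != want:
                problems.append(f"{key}:{got} (expected {key}:{want})")
        if problems:
            findings[path] = problems
    return findings
```

Run audit_dump on the contents of sysvol.permissions.acl taken after a later change to compare it against the clean baseline before deciding whether setfacl --restore is needed.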
Marcio Demetrio Bacci
2017-Jul-04 19:04 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi Louis,

I have moved the "empresa.com.br" folder to /root. After that I ran samba-tool ntacl sysvolreset, but some errors appear:

    samba-tool ntacl sysvolreset
    open: error=2 (No such file or directory)
    ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
        lp, use_ntvfs=use_ntvfs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
        set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
        use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

    samba-tool ntacl sysvolcheck
    ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
        lp)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
        fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
        xattr.XATTR_NTACL_NAME)

My sysvol folder is empty. What is the problem?

Regards,

Márcio Bacci