Marcio Demetrio Bacci
2017-Jul-04 19:04 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi Louis
I have moved the "empresa.com.br" folder to /root. After that I ran samba-tool
ntacl sysvolreset, but some errors appear:
samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
                 use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
    service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
                    security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
                     service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)
My sysvol folder is empty.
What is the problem?
Regards,
Márcio Bacci
2017-07-04 10:25 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> Hai, the steps are (basically) good, only this one can be better.
>
> >To solve, I executed the following commands:
> >chown 10060:30028 -R sysvol
> >chmod 775 -R sysvol
>
> If you use acl_xattr:ignore system acls = yes on the sysvol share, you
> must configure the share from within windows. (* or use smbcacls , but I
> never used it. )
>
> This is what i see:
>
> ls -al sysvol
> total 24
> drwxrwx---+ 3 root root 4096 Nov 17 2016 .
> drwxrwxr-x+ 5 root BUILTIN\administrators 4096 Apr 21 13:22 ..
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29 2016 internal.domain.tld
>
> You notice the + behind the drwx.. , to see that use : getfacl /var/lib/samba/sysvol
>
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> the numbers are explained a bit below. ( see security tab )
> Take notice that : "NTDOM\Domain Admins" is member of
> BUILTIN\Administrators.
> ( above is not the samba default but the same setup as on a Windows 2008R2
> server. )
>
> A good tip to restore the defaults with samba-tool without errors.
>
> move your domain folder out of the /var/lib/samba/sysvol folder.
> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> run samba-tool ntacl sysvolreset
>
> Since there is no domain folder and policies folder, you don't get errors.
> test with samba-tool ntacl sysvolcheck, if you don't have errors, backup
> these settings.
>
> getfacl -R /var/lib/samba/sysvol > sysvol.permissions.acl
> (and a restore option : setfacl --restore=sysvol.permissions.acl )
>
> Now move your domain folder back.
>
> Next, login with a user account that has domain admin rights. ( is member
> of )
> Go to the GPO editor, and click on every GPO object. You will get some
> messages about incorrect rights, and if it wants to fix it, that's ok.
> ( forgot the article but you can find this one on MS support, minor thing,
> won't affect your GPOs)
>
> Last.
> Open the computer manager, connect to the DC, go to the security tab.
> Sysvol security rights should be:
> DOMAIN\Server Operators ( or BUILTIN\Server Operators )
> Creator Owner
> Authenticated Users
> SYSTEM
> DOMAIN\Administrators ( or BUILTIN\Administrators )
>
> DOMAIN\Administrators contains : "Domain Admins", Administrator and
> "Enterprise Admins"
> And the "DOMAIN\Administrators" is in the Builtin OU. ( could also be
> BUILTIN\Administrators )
>
> And same for "DOMAIN\Users" (could also be BUILTIN\Users) contains:
> Authenticated Users, Domain Users, INTERACTIVE)
> ignore the DOMAIN\ and BUILTIN differences here. both are correct.
> And if you've done everything right, now you should be able to use the
> newAdmin and/or NTDOM\Administrator user to set up your GPOs.
>
>
> Greetz,
>
> Louis
>
>
> From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
> Sent: Tuesday 4 July 2017 14:00
> To: L.P.H. van Belle
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
>
> Hi
>
> I have re-applied "acl_xattr:ignore system acls = yes", and followed all
> the guidelines, including those of the link:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> When I have removed the Unix attributes from the "Administrator" user the
> permissions on the sysvol folder were broken.
>
> To solve, I executed the following commands:
>
> chown 10060:30028 -R sysvol
> chmod 775 -R sysvol
>
> (Where 10060 is my user and 30028 is the Domain Admins group)
>
> root at dc1:/usr/local/samba/var/locks# ls -l
> total 1392
> -rw------- 1 root root 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root root 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root root 421888 Mai 15 21:57 share_info.tdb
> drwxrwxr-x 3 10060 30028 4096 Jul 4 01:15 sysvol
> -rw------- 1 root root 32768 Jul 4 08:34 winbindd_cache.tdb
> drwxr-s--- 2 root root 4096 Jul 4 01:17 winbindd_privileged
>
> Then I have performed a "net cache flush" command and restarted the Samba
> 4 service.
>
> Now I can create and edit the GPOs normally.
>
> Are the above procedures correct? Is there any problem?
>
> Regards,
>
> Márcio Bacci
>
> 2017-07-03 4:29 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> Hai,
>
> In response to why I recommend that.
>
> Since this is a "windows" only share, I recommend setting it up for that
> usage, which results in better matching for windows rights.
> Resulting in better working policies.
> The current POSIX rights did not match my needs and resulted in
> inconsistent policies.
> This is why I use these for profiles and sysvol.
>
> And this is my setup order:
>
> setup the sysvol share with : acl_xattr:ignore system acls = yes
>
> Setup SeDiskOperatorPrivilege. For sysvol, set up 2 groups!
> net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> And use the default windows group for extra users: "Group Policy Creator
> Owners"
>
> Setup Share rights, (you must re-apply them if you use "ignore system
> acls" )
>
> Setup Security rights, but since you're using "ignore system acls" the
> default sysvol rights are now ok.
> But check that the creator group is also in the security rights.
>
> Check from within the GPO management tools, you will get some messages about rights
> to fix, do that.
> And don't run samba-tool sysvolreset, if you do, then you will have to
> repeat the above again.
>
> Now your GPOs should work as normal.
>
> Try it out and report your result.
>
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Stefan G. Weichinger via samba
> > Sent: Sunday 2 July 2017 20:41
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
> >
> > On 2017-07-02 at 17:26, Rowland Penny via samba wrote:
> >
> > >> [sysvol]
> > >> path = /usr/local/samba/var/locks/sysvol
> > >> read only = No
> > >> acl_xattr:ignore system acls = yes
> > >
> > > You should remove the above line, it isn't required.
> >
> > Louis recommended that one to me a few weeks ago.
> > Could you explain?
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
Rowland Penny
2017-Jul-04 19:51 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
On Tue, 4 Jul 2017 16:04:20 -0300 Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
> Hi Louis
>
> I have moved "empresa.com.br" folder to /root. After I run samba-tool
> ntacl sysvolreset, but some errors appear:

Please put it back.

Also which DC is this on, your first DC or the second one ? and if it is the second one, have you followed the wiki page I pointed you to, on your other post ?

Or to put it another way, do both of your DCs sysvol directories (and sub-directories) match and have you synced idmap.ldb from the first DC to the second DC.

I know what Louis told you to do, but you should only give 'Domain Users' a gidNumber attribute, you can also give 'Domain Admins' a gidNumber, but I personally think it is better to create a group called 'Unix Admins', make this group a member of 'Domain Admins' and then give this new group a gidNumber. Now use this group when setting permissions from Windows. My reasoning behind this: 'Domain Admins' needs to own policies in sysvol, it cannot do this if it has a gidNumber attribute.

Do not give any other user or group from the well known sids a uidNumber or gidNumber, see here for the well known sids: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

Rowland
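Two points in the thread lend themselves to an automated check: Louis backs up the sysvol POSIX ACLs with `getfacl -R /var/lib/samba/sysvol > sysvol.permissions.acl` and restores them with `setfacl --restore`, and his dump is full of numeric ids (3000000, 3000002, ...) plus octal-escaped names such as `BUILTIN\134server\040operators`; Rowland adds that 'Domain Admins' must not carry a gidNumber or it cannot own policies. The Python below is an added example, not code from Samba, Louis or Rowland: it parses a `getfacl -R` dump, decodes the escapes, resolves numeric ids through an id-to-name table, and reports ids with no mapping, any id that resolves to Domain Admins, and entries that grant rights to `other`. `KNOWN_IDS` (a stand-in for `wbinfo --uid-info` / `wbinfo --gid-info` results) and `SAMPLE_DUMP` (modelled on Louis's output, with a second, invented file block) are constructed assumptions; on a real DC you would point it at the saved `sysvol.permissions.acl` before restoring.

```python
"""Sanity-check a `getfacl -R` dump of sysvol before `setfacl --restore`.
Added example for this thread, not code from Samba or any poster. It assumes
the getfacl text format (# file:/# owner:/# group: headers, then
[default:]tag:qualifier:perms entries); KNOWN_IDS and SAMPLE_DUMP are constructed."""
import re
from dataclasses import dataclass, field
from typing import List

def unescape_getfacl(name: str) -> str:
    """getfacl writes backslash and space as octal escapes (\\134 and \\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

@dataclass
class AclEntry:
    default: bool   # True for entries of the "default:" (inherited) ACL
    tag: str        # user, group, mask or other
    qualifier: str  # "" for owner/owning group, else a name or numeric id
    perms: str

@dataclass
class FileAcl:
    path: str
    owner: str = ""
    group: str = ""
    entries: List[AclEntry] = field(default_factory=list)

def parse_getfacl_dump(text: str) -> List[FileAcl]:
    """Parse the multi-file output of `getfacl -R` into FileAcl records."""
    files: List[FileAcl] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop effective-rights hints
        if not line:
            continue
        if line.startswith("# file:"):
            current = FileAcl(path=unescape_getfacl(line[7:].strip()))
            files.append(current)
        elif current is None:
            continue  # stray text before the first "# file:" header
        elif line.startswith("# owner:"):
            current.owner = unescape_getfacl(line[8:].strip())
        elif line.startswith("# group:"):
            current.group = unescape_getfacl(line[8:].strip())
        elif line.startswith("#"):
            continue  # other comment lines such as "# flags:"
        else:
            default = line.startswith("default:")
            tag, qualifier, perms = (line[8:] if default else line).split(":", 2)
            current.entries.append(
                AclEntry(default, tag, unescape_getfacl(qualifier), perms))
    return files

# Constructed (tag, id) -> name table standing in for winbind (an assumption;
# real ids differ per domain and come from `wbinfo --uid-info`/`--gid-info`).
KNOWN_IDS = {
    ("group", "3000002"): "SAMDOM\\Domain Admins",
    ("group", "30059"): "SAMDOM\\unix_admins",
}

def audit_sysvol_acls(files: List[FileAcl], known_ids: dict) -> List[str]:
    """Report numeric ids with no name, Domain Admins appearing as a POSIX group
    (Rowland: a gidNumber on it stops it owning policies), and rights for 'other'."""
    findings: List[str] = []
    for f in files:
        principals = [("user", f.owner), ("group", f.group)] + [
            (e.tag, e.qualifier) for e in f.entries
            if e.tag in ("user", "group") and e.qualifier]
        for tag, q in principals:
            if not q.isdigit():
                continue  # already a name, nothing to resolve
            name = known_ids.get((tag, q))
            if name is None:
                findings.append(f"{f.path}: {tag} id {q} has no name mapping")
            elif name.split("\\")[-1].lower() == "domain admins":
                findings.append(f"{f.path}: {tag} id {q} is {name}, "
                                "which should not carry a gidNumber")
        findings += [f"{f.path}: other has {e.perms}" for e in f.entries
                     if e.tag == "other" and e.perms != "---"]
    return findings

# Constructed sample modelled on the dump quoted in the thread; the second
# file block is invented so that every check fires.
SAMPLE_DUMP = """\
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:3000001:r-x
group::rwx
group:BUILTIN\\134administrators:rwx
group:BUILTIN\\134server\\040operators:r-x
group:3000002:rwx
other::---

# file: var/lib/samba/sysvol/samdom.example.com
# owner: root
# group: 3000275
group:3000002:rwx\t#effective:rwx
other::r-x
"""

if __name__ == "__main__":
    for finding in audit_sysvol_acls(parse_getfacl_dump(SAMPLE_DUMP), KNOWN_IDS):
        print("FINDING:", finding)
```

A finding of "no name mapping" is the DC-side symptom Márcio describes (ids that `chown` cannot resolve by name); a Domain Admins hit means a gidNumber was set on the group Rowland says should stay unmapped. Both are worth clearing before `setfacl --restore` writes the dump back onto sysvol.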
L.P.H. van Belle
2017-Jul-05 06:07 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Sorry, my error, you need an "empty domain" directory in sysvol then reset.
Then copy the rights, re-apply them .. Etc.

And good point Rowland.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 4 July 2017 21:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On Tue, 4 Jul 2017 16:04:20 -0300
> Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
>
> > Hi Louis
> >
> > I have moved "empresa.com.br" folder to /root. After I run samba-tool
> > ntacl sysvolreset, but some errors appear:
>
> Please put it back.
>
> Also which DC is this on, your first DC or the second one ?
> and if it is the second one, have you followed the wiki page
> I pointed you to, on your other post ?
>
> Or to put it another way, do both of your DCs sysvol directories (and
> sub-directories) match and have you synced idmap.ldb from the
> first DC to the second DC.
>
> I know what Louis told you to do, but you should only give
> 'Domain Users' a gidNumber attribute, you can also give
> 'Domain Admins' a gidNumber, but I personally think it is
> better to create a group called 'Unix Admins', make this
> group a member of 'Domain Admins' and then give this new
> group a gidNumber. Now use this group when setting
> permissions from Windows. My reasoning behind this: 'Domain Admins'
> needs to own policies in sysvol, it cannot do this if it has
> a gidNumber attribute.
> Do not give any other user or group from the well known sids
> a uidNumber or gidNumber, see here for the well known sids:
>
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
>
> Rowland
Marcio Demetrio Bacci
2017-Jul-06 05:14 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi,
My DC doesn't know domain users and groups by name, only by uid/gid.
Ex: chown mike:'EMPRESA\unix_admins' test
chown: invalid group mike:EMPRESA\\unix_admins
If run with the GID it works properly:
chown mike:30059 test
drwxr-xr-x 2 root 30059 4096 Jul 6 00:17 test
There is a unix_admins group:
wbinfo --gid-info 30059
EMPRESA\unix_admins:x:30059:
On the file server domain member, the "chown" command by user and group names
is OK:
chown mike:'EMPRESA\unix_admins' test
drwxr-xr-x 2 root unix_admins 4096 Jul 6 00:19 test
I have performed the following steps:
1) cd /usr/local/samba/var/locks/sysvol
2) mv empresa.com.br /root
3) mkdir empresa.com.br
4) samba-tool ntacl sysvolreset
5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
6) rmdir empresa.com.br
7) mv /root/empresa.com.br .
8) setfacl --restore=sysvol.permissions.acl
9) samba-tool ntacl sysvolcheck
10) I went to the GPO editor and fixed the incorrect rights.
11) I opened computer manager, connected to the DC, and went to the
security tab.
I have set up Sysvol security rights:
DOMAIN\Server Operators
Creator Owner
Authenticated Users
SYSTEM
DOMAIN\Administrators
Note 1: I have changed the sysvol folder owner to "unix_admins" too via MS
Windows properties but, when I checked in the DC terminal, it hadn't changed (it
remained the same user and group).
Note 2: I have already removed the "Unix Attributes" of
BUILTIN\Administrators, Group Policy Creator Owners and others via the Windows
RSAT Tools - Active Directory Users and Computers (changed Domain NIS to
None), but the UID/GID remain.
For example: the GID 3000275 is still that of BUILTIN\Administrators.
Other notes:
output of "samba-tool ntacl sysvolreset" command:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
                 use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
    service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
                    security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
The command above (despite the errors) reset the owner and group to root and
3000275 (BUILTIN\Administrators) respectively.
ls -l
drwxr-xr-x 2 root 3000275 4096 Jul 6 00:50 empresa.com.br
output of "samba-tool ntacl sysvolcheck" command:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
                     service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)
I'm already able to create and edit my GPOs, but I have many doubts:
1) Is there another way to remove the UID / GID from the users and groups ?
2) Why does the GID number of BUILTIN\Administrators and other users and groups
still remain ?
3) Is it normal that the DC does not identify users and groups by name, but only
by UID / GID number ?
4) What are the problems with "samba-tool ntacl sysvolreset" and
"samba-tool ntacl sysvolcheck" ?
5) When I change the users and groups of the sysvol folder from MS Windows,
shouldn't it be reflected in the DC terminal?
I would really like to solve these problems!
Regards,
Márcio Bacci
2017-07-05 3:07 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> Sorry, my error, you need an "empty domain" directory in sysvol then reset.
> Then copy the rights, re-apply them .. Etc.
>
> And good point Rowland.
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Tuesday 4 July 2017 21:51
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
> >
> > On Tue, 4 Jul 2017 16:04:20 -0300
> > Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
> >
> > > Hi Louis
> > >
> > > I have moved "empresa.com.br" folder to /root. After I run samba-tool
> > > ntacl sysvolreset, but some errors appear:
> >
> > Please put it back.
> >
> > Also which DC is this on, your first DC or the second one ?
> > and if it is the second one, have you followed the wiki page
> > I pointed you to, on your other post ?
> >
> > Or to put it another way, do both of your DCs sysvol directories (and
> > sub-directories) match and have you synced idmap.ldb from the
> > first DC to the second DC.
> >
> > I know what Louis told you to do, but you should only give
> > 'Domain Users' a gidNumber attribute, you can also give
> > 'Domain Admins' a gidNumber, but I personally think it is
> > better to create a group called 'Unix Admins', make this
> > group a member of 'Domain Admins' and then give this new
> > group a gidNumber. Now use this group when setting
> > permissions from Windows. My reasoning behind this: 'Domain Admins'
> > needs to own policies in sysvol, it cannot do this if it has
> > a gidNumber attribute.
> > Do not give any other user or group from the well known sids
> > a uidNumber or gidNumber, see here for the well known sids:
> >
> > https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
> >
> > Rowland
> >