Marcio Demetrio Bacci
2017-Jul-06 05:14 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi,

My DC doesn't know domain users and groups by name, only by uid/gid.

Ex:
chmod mike:'EMPRESA\unix_admins' test
chown: invalid group mike:EMPRESA\\unix_admins

If run with the GID it works properly:
chmod mike:30059 test
drwxr-xr-x 2 root 30059 4096 Jul 6 00:17 test

The unix_admins group exists:
wbinfo --gid-info 30059
EMPRESA\unix_admins:x:30059:

On the file server domain member, the "chown" command by user and group names is OK:
chmod mike:'EMPRESA\unix_admins' test
drwxr-xr-x 2 root unix_admins 4096 Jul 6 00:19 test

I have performed the following steps:

1) cd /usr/local/samba/var/locks/sysvol
2) mv empresa.com.br /root
3) mkdir empresa.com.br
4) samba-tool ntacl sysvolreset
5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
6) rmdir empresa.com.br
7) mv /root/empresa.com.br .
8) setfacl --restore=sysvol.permissions.acl
9) samba-tool ntacl sysvolcheck

10) I went to the GPO editor and fixed the incorrect rights.

11) I opened Computer Management, connected to the DC, and went to the security tab.
I have set up the Sysvol security rights:
DOMAIN\Server Operators
Creator Owner
Authenticated Users
SYSTEM
DOMAIN\Administrators

Note 1: I also changed the sysvol folder owner to "unix_admins" through the MS Windows properties dialog, but when I checked in the DC terminal it hadn't changed (it stayed the same user and group).

Note 2: I have already removed the "Unix Attributes" of BUILTIN\Administrators, Group Policy Creator Owners and others with the Windows RSAT tools - Active Directory Users and Computers (changed the NIS domain to None), but the UID/GID remain.

For example: GID 3000275 still belongs to BUILTIN\Administrators.

Other notes:

Output of the "samba-tool ntacl sysvolreset" command:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

The command above (despite the errors) reset the owner and group to root and 3000275 (BUILTIN\Administrators) respectively.

ls -l
drwxr-xr-x 2 root 3000275 4096 Jul 6 00:50 empresa.com.br

Output of the "samba-tool ntacl sysvolcheck" command:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)

I'm already able to create and edit my GPOs, but I have many doubts:

1) Is there another way to remove the UID / GID from the users and groups?

2) Why does the GID number of BUILTIN\Administrators and other users and groups still persist?

3) Is it normal that the DC does not identify users and groups by name, but only by UID / GID number?

4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck"?

5) When I change the users and groups of the sysvol folder from MS Windows, shouldn't that be reflected in the DC terminal?

I would really like to solve these problems!

Regards,

Márcio Bacci

2017-07-05 3:07 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> Sorry, my error, you need an "empty domain" directory in sysvol then reset.
> Then copy the rights, re-apply them .. Etc.
>
> And good point Rowland.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Tuesday 4 July 2017 21:51
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
> >
> > On Tue, 4 Jul 2017 16:04:20 -0300
> > Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
> >
> > > Hi Louis
> > >
> > > I have moved "empresa.com.br" folder to /root. After I run samba-tool
> > > ntacl sysvolreset, but some errors appear:
> >
> > Please put it back.
> >
> > Also which DC is this on, your first DC or the second one ?
> > and if it is the second one, have you followed the wiki page
> > I pointed you to, on your other post ?
> >
> > Or to put it another way, do both of your DCs sysvol directories (and
> > sub-directories) match and have you synced idmap.ldb from the
> > first DC to the second DC.
> >
> > I know what Louis told you to do, but you should only give
> > 'Domain Users' a gidNumber attribute, you can also give
> > 'Domain Admins' a gidNumber, but I personally think it is
> > better to create a group called 'Unix Admins', make this
> > group a member of 'Domain Admins' and then give this new
> > group a gidNumber. Now use this group when setting
> > permissions from Windows. My reasoning behind this: 'Domain Admins'
> > needs to own policies in sysvol, it cannot do this if it has
> > a gidNumber attribute.
> > Do not give any other user or group from the well known sids
> > a uidNumber or gidNumber, see here for the well known sids:
> >
> > https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
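The rule Rowland states above (only 'Domain Users' needs a gidNumber; no other well-known SID should carry a uidNumber or gidNumber) is easy to check mechanically. The following is an added example, not code from the thread or from Samba: it parses LDIF of the shape ldbsearch prints, flags uidNumber/gidNumber on BUILTIN SIDs and on domain RIDs below 1000 (except the gidNumber of 'Domain Users'), and emits the LDIF that would delete those attributes. The sample entries are constructed for the example, and the ldbsearch path in the docstring assumes the /usr/local/samba prefix used in the thread.

```python
"""Audit uidNumber/gidNumber on well-known AD SIDs (added example, not Samba code).

Input is LDIF such as this prints (sam.ldb path assumed from the thread's prefix):
  ldbsearch -H /usr/local/samba/private/sam.ldb \
      '(|(uidNumber=*)(gidNumber=*))' objectSid sAMAccountName uidNumber gidNumber
SAMPLE_LDIF below is constructed for this example, not captured from a DC.
"""
import re

# Domain RIDs below 1000 are well known; these are the ones usually touched
# through the ADUC "Unix Attributes" tab (see the Microsoft article linked above).
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}
BUILTIN_PREFIX = "S-1-5-32-"      # e.g. BUILTIN\Administrators is S-1-5-32-544
ALLOWED_GID_RIDS = {513}          # Rowland's rule: only Domain Users gets a gidNumber
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.
    No line folding or base64 ('::') values; enough for ldbsearch attribute dumps."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def well_known_label(sid):
    """Label for a BUILTIN SID or a domain RID < 1000, else None."""
    if sid.startswith(BUILTIN_PREFIX):
        return "BUILTIN " + sid
    m = DOMAIN_SID_RE.match(sid)
    if m and int(m.group(1)) < 1000:
        rid = int(m.group(1))
        return WELL_KNOWN_DOMAIN_RIDS.get(rid, "well-known RID %d" % rid)
    return None


def audit(ldif_text):
    """Every uidNumber/gidNumber set on a well-known SID, except Domain Users' gidNumber."""
    findings = []
    for e in parse_ldif(ldif_text):
        sid = e.get("objectSid", [""])[0]
        label = well_known_label(sid)
        if label is None:
            continue                      # ordinary user/group: a uid/gidNumber is fine
        m = DOMAIN_SID_RE.match(sid)
        rid = int(m.group(1)) if m else None
        for attr in ("uidNumber", "gidNumber"):
            if attr not in e or (attr == "gidNumber" and rid in ALLOWED_GID_RIDS):
                continue
            findings.append({"dn": e["dn"][0], "name": e.get("sAMAccountName", ["?"])[0],
                             "sid": sid, "attr": attr, "value": e[attr][0], "why": label})
    return findings


def removal_ldif(findings):
    """'changetype: modify' records deleting the flagged attributes, for
    ldbmodify -H .../sam.ldb; run 'net cache flush' afterwards as the thread advises."""
    return "\n".join("dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n"
                     % (f["dn"], f["attr"], f["attr"], f["value"]) for f in findings)


# Constructed sample: Domain Users is allowed, unix_admins (RID 1105) is an
# ordinary group, the other three are well-known SIDs that must not carry a gidNumber.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=empresa,DC=com,DC=br
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=empresa,DC=com,DC=br
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=Administrators,CN=Builtin,DC=empresa,DC=com,DC=br
objectSid: S-1-5-32-544
sAMAccountName: Administrators
gidNumber: 10002

dn: CN=Group Policy Creator Owners,CN=Users,DC=empresa,DC=com,DC=br
objectSid: S-1-5-21-1111111111-2222222222-3333333333-520
sAMAccountName: Group Policy Creator Owners
gidNumber: 10003

dn: CN=unix_admins,CN=Users,DC=empresa,DC=com,DC=br
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
sAMAccountName: unix_admins
gidNumber: 30059
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print("%-30s %s=%s  (%s)" % (f["name"], f["attr"], f["value"], f["why"]))
    print(removal_ldif(audit(SAMPLE_LDIF)))
```

Pipe the real ldbsearch output into audit() and review the generated LDIF before applying it; removing the attribute in AD does not touch the xidNumber mapping in idmap.ldb, which is why Louis and Rowland both follow up with net cache flush.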
Marcio Demetrio Bacci
2017-Jul-06 05:18 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
* Sorry, it is not "chmod mike:'EMPRESA\unix_admins' test". I meant to say "chown mike:'EMPRESA\unix_admins' test". I'm tired!

2017-07-06 2:14 GMT-03:00 Marcio Demetrio Bacci <marciobacci at gmail.com>:

> Hi,
>
> My DC doesn't know domain users and groups by name, only by uid/gid.
L.P.H. van Belle
2017-Jul-06 06:46 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hai Marcio,

Now, this looks good. Normally I switch steps 10 and 11.
After you remove the uid/gid, run: net cache flush

> I'm already getting create and edit my GPOs, but I have many doubts:

Remove your doubts, set up some GPOs and test. You will see everything works.

> 1) Is there another way to remove UID / GID from the users and groups ?

net cache flush

> 2) Why GID number of the BUILT\Administrators and other users and groups still continue ?

IDs are still in idmap and these are default groups in the AD.

> 3) Is normal DC does not identify user and group by name, but only by UID / GID number ?

I don't understand this question exactly, but try to forget chmod/chown; getfacl and setfacl are what you need.

> 4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck" ?

A few small bugs, but you can safely ignore this. The solution here is simple: don't run samba-tool ntacl sysvolreset and samba-tool ntacl sysvolcheck after you have set up the rights from within Windows.

> 5) When I change the users and groups from the sysvol folder by MS Windows should I not reflect on the DC terminal?

Hm, I don't understand this question.

> The command above (despite the mistakes) reset owner and group to root and 3000275 (BUILTIN\Administrators) respectively.
> ls -l
> drwxr-xr-x 2 root 3000275 4096 Jul 6 00:50 empresa.com.br

Now, this isn't right, you changed it with chown, not setfacl.

Look, this is my line:
drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29 2016 xxxxxxx.bazuin.nl

and getfacl /home/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I suggest, to make sure, that you redo your 3 steps outlined below, in this order: 8, 11, 10.
Then, when that's done, don't touch the sysvol folders from the console.

But you're getting there, it's always hard in the beginning.. ;-)

Greetz,

Louis

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Thursday 6 July 2017 7:19
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5

> * Sorry, it is not "chmod mike:'EMPRESA\unix_admins' test". I meant to say "chown mike:'EMPRESA\unix_admins' test". I'm tired!
>
> 2017-07-06 2:14 GMT-03:00 Marcio Demetrio Bacci <marciobacci at gmail.com>:
>
> > Hi,
> > My DC doesn't know domain users and groups by name, only by uid/gid.
Rowland Penny
2017-Jul-06 07:58 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
On Thu, 6 Jul 2017 02:14:42 -0300
Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:

> Hi,
>
> My DC doesn't know domain users and groups by name, only by uid/gid.

Sounds like you haven't set up the libnss_winbind.so links or /etc/nsswitch.conf

> Ex: chmod mike:'EMPRESA\unix_admins' test
> chown: invalid group mike:EMPRESA\\unix_admins
>
> If run with the GID it works properly:
> chmod mike:30059 test
> drwxr-xr-x 2 root 30059 4096 Jul 6 00:17 test

Where is 30059 coming from ?
As standard I would expect numbers in the '3000000' range.

> The unix_admins group exists:
> wbinfo --gid-info 30059
> EMPRESA\unix_admins:x:30059:
>
> On the file server domain member, the "chown" command by user and group names is OK:
> chmod mike:'EMPRESA\unix_admins' test
> drwxr-xr-x 2 root unix_admins 4096 Jul 6 00:19 test
>
> I have performed the following steps:
>
> 1) cd /usr/local/samba/var/locks/sysvol
> 2) mv empresa.com.br /root
> 3) mkdir empresa.com.br
> 4) samba-tool ntacl sysvolreset
> 5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
> 6) rmdir empresa.com.br
> 7) mv /root/empresa.com.br .
> 8) setfacl --restore=sysvol.permissions.acl
> 9) samba-tool ntacl sysvolcheck
>
> 10) I went to the GPO editor and fixed the incorrect rights.
>
> 11) I opened Computer Management, connected to the DC, and went to the security tab.
> I have set up the Sysvol security rights:
> DOMAIN\Server Operators
> Creator Owner
> Authenticated Users
> SYSTEM
> DOMAIN\Administrators
>
> Note 1: I also changed the sysvol folder owner to "unix_admins" through the MS Windows properties dialog, but when I checked in the DC terminal it hadn't changed (it stayed the same user and group).
>
> Note 2: I have already removed the "Unix Attributes" of BUILTIN\Administrators, Group Policy Creator Owners and others with the Windows RSAT tools - Active Directory Users and Computers (changed the NIS domain to None), but the UID/GID remain.
>
> For example: GID 3000275 still belongs to BUILTIN\Administrators.
>
> Other notes:
>
> Output of the "samba-tool ntacl sysvolreset" command:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
> The command above (despite the errors) reset the owner and group to root and 3000275 (BUILTIN\Administrators) respectively.
>
> ls -l
> drwxr-xr-x 2 root 3000275 4096 Jul 6 00:50 empresa.com.br
>
> Output of the "samba-tool ntacl sysvolcheck" command:
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
>     xattr.XATTR_NTACL_NAME)
>
> I'm already able to create and edit my GPOs, but I have many doubts:
>
> 1) Is there another way to remove the UID / GID from the users and groups?

Have you run 'net cache flush' on the DC ?

> 2) Why does the GID number of BUILTIN\Administrators and other users and groups still persist?

See above

> 3) Is it normal that the DC does not identify users and groups by name, but only by UID / GID number?

Yes

> 4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck"?

From my tests, too many to mention, but the main one is that sysvolreset does not set the correct ACEs.

> 5) When I change the users and groups of the sysvol folder from MS Windows, shouldn't that be reflected in the DC terminal?
>
> I would really like to solve these problems!

So would I ;-)

Rowland
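Rowland's first diagnosis (the DC resolves IDs but not names, so the winbind NSS module is probably not wired in) can be checked from the console before touching sysvol again. The script below is an added example, not something posted in the thread or shipped by Samba: it verifies that the passwd and group databases in an nsswitch.conf list winbind as a source and looks for libnss_winbind.so.2 in the usual library directories (a self-compiled Samba leaves it under /usr/local/samba/lib, the prefix used in the thread, and it has to be linked into the loader path before getent sees domain accounts). The directory list and the nsswitch.conf contents used when you run it are assumptions for the example.

```sh
#!/bin/sh
# Added example: is NSS wired to winbind on this host? Not part of the thread or of Samba.

# nss_has_winbind FILE: return 0 if both the passwd and group databases in
# FILE list "winbind" as a source; otherwise report what is missing and return 1.
nss_has_winbind() {
    file="$1"
    rc=0
    for db in passwd group; do
        # drop comments, select the "db:" line, look for winbind among its sources
        if ! sed 's/#.*//' "$file" | awk -v db="$db" '
            $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "nsswitch.conf: database '$db' has no winbind source" >&2
            rc=1
        fi
    done
    return $rc
}

# find_libnss_winbind: print the first libnss_winbind.so.2 found in common
# loader directories (assumed list) plus the /usr/local/samba prefix; 1 if none.
find_libnss_winbind() {
    for d in /lib /lib64 /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu /usr/local/samba/lib; do
        if [ -e "$d/libnss_winbind.so.2" ]; then
            echo "$d/libnss_winbind.so.2"
            return 0
        fi
    done
    return 1
}

# Usage: sh nsscheck.sh /etc/nsswitch.conf
if [ $# -gt 0 ]; then
    if nss_has_winbind "$1"; then
        echo "NSS: winbind is a source for passwd and group"
    fi
    if lib=$(find_libnss_winbind); then
        echo "found $lib"
        case "$lib" in
            /usr/local/samba/*) echo "only under the Samba prefix: link it into /lib (or /usr/lib) and run ldconfig" >&2 ;;
        esac
    else
        echo "libnss_winbind.so.2 not found in the checked directories" >&2
    fi
fi
```

When both checks pass and getent passwd still lists only local users, the remaining suspects are the winbindd process itself (wbinfo --ping-dc) and a stale cache, which is where net cache flush comes in.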
Marcio Demetrio Bacci
2017-Jul-06 18:35 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hi Rowland

> > My DC doesn't know domain users and groups by name, only by uid/gid.
>
> Sounds like you haven't set up the libnss_winbind.so links or /etc/nsswitch.conf

I had not installed Winbind, but I have installed it now (the winbind, libnss-winbind and libpam-winbind packages).

I configured /etc/nsswitch.conf as below:

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

My /etc/pam.d/common-session looks like this:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so

Below is the /usr/local/samba/etc/smb.conf of the DC:

[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = EMPRESA
server role = active directory domain controller
dns forwarder = 192.168.0.88
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
template shell = /bin/bash
template homedir = home/%U

[netlogon]
path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes

##########################################

The wbinfo -u, wbinfo -g and wbinfo -a <user> commands are OK, but "getent passwd" only shows local users.

wbinfo --ping-dc doesn't show the short domain name; please see the output:
checking the NETLOGON dc connection to "" succeeded

The id <user> command doesn't work either:
id marcio
id: marcio: no such user

Do I need to set up the Domain Controller's smb.conf with the parameters below?

idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

What else could be wrong?

Regards,

Márcio Bacci

2017-07-06 4:58 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>: