Ok, do the following.

Set ignore system acls to yes on sysvol and netlogon.

Log in as DOM\administrator.
Computer Manager, connect to the DC.
Share sysvol, go to share security, reset to defaults.
Same for the folder.

Go to GPO manager, click on every GPO object; if one has a wrong ACL you get a message to reset it, that's OK.

Now never run samba-tool ntacl sysvolreset. If you do, you might need to set share/file security again.

Greetz,
Louis

P.S. Rowland, now you can change the default GPOs also.

> On 6 Feb 2018 at 20:14, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 6 Feb 2018 15:03:16 -0400
> Robert Marcano via samba <samba at lists.samba.org> wrote:
>
>> Thanks for the information, using a default GPO was a simple way to
>> try to encourage someone to reproduce the problem.
>>
>> I already created new GPOs (this is a test domain), using the default
>> filter for a new GPO, "Authenticated Users", creating a new group for
>> the test clients and using that as the filter, checking it has the
>> right permissions (Apply), checking every guide about applying GPOs to
>> computers. Using OUs and using domain-level GPOs.
>>
>> What I find weird is that gpresult doesn't list the computer as a
>> member of groups I create, only a few predefined ones:
>>
>> NULL SID
>> NT AUTHORITY\NETWORK,
>> This company,
>> and something like "mandatory level of no trust" (Windows is not in
>> English)
>
> Do not alter the two default GPOs, it doesn't work ;-)
>
> Creating new GPOs should work, just do not run sysvolreset after
> creating them.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
> Ok, do the following.
> Set ignore system acls to yes on sysvol and netlogon.

Added "acl_xattr:ignore system acls = yes" to both shares, restarted the server.

> Log in as DOM\administrator.
> Computer Manager, connect to the DC.
> Share sysvol, go to share security, reset to defaults.
> Same for the folder.

I don't get the "Reset to defaults" option. There are two security related tabs, "Permission of shared resources" (or something like that, Windows is not in English) with only permissions for Everyone with Full control, Change and Read.

The other tab is the standard "Security" tab; those tabs don't show any reset to default option.

> Go to GPO manager, click on every GPO object; if one has a wrong ACL you get a message to reset it, that's OK.
>
> Now never run samba-tool ntacl sysvolreset. If you do, you might need to set share/file security again.
>
> Greetz,
> Louis
>
> P.S. Rowland, now you can change the default GPOs also.
Hi,

Ok, for the sysvol.
I'll put all steps here again.

I suggest starting with this one:
wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
This checks and sets the rights that are known to be right. (aka works great for me) ;-)

Then follow these steps.

- Log in as DOM\administrator.
- Start Computer Manager, connect to the DC.
- Click Shared Folders, Shares, sysvol.
  Option 1, this is the default: Everyone with Full control, Change and Read.
  Option 2: Everyone: Read.
            Authenticated Users: Full, Change, Read.
            SYSTEM: Full, Change, Read.
            DOMAIN\Administrators (or DOMAIN\Domain Admins): Full, Change, Read.

  The result of both settings is (share-wise) the same.
  Except in option 2 you must be authenticated before you can write anywhere.

- Tab Security.
  Authenticated Users: Read+execute, List folder contents, Read.
  SYSTEM: Full (everything on).
  DOMAIN\Administrators (or DOMAIN\Domain Admins): Full (everything on).
  DOMAIN\Server Operators: Read+execute, List folder contents, Read.
  Once this is set, click Advanced, click Change below.
  Check "replace all child object permissions" and replace.

  ! Note, always this order: first share security, then folder security.
  That helps prevent making errors or resetting rights.

- Do the same for netlogon. Same settings as sysvol, since it's a subfolder of sysvol.

- These steps are imo only done once (! or if you get errors again due to a reset or a change in Windows clients).
  Now first go to Group Policy Objects (not the linked ones).
  Click on every GPO object there; if you get any message, press OK, then it's reset.

Now you need to check the GPO objects that are assigned/linked to OUs and/or groups.

Just start at the top and click every object.
All my "normal" GPO objects only have Authenticated Users.
My "special" GPO objects have different settings.

For example, I've disabled all USB/mobile/CD access on the PCs by GPO,
a user policy set in the standard user. I've created 2 groups per type.
For example: USB-Read; if I look here you see only the USB-Allow-Read group. Now click the Delegation tab.
That shows me:
  Authenticated Users: Read (by security filter)
  DOM\Domain Admins
  DOM\Enterprise Admins
  Server logon
  SYSTEM

What you don't see is the underlying ACL; click Advanced.
Here you see ... the "Reset to default" button.
Reset it.

Now remember, after doing this, no samba-tool ntacl sysvolreset.
If you do, repeat the above again. Everything!

User GPOs: only a group with the user is fine, and it needs "Apply GPO".
A computer GPO needs Domain Computers with "Apply GPO" AND the users group.

I've set up all "problem" shares this way, due to the NT AUTHORITY\SYSTEM user problems.
Google for it, you'll see lots of it in the Samba list.
My share layout that used it (on multiple servers):
  DC: sysvol and netlogon
  Members: users and profiles
  Print server: print$ and printers

So in short, all shares where the "computer$" may access as user SYSTEM or things like that.

If you see errors on a computer in the event logs with:
  Computer$ can access .... bla bla .... on GPO.ini.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is often a forgotten "DOM\Domain Computers" in the GPO object, with read and/or write rights missing.
People test this and the computer$ can access the GPO.ini without problems, so why the event log?
Because of "SYSTEM" or another user that is having user/group/SID problems with Linux ACLs.

I hope I explained well enough why I use and set ignore system acls.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Marcano via samba
> Sent: Wednesday 7 February 2018 3:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPOs not Working!
Oh, and one more thing.

Domänentyp: Windows 2000 (domain type: Windows 2000)

Maybe it's also time to upgrade the domain level to 2008R2 at minimum.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Marcano via samba
> Sent: Wednesday 7 February 2018 3:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPOs not Working!
On Tue, 6 Feb 2018 22:18:41 -0400
Robert Marcano via samba <samba at lists.samba.org> wrote:

> On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
>> Share sysvol, go to share security, reset to defaults.
>> Same for the folder.
>
> I don't get the "Reset to defaults" option. There are two security
> related tabs, "Permission of shared resources" (or something like
> that, Windows is not in English) with only permissions for Everyone
> with Full control, Change and Read.
>
> The other tab is the standard "Security" tab; those tabs don't show
> any reset to default option.

It might help if I point out that a better name for the 'Security' tab would be 'NTFS permissions'.

Rowland
Before I do that, I don't understand why I have to do this!

I'm just testing straightforwardly. Now I have 3 GPOs:

* Default Domain Policy
  o (no configurations)
* test1
  o User Configuration: Mount Share and Create Desktop Icon; Security Filter: Authenticated Users
    ---> THIS GPO IS WORKING!
* test2
  o Computer Configuration: Interactive logon: Do not require CTRL+ALT+DEL, and Interactive logon: Do not display last user name; Security Filter: Authenticated Users, Domain Computers
    ---> THIS GPO IS *NOT* WORKING! (Also tried Security Filter: Authenticated Users ONLY)

The ACLs of my policies:

Default Domain Policy (test1 and test2 are the same)

# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
group:3000007:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:user:3000007:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:group:3000007:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

It looks like User Configurations are working and *Computer Configurations won't do*!

Thank you very much for the help.

PS: I do not know if it helps. On a Windows Server 2016 and 2012 I configured the same GPOs as described above. On WS all works fine.

On 07.02.2018 at 10:01, L.P.H. van Belle via samba wrote:
> Hi,
>
> Ok, for the sysvol.
> I'll put all steps here again.
Hi Micha,

The why is explained here:
https://wiki.samba.org/index.php/The_SYSTEM_Account

Which in the end has to do with SID_BOTH, one SID for a user and group; Linux does not understand that correctly.

With:
acl_xattr:ignore system acls = [yes|no]

When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs. This is better if you need your system ACLs be set for local or NFS file access, too. If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.

And also see:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

And if I missed something guys, please add it ;-)

Greetz,

Louis

From: Micha Ballmann [mailto:ballmann at uni-landau.de]
Sent: Wednesday 7 February 2018 11:45
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] GPOs not Working!

> Before I do that, I don't understand why I have to do this!
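Added example, not from this thread and not Samba's own code: a small Python audit that ties Micha's getfacl listing above to Louis's SID_BOTH explanation. It parses the getfacl output of one Policies/{GUID} folder, resolves every xidNumber to a SID with `wbinfo --uid-to-sid` / `--gid-to-sid` (the same number showing up as both a user: and a group: entry is exactly an ID_TYPE_BOTH mapping from idmap.ldb), applies the POSIX mask, and then checks that the principals GPO processing relies on can read and traverse the folder: Authenticated Users or Domain Computers (since MS16-072, the update Louis links, the computer account retrieves user GPOs too) and SYSTEM. The ASSUMED_IDMAP table is hypothetical and only there so the script runs offline; on a DC leave the default wbinfo resolver in place. One caveat: once `acl_xattr:ignore system acls = yes` is set, Samba enforces the NT ACL stored in the xattr for SMB clients and the POSIX ACL is no longer authoritative, so treat this as a view of the Linux side only and compare it with `samba-tool ntacl get --as-sddl <folder>` or `samba-tool ntacl sysvolcheck`.

```python
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the access ACL Micha posted for the Default Domain Policy
# folder (the default: entries only seed new children and are left out here).
SAMPLE_GETFACL = """\
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
group:3000007:rwx
group:3000010:r-x
mask::rwx
other::---
"""

# Hypothetical xidNumber -> SID table for offline runs; real values come from
# idmap.ldb on the DC and differ per installation.
ASSUMED_IDMAP = {
    "3000002": "S-1-5-32-544",        # BUILTIN\Administrators
    "3000003": "S-1-5-11",            # Authenticated Users
    "3000004": "S-1-5-18",            # SYSTEM
    "3000007": "S-1-5-21-1-2-3-512",  # Domain Admins, made-up domain SID
    "3000010": "S-1-5-32-549",        # BUILTIN\Server Operators
}
WELL_KNOWN_SIDS = {"S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
                   "S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-549": "BUILTIN\\Server Operators"}
DOMAIN_RIDS = {"512": "Domain Admins", "515": "Domain Computers",
               "516": "Domain Controllers", "519": "Enterprise Admins"}
Entry = Tuple[str, str, str]  # (tag, qualifier, perms), e.g. ("group", "3000003", "r-x")

def parse_getfacl(text: str) -> List[Entry]:
    """Access ACL only: comments and default: entries are skipped; perms[:3]
    drops the '#effective:...' annotation getfacl appends to masked entries."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":", 2)
            entries.append((tag, qualifier, perms[:3]))
    return entries

def effective_perms(entries: List[Entry]) -> List[Entry]:
    """Apply mask:: to named users, named groups and the owning group."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out: List[Entry] = []
    for tag, qualifier, perms in entries:
        if tag == "group" or (tag == "user" and qualifier):
            perms = "".join(a if a == b else "-" for a, b in zip(perms, mask))
        out.append((tag, qualifier, perms))
    return out

def sid_from_wbinfo(xid: str) -> Optional[str]:
    """Resolve through winbind; an ID_TYPE_BOTH id answers to either lookup."""
    for flag in ("--uid-to-sid", "--gid-to-sid"):
        try:
            out = subprocess.run(["wbinfo", flag, xid], capture_output=True,
                                 text=True, check=True).stdout.strip()
        except (OSError, subprocess.CalledProcessError):
            continue
        if out.startswith("S-1-"):
            return out
    return None

def audit(text: str,
          resolve: Callable[[str], Optional[str]] = sid_from_wbinfo) -> Dict[str, str]:
    """Principal -> effective perms. The user: and group: entries of one xid
    are merged (union of the bits); unresolved ids are reported by number."""
    report: Dict[str, str] = {}
    for tag, qualifier, perms in effective_perms(parse_getfacl(text)):
        if tag == "other":
            label = "Everyone (other)"
        elif tag in ("user", "group") and qualifier:
            sid = resolve(qualifier)
            label = ((WELL_KNOWN_SIDS.get(sid) or DOMAIN_RIDS.get(sid.rsplit("-", 1)[-1], sid))
                     if sid else f"xid {qualifier} (unresolved)")
        else:
            continue  # owner (user::), owning group (group::) and mask::
        prev = report.get(label, "---")
        report[label] = "".join(a if a != "-" else b for a, b in zip(prev, perms))
    return report

def missing_for_gpo_processing(report: Dict[str, str]) -> List[str]:
    """Since MS16-072 (KB3163622) the computer account fetches every GPO, user
    policies included, so Authenticated Users or Domain Computers must be able
    to read and traverse the folder; SYSTEM is expected to as well."""
    readable = lambda p: p[0] == "r" and p[2] == "x"
    problems = []
    if not any(readable(report.get(n, "---")) for n in
               ("Everyone (other)", "Authenticated Users", "Domain Computers")):
        problems.append("Authenticated Users or Domain Computers (read+traverse)")
    if not readable(report.get("SYSTEM", "---")):
        problems.append("SYSTEM (read+traverse)")
    return problems
```

On a DC, feed it the real listing, e.g. `getfacl /var/lib/samba/sysvol/<realm>/Policies/<GUID>` (path assumed; use whatever `testparm -s` shows for the sysvol share) and call `audit()` on that text; `missing_for_gpo_processing()` on the result is empty when the folder looks like Louis's checklist (SYSTEM and Administrators full, Authenticated Users and Server Operators read) and otherwise names the principal that is missing. The union in `audit()` is deliberate: the kernel consults either the user: or the group: entry depending on which id the smbd process carries, and for an ID_TYPE_BOTH mapping both entries normally carry the same bits, so a difference between them is itself worth a look.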
On 02/07/2018 05:01 AM, L.P.H. van Belle via samba wrote:> Hai, > > Ok, for the sysvol. > I'll put all steps here again. > > I suggest start with this one. > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh > This checks and set the rights to be known to be right. ( aka works great for me ) ;-) >Thanks, but before I run that script (I need to analyse what it is doing before) I just one more question, why do you think these problems are ACL problems?, when I create a new GPO with default authenticated users filtering, liked at domain level, add user and computers configurations on the same GPO, and gpresult show the machine part is denied. It shouldn't be. I think fs ACL problems are not the problem here, we are talking about the same GPO. Can you help me with one little request, check "gpresult /v" on a Samba AD joined domain computer and tell me if in the section where it list the groups the machine is member of, do it show more entries than NULL SID NT AUTHORITY\NETWORK, This company, and something like "mandatory level of no trust" (Windows is not in english) do it show "Authenticated users" and "Domain Computers" for you?> Then follow these steps. > > - login as dom\administrator. > - start computer manager, connect to dc. > - klik Shared Folders, Shares, sysvol. > Option 1, this is the default. Everyone with Full control, Change and Read. > Option 2, Everyone: Read. > Verified users: Full, Change, Read. > SYSTEM Full, Change, Read. > DOMAIN\Adminstrators ( or DOMAIN\Domain Admins ) Full, change read. > > The result of both settings are ( share wize) the same. > Except in option2, you must be verified before you can write anywere. > > - Tab Security. > Verified users: Read+exec, Show folder content, Read. > SYSTEM: full ( everything on ) > DOMAIN\Adminstrators: ( or DOMAIN\Domain Admins ) full ( everything on > DOMAIN\Serer operators: Read+exec, Show folder content, Read. > Once this is set, klik advanced, klik change below. 
> Check, replace all underlying and replace.
>
> ! Note, always this order: first share security, then folder security.
> That helps prevent making errors or resetting rights.
>
> - Do the same for Netlogon. Same settings as sysvol, since it's a sub folder of sysvol.
>
>
> - These steps are imo only done once (! or if you get errors again due to a reset or change in Windows clients).
> Now first go to the Group Policy Objects (not the linked ones).
> Click on every GPO object there; if you get any message, press OK, then it's reset.
>
> Now, you need to check the GPO objects that are assigned/linked to OUs and/or groups.
>
> Just start at the top, and click every object.
> All my "normal" GPO objects only have Authenticated Users.
> My "special" GPO objects have different settings.
>
> For example, I've disabled all USB/Mobile/CD access on the PCs by GPOs,
> a user policy set in the Standard User. I've created 2 groups, per type.
> For example:
> USB-Read, if I look here you see only the USB-Allow-Read group. Now click the Delegation tab.
> That shows me:
> Authenticated Users: Read (by security filter)
> DOM\Domain Admins
> DOM\Enterprise Admins
> Server logon
> SYSTEM
>
> What you don't see is the underlying ACL; click Advanced.
> Here you see ... the "Reset to default" button.
> Reset it.
>
> Now remember here, after doing this, no samba-tool sysvolreset.
> If you do, repeat the above again. Everything!
>
> User GPOs: only a group with the user is fine, and it needs "apply GPO".
> A computer GPO needs Domain Computers with apply GPO AND the users group.
>
>
> I've set up all "problem" shares due to user NT Authority\SYSTEM problems.
> Google for it; you'll see lots of it in the samba list.
> My shares layout that used it (on multiple servers):
> DC: Sysvol and Netlogon
> Members: users and profiles
> Print server: print$ and printers
>
> So in short, all shares where the "computer$" may access as user SYSTEM or things like that.
>
> If you see errors on a computer in the event logs with:
> Computer$ can access .... bla bla .... on GPO.ini.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This is often a forgotten "DOM\Domain Computers" in the GPO object with read and/or write rights missing.
> People test this and the computer$ can access the GPO.ini without problems, so why the event log?
> Because of "SYSTEM" or another user that is having user/group/SID problems with Linux ACLs.
>
> I hope I explained well enough why I use and set ignore system acls.
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Robert Marcano via samba
>> Sent: Wednesday 7 February 2018 3:19
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] GPOs not Working!
>>
>> On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
>>> ok,
>>>
>>> do the following.
>>> set ignore systemacl to yes on sysvol and netlogon.
>>
>> Added "acl_xattr:ignore system acls = yes" to both shares,
>> restarted the server
>>
>>>
>>> login as dom\administrator
>>> computer manager, connect to dc.
>>> share sysvol, go to share security, reset to defaults.
>>> same for folder.
>>
>> I don't get the "Reset to defaults" option. There are two security
>> related tabs, "Permission of shared resources" (or something like that,
>> Windows is not in English) with only permissions for Everyone with Full
>> control, Change and Read.
>>
>> The other tab is the standard "Security" tab; those tabs don't show any
>> reset to default option.
>>
>>>
>>> go to gpo manager,
>>> click on every gpo object, if one has wrong acl, you get a
>> message to reset it, that's ok.
>>>
>>> now never samba-tool sysvolreset
>>> if you do, you might need to set share/file security again.
>>>
>>> Greetz
>>> Louis
>>>
>>> p.s. rowland, now you can change the default gpo's also.
>>>
>>>
>>>
>>>> On 6 Feb. 2018 at 20:14, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>>>
>>>> On Tue, 6 Feb 2018 15:03:16 -0400
>>>> Robert Marcano via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Thanks for the information, to use a default GPO was a
>> simple way to
>>>>> try to encourage someone to reproduce the problem.
>>>>>
>>>>> I already created new GPOs (this is a test domain) using
>> the default
>>>>> filter for a new GPO, "Authenticated users", creating a
>> new group for
>>>>> the test clients and using that as the filter, checking
>> it has the
>>>>> right permissions (apply), checking every guide about
>> applying GPOs to
>>>>> computers. Using OUs and using domain level GPOs.
>>>>>
>>>>> What I find weird is that gpresult doesn't list the computer as a
>>>>> member of groups I create, only a few predefined ones:
>>>>>
>>>>> NULL SID
>>>>> NT AUTHORITY\NETWORK,
>>>>> This company,
>>>>> and something like "mandatory level of no trust"
>> (Windows is not in
>>>>> English)
>>>>>
>>>>
>>>> Do not alter the two default GPOs, it doesn't work ;-)
>>>>
>>>> Creating new GPOs should work, just do not run sysvolreset after
>>>> creating them.
>>>>
>>>> Rowland
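As an added example (not code from the thread, from Louis's script, or from Samba), the following Python checks an smb.conf for the setting Robert added and Louis relies on: the acl_xattr VFS module with `acl_xattr:ignore system acls = yes` on both the sysvol and netlogon shares, so the NT ACL stored in xattrs is authoritative rather than the POSIX mode bits. The sample smb.conf text and its paths are constructed for this example.

```python
"""Added example (not from the thread or from Samba): check that the
sysvol and netlogon shares in an smb.conf use the acl_xattr VFS module
with 'acl_xattr:ignore system acls = yes'. The sample below is
constructed: sysvol carries the setting, netlogon does not."""
import configparser

SAMPLE_SMB_CONF = """\
[global]
    workgroup = DOM
    server role = active directory domain controller

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    vfs objects = dfs_samba4 acl_xattr
    acl_xattr:ignore system acls = yes

[netlogon]
    path = /var/lib/samba/sysvol/dom.example/scripts
    read only = No
"""

def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf into {share: {key: value}}. Only '=' splits key and
    value, since Samba keys such as 'acl_xattr:...' contain ':'."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      inline_comment_prefixes=("#", ";"))
    cp.optionxform = lambda k: " ".join(k.lower().split())  # normalise keys
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_gpo_shares(conf: dict, shares=("sysvol", "netlogon")) -> list:
    """Return one finding per problem; an empty list means every share
    stores its NT ACL via acl_xattr and ignores the POSIX mode bits."""
    findings = []
    for share in shares:
        sec = conf.get(share)
        if sec is None:
            findings.append(f"[{share}] share is not defined")
            continue
        if "acl_xattr" not in sec.get("vfs objects", "").split():
            findings.append(f"[{share}] 'vfs objects' lacks acl_xattr")
        flag = sec.get("acl_xattr:ignore system acls", "no").strip().lower()
        if flag not in ("yes", "true", "1"):
            findings.append(f"[{share}] 'acl_xattr:ignore system acls' "
                            f"is '{flag}', expected yes")
    return findings

if __name__ == "__main__":
    print("\n".join(check_gpo_shares(parse_smb_conf(SAMPLE_SMB_CONF)) or ["ok"]))
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `parse_smb_conf`; a clean result only covers the Samba side, the share and NTFS permissions Louis describes still have to be checked from the Windows tools.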