On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
>
> > OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.
>
> Ai, now... Nobody can write over the share, PCs will complain.
> Some GPO setting will stop working.

But, when I ran your samba-check-set-sysvol.sh script it told me to set EVERYONE: READ. See below:

> > $ ./samba-check-set-sysvol.sh
> > Review the file : default-rights-sysvol.acl, these contains
> > the defaults for sysvol.
> > The sysvol ACLS info.....
> >
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ <----------------------------------
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol,
> > you need this for some GPO
> > settings.
> >
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

Perhaps I'm confusing Folder permissions and Share permissions.

> Look here, and setup like that.
> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th

Problem: On that link, step 2 says "Check whether the Listobject permission is set for the Authenticated Users group and whether the Authenticated Users group is missing from the Delegation tab of the Group Policy Object." When I edit 'Authenticated Users', I don't have that "Default Domain Controllers Policy" dialog. Or if I do, that link doesn't tell me how to get there.

Let me list everything I've got:

sysvol FOLDER Permissions:

CREATOR OWNER
  special
  (Advanced) Subfolders and files only
    Full Control (everything is checked)
  (apply these permissions to objects and/or containers ... not checked)

CREATOR GROUP Subfolders and files only
  special
  (Advanced) Subfolders and files only
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Read extended attributes
    Read permissions
  (apply these permissions to objects and/or containers ... not checked)

Authenticated Users
  Read & Execute
  List folder contents
  Read
  (Advanced) This folder, Subfolders and files
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Read extended attributes
    Read permissions
  (apply these permissions to objects and/or containers ... not checked)

SYSTEM
  Full control
  (advanced) This folder, subfolders and files
    full control (everything is checked)
  (apply these permissions to objects and/or containers ... not checked)

Administrators (HPRS\Administrators)
  Full control
  (advanced) This folder, subfolders and files
    full control (everything is checked)
  (apply these permissions to objects and/or containers ... not checked)

sysvol SHARE Permissions:

EVERYONE: READ
Authenticated Users: FULL CONTROL
HPRS\Administrators: FULL CONTROL
SYSTEM, FULL CONTROL

Does this look correct? Is this what you have?

Nevertheless, when I try to log into a workstation as a domain user I still do not get that user's desktop. In the Windows event log (Windows Logs > System) I get an Event 1906 error, GroupPolicy:

Error Description: Access is denied.
GPOCName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol

This is driving me crazy!

--Mark
Given no responses on this question for a few days, I'm concluding that we're out of ideas on this problem. Let me propose a couple of ideas. Apparently, the basic Windows FOLDER and SHARE permissions are correct according to Louis' recommendations (see message below). One thing I've noticed that is a bit puzzling is the group ownership of these policy files:

-rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
-rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
-rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
-rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
-rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
-rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
-rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI

They are variously owned by groups "domusers" (10000), "users" (100), root (only the one shown), and "HPRS/domain admins" (3000008). The vast majority of these files belong to group 'users' including the specific files that are giving me the 'Access denied' Windows event. 'users' is one of the ubiquitous default groups created when Linux is installed. I believe it's also the default group when 'adduser' is run to add a user. Almost all of these files belonging to group 'users' have rwxrwx--- permissions (no extended attributes).

Could this be a problem? Should these files belong to some other group? The users themselves belong to 'domusers' (10000) which is the group assigned to all domain users. Perhaps higher level extended attributes are supposed to handle access, but I don't see how a user belonging to group 'domusers' can read any of these files belonging to group 'users' (except possibly that first one listed having o+rx and extended attributes). Should I change all these group 'users' to group 'domusers'?

Thought 2: If I shouldn't do that, or that doesn't help, should I try setting 'acl_xattr:ignore system acls = yes'?

--Mark
On Tue, 19 Jun 2018 12:52:46 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> Given no responses on this question for a few days, I'm concluding
> that we're out of ideas on this problem. Let me propose a couple of
> ideas. Apparently, the basic Windows FOLDER and SHARE permissions
> are correct according to Louis' recommendations (see message below).
> One thing I've noticed that is a bit puzzling is the group ownership
> of these policy files:
>
> -rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> -rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
> -rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
> -rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> -rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
> -rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> -rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
>
> They are variously owned by groups "domusers" (10000),

Where did 'domusers' come from? By default all users are members of 'Domain Users' and this is the group you should have given '10000' to.

root at dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000::/home/rowland:/bin/bash
root at dc4:~# getent group 10000
SAMDOM\domain users:x:10000:

> "users" (100),

This is from idmap.ldb where 'Domain Users' is mapped to the Unix group 'users' (ID 100) if 'Domain Users' isn't given a gidNumber.

> root (only the one shown), and "HPRS/domain admins" (3000008). The
> vast majority of these files belong to group 'users' including the
> specific files that are giving me the 'Access denied' Windows event.

Hmm, I wonder if this is because Windows does not know who the Unix group 'users' is?

> 'users' is one of the ubiquitous default groups created when Linux is
> installed.

As I said above, 'users' is a Unix group.

> I believe it's also the default group when 'adduser' is
> run to add a user.

No, the default is to create a usergroup with the same name as the user.

> Almost all of these files belonging to group
> 'users' have rwxrwx--- permissions (no extended attributes).

The group 'users' has no meaning to Windows, it is a Unix group that appears only on a Samba AD DC, it is better to use 'Domain Users' instead, especially in Sysvol.

> Could this be a problem? Should these files belong to some other
> group? The users themselves belong to 'domusers' (10000) which is the
> group assigned to all domain users.

Again I ask why? There is no need to create such a group in Samba AD, just give 'Domain Users' a gidNumber and use this instead.

> Perhaps higher level extended
> attributes are supposed to handle access, but I don't see how a user
> belonging to group 'domusers' can read any of these files belonging
> to group 'users' (except possibly that first one listed having o+rx
> and extended attributes). Should I change all these group 'users' to
> group 'domusers'?

No, you should change 'users' and 'domusers' to 'Domain Users' ;-)

> Thought 2: If I shouldn't do that, or that doesn't help should I try
> setting 'acl_xattr:ignore system acls = yes'?

Only if you have no Unix clients.
Rowland
Hai Mark,

Sorry for the late reply, I'm preparing for my holiday and I've lots of work to finish, or I get called in my holiday..

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Mark
> Foley via samba
> Sent: Monday 18 June 2018 18:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fixing sysvol permissions
>
> On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
> >
> > > OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.
> >
> > Ai, now... Nobody can write over the share, PCs will complain.
> > Some GPO setting will stop working.
>
> But, when I ran your samba-check-set-sysvol.sh script it told me to set EVERYONE: READ. See below:
>
> > > $ ./samba-check-set-sysvol.sh
> > > Review the file : default-rights-sysvol.acl, these contains
> > > the defaults for sysvol.
> > > The sysvol ACLS info.....
> > >
> > > Please check your share rights for sysvol from within windows.
> > > If these are incorrect, correct them and run this script again.
> > > Set your sysvol SHARE permissions as followed.
> > > EVERYONE: READ <----------------------------------
> > > Authenticated Users: FULL CONTROL
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > > User/Group system is added compaired to a win2008R2 sysvol,
> > > you need this for some GPO
> > > settings.
> > >
> > > Set your sysvol FOLDER permissions as followed.
> > > Authenticated Users: Read & Exec, Show folder content, Read
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> Perhaps I'm confusing Folder permissions and Share permissions.

No, I answered wrong here. What's posted is correct. Set the "SHARE" permissions as above tells you.

> > Look here, and setup like that.
> > https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
>
> Problem: On that link, step 2 "Check whether the Listobject permission is set for the
> Authenticated Users group and whether the Authenticated Users group is missing from the
> Delegation tab of the Group Policy Object." When I edit 'Authenticated Users', I don't have
> that "Default Domain Controllers Policy" dialog. Or if I do, that link doesn't tell me how to
> get there.
>
> Let me list everything I've got:
>
> sysvol FOLDER Permissions:
>
> CREATOR OWNER
>   special
>   (Advanced) Subfolders and files only
>     Full Control (everything is checked)
>   (apply these permissions to objects and/or containers ... not checked)
>
> CREATOR GROUP Subfolders and files only
>   special
>   (Advanced) Subfolders and files only
>     Traverse folder / execute file
>     List folder / read data
>     Read attributes
>     Read extended attributes
>     Read permissions
>   (apply these permissions to objects and/or containers ... not checked)
>
> Authenticated Users
>   Read & Execute
>   List folder contents
>   Read
>   (Advanced) This folder, Subfolders and files
>     Traverse folder / execute file
>     List folder / read data
>     Read attributes
>     Read extended attributes
>     Read permissions
>   (apply these permissions to objects and/or containers ... not checked)
>
> SYSTEM
>   Full control
>   (advanced) This folder, subfolders and files
>     full control (everything is checked)
>   (apply these permissions to objects and/or containers ... not checked)
>
> Administrators (HPRS\Administrators)
>   Full control
>   (advanced) This folder, subfolders and files
>     full control (everything is checked)
>   (apply these permissions to objects and/or containers ... not checked)
>
> sysvol SHARE Permissions:
>
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> HPRS\Administrators: FULL CONTROL
> SYSTEM, FULL CONTROL
>
> Does this look correct? Is this what you have?

Yes, that's exactly what I also have.

But ... Did you reapply all settings to all the subfolders after you applied them? And what might be wrong is that you might be trying to apply a user setting to a computer, or a computer setting to a user. The difference is which user is trying to access the file of the group policy.

A) computer = user SYSTEM that impersonates user COMPUTERNAME$
B) user = user You_Windows_User

> Nevertheless, when I try to log into a workstation as a domain user I still do not get that
> user's desktop. In the Windows eventlog Windows Logs > System, I get Event 1906 error,
> GroupPolicy:
>
> Error Description: Access is denied.
> GPOCName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
> FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol
>
> This is driving me crazy!

Yep, know that, been there.

> --Mark

Greetz,

Louis
On Wed, 20 Jun 2018 11:52:34 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Mark,
>
> Sorry for the late reply, I'm preparing for my holiday and I've lots
> of work to finish, or I get called in my holiday..

Hi Louis, have a good holiday, but don't forget the three golden rules:

Don't tell them where you are going.
Turn your Phone off.
Don't look at emails.

That way, you cannot get called in ;-)

Rowland
As said, very busy, but I can spare a few minutes now.

-rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
-rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
-rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
-rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
-rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
-rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
-rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI

Now this is .. not correct... There is only one I think is correct, based on what you show:

-rwxrwx---+ 1 3000008 HPRS\domain admins

but for that you need to show the getfacl output.

Ok, do the following.

1) Reset the sysvol rights with my script and reapply to all folders recursively. Start here: /var/lib/samba/sysvol

Now, add to your sysvol:

acl_xattr:ignore system acls = yes

Restart samba.

Go to the share rights and check/reapply them.
Go to the folder rights and reapply them recursively.
Go to your GPO tools, and click on every GPO, one by one; you might see a warning about incorrect rights, that is correct. Let Windows do this, that's OK.
Review the linked policies and if needed correct GPOs if you use groups to apply specific settings.

Whenever you change settings in the sysvol share, you might need to repeat the above steps.

This will fix it; if not, then there is another problem I have not seen yet. But the current rights layout from above is not OK, and use getfacl or setfacl, NOT chmod/chown. Using chmod/chown in sysvol after setting ignore system acls = yes might open a problem again; then repeat the above steps again.

Greetz,

Louis
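Rowland's point that Unix-only groups such as 'users' and 'domusers' mean nothing to Windows, and Louis's advice to verify sysvol with getfacl instead of guessing from chmod/chown output, can be turned into a quick audit before and after running the reset steps. The script below is an added example, not part of the thread or of Louis's samba-check-set-sysvol.sh; it assumes a listing in the tab-separated form that `find /var/lib/samba/sysvol -printf '%M\t%g\t%p\n'` produces, takes the NetBIOS domain name HPRS from the thread as an assumption, and embeds the seven entries Mark posted as constructed sample input.

```shell
#!/bin/sh
# Added example: audit sysvol group ownership as seen from the Unix side.
# Input lines are "mode<TAB>group<TAB>path", i.e. the output of
#   find /var/lib/samba/sysvol -printf '%M\t%g\t%p\n'
# Tabs keep group names with spaces ("HPRS\domain admins") intact.
# DOMAIN is an assumption taken from the thread (NetBIOS name HPRS).
DOMAIN="HPRS"
TAB="$(printf '\t')"

# Emit one finding per line as REASON<TAB>PATH. Findings:
#   UNIX_ONLY_GROUP(<name>)  group is not an AD group Windows can resolve
#                            (fix by giving 'Domain Users' a gidNumber and
#                            re-running the sysvol reset, not chmod/chown)
#   NO_EXTENDED_ACL          no '+' marker, so no NT ACL is stored in xattrs
#                            and clients only ever see the rwx bits
audit_sysvol_groups() {
    printf '%s\n' "$1" | while IFS="$TAB" read -r mode group path; do
        [ -z "$path" ] && continue
        case "$group" in
            "$DOMAIN\\domain users"|"$DOMAIN\\domain admins") ;;
            *) printf 'UNIX_ONLY_GROUP(%s)\t%s\n' "$group" "$path" ;;
        esac
        case "$mode" in
            *+) ;;
            *) printf 'NO_EXTENDED_ACL\t%s\n' "$path" ;;
        esac
    done
}

# Succeeds (exit 0) only when the listing produced no findings, so it can
# gate a post-change check after the reset script and GPMC reapply steps.
sysvol_is_clean() {
    [ "$(audit_sysvol_groups "$1" | grep -c '')" -eq 0 ]
}

# Constructed sample: the seven entries from Mark's listing, re-encoded in
# the tab-separated format above.
P=/var/lib/samba/sysvol/hprs.local/policies
SAMPLE="$(printf '%s\t%s\t%s\n' \
  '-rwxrwxr-x+' 'domusers'           "$P/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini" \
  '-rwxrwx---+' 'users'              "$P/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI" \
  '-rwxrwx---'  'users'              "$P/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI" \
  '-rwxrwxrwx'  'root'               "$P/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat" \
  '-rwxrwx---'  'users'              "$P/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini" \
  '-rwxrwx---'  'domusers'           "$P/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf" \
  '-rwxrwx---+' 'HPRS\domain admins' "$P/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI")"

# Only the last entry (Domain Admins, with an extended ACL) produces no
# finding, which matches Louis's reading of the listing.
audit_sysvol_groups "$SAMPLE"
```

On a live DC, pipe the find command from the header into `audit_sysvol_groups` (or pass its output as the argument) and follow up on each flagged path with getfacl.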
Hai Rowland,

Thank you, ah, yes, I've prepared myself. ;-)

Only my direct colleague is allowed to call or app.. We have a good policy about that, and they better call me if something happens, since my fix time is lots quicker and then I don't have to clean up the mess after when I'm back. That happened once, but not again, and they don't call often; that's why I'm quiet on the list, preparing all servers with my "holiday" settings.

I'm "off-list" between 27-06 and 04-07, then I'm checking out Portugal. I'll watch the list as of Friday 22 June until 11 July; replies? .... That depends if I didn't forget my glasses and I'm not doing anything ....

Greetz,

Louis