(I am not getting emails from the samba list (I do not know why), this is a copy
from the web archive, sorry :-( )

On Fri, 22 Jun 2018 16:07:39 +0200
Michal via samba <samba@lists.samba.org> wrote:

>> Samba 4.8.2 as AD controller, installed from scratch (no upgrade).
>>
>> I am getting "access denied" for GPO objects and netlogon or sysvol
>> shares both on Win7 and W10 clients.
>>
>> [root@ad1 etc]# ll /usr/local/samba.ad/var/locks/
>> total 1384
>> -rw------- 1 root root 421888 May 17 08:30 account_policy.tdb
>> -rw------- 1 root root 528384 May 17 08:30 registry.tdb
>> -rw------- 1 root root 421888 May 17 08:29 share_info.tdb
>> drwxrwx---+ 6 root 544 4096 Jun 1 16:38 sysvol
>> -rw------- 1 root root 32768 Jun 22 15:40 winbindd_cache.tdb
>> drwxr-x--- 2 root root 4096 Jun 22 15:40 winbindd_privileged
>>
>> [root@ad1 etc]# ll /usr/local/samba.ad/var/locks/sysvol/
>> total 32
>> drwxrwx---+ 3 root 544 4096 May 17 08:21 ad.nemuh.cz
>> drwxrwx---+ 4 root 544 4096 Jun 1 16:22 nemuh.cz
>> drwxrwx---+ 4 root 544 4096 May 17 08:27 nspuh.cz
>> drwxrwx---+ 4 root 544 4096 Jun 1 16:33 uhn.cz
>
> Two questions, why do you have 4 directories under sysvol, when all
> that should be there (according to your smb.conf) is 'nemuh.cz'

I suppose these other directories were created during my first attempts to
install Samba AD some time ago. I ran (repeatedly) samba-tool with some
install parameters, then deleted smb.conf and ran samba-tool again (I had no
knowledge of the existence of the var/locks/ structures before).

> The second question is, where did '544' come from ?

No idea, sorry.

> How did you install and provision Samba, did you follow the Samba wiki
> or some other web page ?

The server is CentOS and I did not find an AD-ready CentOS samba package. So I
compiled samba from sources and installed it myself (configure --prefix
/usr/local/samba.ad ..., make, make install). Then I ran samba-tool
(repeatedly, this is my 1st samba AD installation) in "interactive" mode.
I've read a lot of web pages, I can not say exactly what the last used
"install" parameters for samba-tool were.

>> [global]
>> netbios name = AD1
>> realm = NEMUH.CZ
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, k
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, k
>> workgroup = UHN
>> idmap_ldb:use rfc2307 = yes
>
> Why are there two 'server services' lines ?

No idea. No edit "by hand" of this file, as far as I remember.

> And why do they both end with a 'k' ?

My fault, clipped long lines - they end with "... ntp_signd, kcc, dnsupdate"

> I also take it you are running Bind9 as the dns server, is this running
> on the DC and is it set up correctly ?

Yes, bind as DNS, yes, running on the DC. Installed just for this samba
instance. I have been using bind on my other servers for years and I was
hoping to have better control over DNS (no luck; I love bind9 text zone
files, but samba AD DNS is a f..ing blackbox, as black as Samba's internal
ldap server. Very annoying for me after years with openldap, used for Samba
v3).

Thanks, Michal
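The two structural findings raised in the quoted reply (leftover directories under sysvol from earlier provisioning attempts, and a parameter set twice in [global]) can be checked mechanically before a DC goes into service. The script below is an added example, not code from this thread or from the Samba project: it parses smb.conf-style text, reports duplicated parameters per section, and compares the directories found under sysvol with the realm the config names. The smb.conf text and directory names are constructed from the values quoted above (the two "server services" lines are written out as the poster says they read before being clipped), and all function names are assumptions.

```python
"""Sanity checks for a Samba AD DC's smb.conf and sysvol tree (added example)."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order.

    Keys are normalised the way Samba treats them: case-insensitive and
    whitespace-insensitive ("Server  Services" == "server services").
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key = re.sub(r"\s+", " ", m.group("key")).strip().lower()
            sections[current].append((key, m.group("value")))
    return dict(sections)


def duplicate_parameters(sections):
    """Return {section: {key: [values]}} for every key set more than once.

    Samba keeps the last value without complaint, so a duplicated line is
    usually a sign of a file assembled from several provisioning runs.
    """
    dups = {}
    for section, params in sections.items():
        seen = defaultdict(list)
        for key, value in params:
            seen[key].append(value)
        found = {k: v for k, v in seen.items() if len(v) > 1}
        if found:
            dups[section] = found
    return dups


def stray_sysvol_dirs(sections, sysvol_entries):
    """Return sysvol subdirectories whose name is not the configured realm.

    A freshly provisioned DC has exactly one domain directory under sysvol,
    named after the realm in lower case; anything else is left over from an
    earlier provision and should be reviewed before clients read GPOs.
    """
    realm = dict(sections.get("global", [])).get("realm", "").lower()
    if not realm:
        raise ValueError("no realm set in [global]")
    return sorted(d for d in sysvol_entries if d.lower() != realm)


# Constructed from the smb.conf fragment quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    netbios name = AD1
    realm = NEMUH.CZ
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = UHN
    idmap_ldb:use rfc2307 = yes
"""

# Constructed from the "ll .../sysvol/" listing quoted in the thread.
SAMPLE_SYSVOL_DIRS = ["ad.nemuh.cz", "nemuh.cz", "nspuh.cz", "uhn.cz"]


def run_checks(conf_text=SAMPLE_SMB_CONF, sysvol_dirs=SAMPLE_SYSVOL_DIRS):
    """Run both checks and return their findings as one dict."""
    sections = parse_smb_conf(conf_text)
    return {
        "duplicates": duplicate_parameters(sections),
        "stray_sysvol_dirs": stray_sysvol_dirs(sections, sysvol_dirs),
    }


if __name__ == "__main__":
    report = run_checks()
    for section, keys in report["duplicates"].items():
        for key, values in keys.items():
            print(f"[{section}] '{key}' is set {len(values)} times")
    for d in report["stray_sysvol_dirs"]:
        print(f"sysvol: directory '{d}' does not match the configured realm")
```

On the DC itself, the project's own `samba-tool ntacl sysvolcheck` verifies the ACLs on the sysvol tree; the script above only covers the two structural points from the thread and says nothing about who owns the directories.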