On Wed, 20 Jun 2018 12:05:13 +0200 L.P.H. van Belle wrote:
>
> As said very busy, but i can spare a few minutes now.
>
> -rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> -rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
> -rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
> -rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> -rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
> -rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> -rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
>
>
> Now this is .. Not correct...
>
> There is only one I think is correct, based on what you show:
> -rwxrwx---+ 1 3000008 HPRS\domain admins, but for that you need to show the getfacl output.
>
> Ok, do the following.
> 1) reset the sysvol rights with my script and reapply to all folders recursive.
> start here: /var/lib/samba/sysvol
A bit unclear on this. You say to "reset the sysvol rights with my script." I assume that to actually do the update you have to set APPLY_CHANGES_DIRECT="yes" in your script. I did that. I also changed to directory /var/lib/samba/sysvol and ran the script from that working directory. I assume that's what you meant. Did this reset the sysvol rights? I don't know what you mean by "reapply to all folders recursive." Does your script do that or do I have to do something additionally myself?
Here is the current facl list for sysvol:
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---
There is one directory under sysvol: hprs.local. Here is the facl list for that directory:
# file: hprs.local
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---
> Now, add to you sysvol : acl_xattr:ignore system acls = yes
> restart samba.
Per Rowland's caution, I'm saving this for last if all else fails.
> Goto the share rights and check/reapply them.
Did that. Although I did that BEFORE running your samba-check-set-sysvol.sh script. Was that bad?
> Goto Folder rights and reapply them Recursively
Did that. Again, I did that BEFORE running your samba-check-set-sysvol.sh script. Was that bad?
> Go to your GPO tools, and click on every GPO one, you might see a warning about incorrect rights, that is correct.
>
> Let windows this is, that ok.
I did that. Every GPO said the permissions were inconsistent. I clicked OK on every one to update.
> Review the linked policies and if needed correct GPO's if you use groups to apply specific settings.
I reviewed linked policies, but if there was something for me to do it wasn't obvious. There was a message saying these policies were linked elsewhere, but nothing for me to do.
> Whenever you change settings in the sysvol share, you might need to repeat the above steps.
> This will fix it, if not, then there is another problem I have not seen yet.
>
> but the current rights layout from above is not ok and use getfacl or setfacl NOT chmod/chown.
> using chmod/chown in sysvol, after setting ignore system acls = yes might open a problem again,
> then repeat above steps again.
Well, per my previous message in this thread, I did change group ownership from 100 (users) to 10000 (Domain Users) for all files and directories under sysvol that had group 'users'. But I did apply all of your above steps again after that.

OK, I'm going to restart samba, reboot one of the workstations and see what happens ...

... OMG! It worked!!!!!!!!! Louis, you're a genius!!!! This has been a problem for months and months. Not only did the redirected folders work, I went to the Windows event log and the only event for Group Policy says, "The Group Policy settings for the user were processed successfully". Yeah! I'm going to put all these instructions into my documentation for future reference. I think the main trick was reviewing each GPO and making the permissions consistent.

If you want to go ahead and comment on any of the steps I may have done incorrectly or out of order, please feel free. Meanwhile, enjoy your vacation (holiday!).

THX --Mark
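The thread above works through the sysvol ACLs by reading getfacl output by eye. As an added example (not code from the thread, and not Louis's samba-check-set-sysvol.sh script), here is a small Python audit that parses getfacl's text format, including the \134 and \040 octal escapes for backslashes and spaces in principal names that the listing above shows, and flags entries that grant more than the expected sysvol layout: any access for "other", and any write bit for principals that should only read. The read-only principal set and the second, deliberately wrong sample block (a world-writable startup script under a placeholder policy GUID, mirroring the -rwxrwxrwx addadmins.bat in the ls output) are assumptions constructed for the example.

```python
"""Audit getfacl(1) output from a Samba sysvol tree against a small policy.

Added example, not from the original mailing-list thread. It parses the text
format that getfacl prints (backslashes and spaces in names are escaped as
octal \\134 and \\040) and reports entries that are wider than expected.
"""
import re

# Principals that should never hold write on sysvol. Assumption: follows the
# layout implied in the thread, where Authenticated Users and Server Operators
# read and the unmapped local group "users" was called out as wrong.
READ_ONLY_PRINCIPALS = {
    "nt authority\\authenticated users",
    "builtin\\server operators",
    "users",
}

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(name: str) -> str:
    """Undo getfacl's octal escaping: \\134 -> backslash, \\040 -> space."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> list[dict]:
    """Split (possibly multi-file) getfacl output into one dict per file."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            cur = {"file": unescape(line.split(":", 1)[1].strip()), "acl": []}
            entries.append(cur)
        elif line.startswith("#"):
            # "# owner: ...", "# group: ...", "# flags: ..." header lines
            key, value = line[1:].split(":", 1)
            cur[key.strip()] = unescape(value.strip())
        elif cur is not None:
            # ACL line: [default:]tag:qualifier:perms
            default = line.startswith("default:")
            body = line[len("default:"):] if default else line
            tag, qualifier, perms = body.split(":", 2)
            cur["acl"].append({"default": default, "tag": tag,
                               "qualifier": unescape(qualifier), "perms": perms})
    return entries


def audit_entry(entry: dict) -> list[str]:
    """Return human-readable findings for one file's ACL (empty list = clean)."""
    findings = []
    for a in entry["acl"]:
        scope = "default " if a["default"] else ""
        if a["tag"] == "other" and a["perms"] != "---":
            findings.append(f"{entry['file']}: {scope}other has {a['perms']}")
        if a["tag"] in ("user", "group") and "w" in a["perms"] \
                and a["qualifier"].lower() in READ_ONLY_PRINCIPALS:
            findings.append(
                f"{entry['file']}: {scope}{a['tag']} {a['qualifier']} has write")
    return findings


def audit_text(text: str) -> list[str]:
    """Audit every file block in a getfacl dump."""
    return [f for e in parse_getfacl(text) for f in audit_entry(e)]


# Constructed sample input: the first block is a trimmed copy of the sysvol
# ACL from the thread (clean); the second is a made-up block with the
# world-writable startup script and the local "users" group holding write.
SAMPLE = r"""
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:other::---

# file: hprs.local/policies/{PLACEHOLDER-GUID}/Machine/Scripts/Startup/addadmins.bat
# owner: root
# group: root
user::rwx
group::rwx
group:users:rwx
other::rwx
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it against a real tree with `getfacl -R /var/lib/samba/sysvol` piped into a file and passed to `audit_text`; the policy set is deliberately small so that it can be extended with whatever your own sysvol layout expects.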