Dear all,
after migrating from Samba 4.6.15 to 4.8.3 (two fresh DCs) I see that
computers are no longer applying GPOs while it still works for Users.
GPResult states that GPOs are not applied due to missing access rights.
My smb.conf:
# Global parameters
[global]
netbios name = DC
realm = MY.DOMAIN.TLD
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MYDOMAIN
binddns dir = /var/lib/samba/bind-dns
smb ports = 445
host msdfs = yes
vfs object = dfs_samba4, acl_xattr
tls enabled = yes
tls keyfile = tls/dc.key
tls certfile = tls/dc2018.crt
tls cafile = tls/ca.crt
ntlm auth = yes
winbind use default domain = yes
kerberos method = secrets and keytab
template shell = /bin/bash
template homedir = /home/%U
#log level = 1 smbd:5
[netlogon]
path = /var/lib/samba/sysvol/my.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
[dfs]
path = /export/dfsroot
msdfs root = yes
read only = no
getfacl for one of the GPO folders in question shows this:
# file: var/lib/samba/sysvol/my.domain.tld/Policies/{EE5E503C-4CB9-4B95-ABD5-705EFE4E088A}/
# owner: 3000007
# group: MYDOMAIN\134domain\040admins
user::rwx
user:root:rwx
user:3000000:r-x
user:3000001:rwx
user:3000002:rwx
user:3000030:r-x
group::rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:r-x
default:user:3000001:rwx
default:user:3000002:rwx
default:user:3000030:r-x
default:group::---
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:BUILTIN\134administrators:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---
Any suggestion how to fix this? Thanks a lot!
Best regards
Johannes
On Sat, 28 Jul 2018 16:32:30 +0200 Johannes Engel via samba <samba at lists.samba.org> wrote:

> Dear all,
>
> after migrating from Samba 4.6.15 to 4.8.3 (two fresh DCs) I see that
> computers are no longer applying GPOs while it still works for Users.
> GPResult states that GPOs are not applied due to missing access
> rights. My smb.conf:
> # Global parameters
> [global]

> host msdfs = yes
> vfs object = dfs_samba4, acl_xattr
> winbind use default domain = yes

You should remove the above lines from your smb.conf, the first is a default setting, you do not need to set the second and the third does nothing.

What distro is this, or to be more precise, are you using MIT ? If so, there is a bug for this:

https://bugzilla.samba.org/show_bug.cgi?id=13516

The present cure seems to be, don't use MIT ;-)

Rowland
On Saturday, 28 July 2018, 17:05:35 CEST, Rowland Penny via samba wrote:

> On Sat, 28 Jul 2018 16:32:30 +0200
> > # Global parameters
> > [global]
> >
> > host msdfs = yes
> > vfs object = dfs_samba4, acl_xattr
> > winbind use default domain = yes
>
> You should remove the above lines from your smb.conf, the first is a
> default setting, you do not need to set the second and the third does
> nothing.

Thanks for the hint, will do.

> What distro is this, or to be more precise, are you using MIT ?
> If so, there is a bug for this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13516
>
> The present cure seems to be, don't use MIT ;-)

Indeed, I am using openSUSE Leap 15.0 with a Samba built against MIT Kerberos. I guess I will wait for Andreas then. ;)

Thanks a lot for your help, you are always a most reliable source of helpful information! :)

Best regards
Johannes