In principle, no changes were made that could have caused this problem.

Our infrastructure has two AD DCs, dc3 and dc4.

root@dc3:/etc/samba# samba -V
Version 4.7.7-Debian (van-blle apt)

Result of gpupdate /force on a joined client computer:

C:\>gpupdate /force
> Updating Policy...
> User policy could not be updated successfully. The following errors were
> encountered:
> The processing of Group Policy failed. Windows could not determine if the
> user and computer accounts are in the same forest. Ensure the user domain
> name matches the name of a trusted domain that resides in the same forest
> as the computer account.
> Computer Policy update has completed successfully.
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.

root@dc3:/etc/samba/scripts# cat /etc/hosts
127.0.0.1       localhost
200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
200.xxx.xxx.151 puppet.sertao.ifrs.edu.br puppet

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@dc3:/etc/samba/scripts# cat /etc/resolv.conf
domain campus.sertao.ifrs.edu.br
search campus.sertao.ifrs.edu.br
nameserver 200.xxx.xxx.160

smb.conf:
# Global parameters
[global]
        netbios name = DC3
        realm = CAMPUS.SERTAO.IFRS.EDU.BR
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CAMPUS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        #log file = /var/log/samba/log.%m
        #log level = 10
        ntlm auth = yes
        #ntlm auth = mschapv2-and-ntlmv2-only

[netlogon]
        path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

krb5.conf:
[libdefaults]
        default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
        dns_lookup_realm = false
        dns_lookup_kdc = true

root@dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
-rw-r--r-- 1 root bind 106 nov 16  2017 /etc/krb5.conf

sysvol permissions:
root@dc3:/var/lib/samba# ls -lah
total 1,4M
drwxr-xr-x   8 root root          4,0K jul 30 10:03 .
drwxr-xr-x  32 root root          4,0K jul  3 09:27 ..
-rw-------   1 root root          412K nov  8  2017 account_policy.tdb
-rw-------   1 root root           696 nov  8  2017 group_mapping.tdb
drwxr-x---   2 root ntp           4,0K jul 30 10:03 ntp_signd
drwxr-xr-x  10 root root          4,0K nov  8  2017 printers
drwxr-xr-x   8 root root          4,0K jul 30 10:12 private
-rw-------   1 root root          516K nov 23  2017 registry.tdb
-rw-------   1 root root          412K jul 30 09:29 share_info.tdb
drwxrwx---+  3 root 3000000       4,0K jul 30 09:37 sysvol
drwxrwx--T   2 root sambashare    4,0K nov  8  2017 usershares
-rw-------   1 root root           32K jul 30 10:11 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged

samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe that is normal):
root@dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

samba-tool ntacl sysvolreset: OK

samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes: OK

samba_dnsupdate --verbose --all-names: OK

Louis's sysvol check script (samba-check-set-sysvol.sh) returns this output:

root@dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh

The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

https://wiki.samba.org/index.php/Sysvolreset

I also checked the link above and made the suggested changes, but even then the initial gpupdate error still occurs.

Any idea?

-- 
Elias Pereira
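The two SDDL strings in the sysvolcheck error above are long and differ in one place only: the owner is LA (the local Administrator account) on disk, while the GPO object expects DA (Domain Admins). The script below is an added example, not part of this thread or of samba-tool: it parses the `samba-tool ntacl sysvolcheck` mismatch message, splits both SDDL strings into owner, group, DACL flags and ACEs, reports exactly what differs, and additionally warns if any allow-ACE on disk grants write, delete or owner rights to a broad group such as Authenticated Users, which would let ordinary domain members tamper with policy files. The sample output is constructed from the error quoted above (mail wrap removed, traceback trimmed); the alias table covers only the SDDL aliases that appear in sysvol ACLs.

```python
import re
import sys

# Well-known SDDL aliases seen in sysvol ACLs (subset of the Windows list).
SID_ALIASES = {"LA": "Local Administrator account", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
               "WD": "Everyone", "BU": "Builtin Users", "DU": "Domain Users"}
# winnt.h bits that let a principal alter a file or its security descriptor:
# FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES,
# DELETE, WRITE_DAC, WRITE_OWNER.
FILE_WRITE_MASK = 0x0002 | 0x0004 | 0x0010 | 0x0100 | 0x00010000 | 0x00040000 | 0x00080000
# Groups most domain members are in; write rights for them on a GPO
# directory mean an ordinary user could tamper with policy files.
BROAD_PRINCIPALS = {"AU", "ED", "WD", "BU", "DU"}

SDDL_RE = re.compile(r"^O:(\S+?)G:(\S+?)D:([A-Z]*?)((?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")
CHECK_RE = re.compile(r"ACL on GPO directory\s+(?P<path>\S+)\s+(?P<actual>O:\S+)\s+"
                      r"does not match expected value\s+(?P<expected>O:\S+)\s+from GPO object")


def parse_sddl(sddl):
    """Split 'O:..G:..D:<flags>(ace)(ace)..' into owner, group, DACL flags, ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an owner/group/DACL SDDL string: %r" % sddl)
    owner, group, flags, ace_blob = m.groups()
    aces = []
    for body in ACE_RE.findall(ace_blob):
        parts = body.split(";")          # type;flags;rights;object;inherit_object;trustee
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        rights = parts[2].lower()
        aces.append({"type": parts[0], "flags": parts[1], "rights": rights,
                     "mask": int(rights, 16) if rights.startswith("0x") else None,
                     "trustee": parts[5]})
    return {"owner": owner, "group": group, "flags": flags, "aces": aces}


def describe(trustee):
    return SID_ALIASES.get(trustee, trustee)


def ace_key(ace):
    return (ace["type"], ace["flags"], ace["rights"], ace["trustee"])


def diff_sddl(actual, expected):
    """What differs between the ACL on disk and the one the GPO object expects."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    findings = []
    for field in ("owner", "group", "flags"):
        if a[field] != e[field]:
            findings.append("%s: %s (%s) on disk, but the GPO object expects %s (%s)" % (
                field, a[field], describe(a[field]), e[field], describe(e[field])))
    on_disk, wanted = {ace_key(x) for x in a["aces"]}, {ace_key(x) for x in e["aces"]}
    findings += ["unexpected ACE on disk: %s" % (k,) for k in sorted(on_disk - wanted)]
    findings += ["ACE missing on disk: %s" % (k,) for k in sorted(wanted - on_disk)]
    return findings


def overly_permissive(sddl):
    """Allow-ACEs that grant write/delete/owner bits to a broad group."""
    return [(a["trustee"], describe(a["trustee"]), a["rights"])
            for a in parse_sddl(sddl)["aces"]
            if a["type"] == "A" and a["mask"] is not None
            and a["trustee"] in BROAD_PRINCIPALS and a["mask"] & FILE_WRITE_MASK]


def parse_sysvolcheck(output):
    m = CHECK_RE.search(output)
    if not m:
        raise ValueError("no 'does not match expected value' message in the output")
    return m.group("path"), m.group("actual"), m.group("expected")


def report(output):
    path, actual, expected = parse_sysvolcheck(output)
    lines = ["GPO directory: %s" % path]
    lines += diff_sddl(actual, expected) or ["on-disk ACL matches the GPO object"]
    lines += ["WARNING: %s (%s) has write access %s on disk" % hit
              for hit in overly_permissive(actual)]
    return lines


# Constructed sample: the sysvolcheck output quoted in this thread, with the
# mail wrap inside the path removed and the traceback trimmed.
_ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
         "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
         "(A;OICI;0x001200a9;;;ED)")
SAMPLE = ("ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - "
          "ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/"
          "campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}\n"
          "O:LAG:DAD:P" + _ACES + "\ndoes not match expected value\n"
          "O:DAG:DAD:P" + _ACES + "\nfrom GPO object\n"
          '  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run\n')

if __name__ == "__main__":   # samba-tool ntacl sysvolcheck 2>&1 | python3 sddl_diff.py
    print("\n".join(report(SAMPLE if sys.stdin.isatty() else sys.stdin.read())))
```

Run without input it reports on the constructed sample; pipe the real `samba-tool ntacl sysvolcheck 2>&1` into it on the DC to get the same breakdown for your own GPO directories. Note that sysvolcheck stops at the first mismatching directory, so after fixing one run it again.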
I had set up a trust relationship between our domain and another domain configured on our network, and at first sight it seems that this is what caused the GPO problem. I removed the trust and it all worked again.

In the internal tests that I had done, everything worked normally. Of course, this is different when we put it into production. :)

I know the trust is not 100%, but would you have any way to analyze these issues and troubleshoot them?

On Mon, Jul 30, 2018 at 11:17 AM Elias Pereira <empbilly at gmail.com> wrote:
> [...]
-- 
Elias Pereira
Hai Elias,

Lucky you, I'm in a good mood and I'm "still" at work ;-) ..

# Add
[sysvol]
        acl_xattr:ignore system acls = yes
        path = /var/lib/samba/sysvol
        read only = No

Did you set the parameter APPLY_CHANGES_DIRECT="no" to yes? If not, do it.

Restart samba-ad-dc.

Then go to your GPO editor in Windows and click every GPO object once.
Some might complain about rights; that's ok, Windows will fix that.

Should fix it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Elias Pereira via samba
> Sent: Monday 30 July 2018 16:17
> To: samba
> Subject: [Samba] gpupdate /force not applied
> [...]
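Louis's steps above start with an smb.conf edit, and the posted config is what the edit is applied to. The script below is an added example, not part of Louis's samba-check-set-sysvol.sh or of Samba: a small smb.conf reader (parameter names matched ignoring case and whitespace, as Samba does) that checks the [sysvol] and [netlogon] shares for the parameter Louis asks for and for the layout a provisioned DC expects, and separately flags two [global] lines from Elias's posted config that a security review would question even though they are unrelated to the GPO error. The "before" sample is the posted config trimmed to the relevant lines; "after" is the same file with Louis's line added. The netlogon-path check assumes the standard provision layout `<sysvol path>/<realm>/scripts` that the posted config shows.

```python
import re


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {normalised parameter: value}}.
    Samba matches parameter names ignoring case and whitespace, so 'Read Only'
    and 'readonly' land on the same key; values keep their case."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # smb.conf has full-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("cannot parse smb.conf line: %r" % raw)
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_true(value):
    return value is not None and value.strip().lower() in {"yes", "true", "1", "on"}


def sysvol_findings(conf):
    """Checks on the [sysvol]/[netlogon] shares of an AD DC; empty list means OK."""
    sysvol = conf.get("sysvol")
    if sysvol is None:
        return ["no [sysvol] share defined"]
    findings = []
    # The setting Louis asks for: the NT ACL stored in the security xattr is
    # authoritative and the POSIX mode/ACL is no longer merged into it.
    if not is_true(sysvol.get("acl_xattr:ignoresystemacls")):
        findings.append("[sysvol] is missing 'acl_xattr:ignore system acls = yes'")
    if is_true(sysvol.get("readonly", "yes")):
        findings.append("[sysvol] must not be read only")
    netlogon, realm = conf.get("netlogon"), conf.get("global", {}).get("realm", "")
    if netlogon is None or not realm:
        findings.append("missing [netlogon] share or global 'realm'")
    else:
        # A provisioned DC puts netlogon at <sysvol path>/<realm in lower case>/scripts.
        wanted = "%s/%s/scripts" % (sysvol.get("path", "").rstrip("/"), realm.lower())
        if netlogon.get("path") != wanted:
            findings.append("[netlogon] path %r is not %r" % (netlogon.get("path"), wanted))
    return findings


def weak_auth_findings(conf):
    """Two [global] lines from the posted config that a security review would
    question; unrelated to the GPO error, but they widen the DC's attack surface."""
    g, findings = conf.get("global", {}), []
    if g.get("ldapserverrequirestrongauth", "yes").lower() == "no":
        findings.append("'ldap server require strong auth = no': LDAP simple binds "
                        "are accepted without TLS or signing")
    if g.get("ntlmauth", "no").lower() in {"yes", "ntlmv1-permitted"}:
        findings.append("'ntlm auth = yes': NTLMv1 is accepted (default is NTLMv2 only)")
    return findings


# Constructed samples: the posted smb.conf trimmed to the relevant lines, and
# the same file with the [sysvol] line Louis recommends added.
BEFORE = """\
[global]
        netbios name = DC3
        realm = CAMPUS.SERTAO.IFRS.EDU.BR
        workgroup = CAMPUS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        ntlm auth = yes
        #ntlm auth = mschapv2-and-ntlmv2-only

[netlogon]
        path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""
AFTER = BEFORE.replace("[sysvol]\n", "[sysvol]\n        acl_xattr:ignore system acls = yes\n")

if __name__ == "__main__":                 # python3 check_sysvol_conf.py /etc/samba/smb.conf
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BEFORE
    conf = parse_smb_conf(text)
    for finding in sysvol_findings(conf) + weak_auth_findings(conf):
        print(finding)
```

Run it against /etc/samba/smb.conf before restarting samba-ad-dc; an empty sysvol result means the share is configured the way Louis describes, and whatever weak_auth_findings prints is a separate decision about NTLMv1 and unprotected simple binds, not something this thread's fix requires.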
Hello Louis, thanks for the quick reply!! :)

I had set up a trust relationship between our domain and another domain configured on our network, and at first sight it seems that this is what caused the GPO problem. I removed the trust and it all worked again.

In the internal tests that I had done, everything worked normally. Of course, this is different when we put it into production. :)

I know the trust is not 100%, but would you have any way to analyze these issues and troubleshoot them?

On Mon, Jul 30, 2018 at 12:19 PM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> [...]
-- 
Elias Pereira
On Mon, 2018-07-30 at 12:17 -0300, Elias Pereira via samba wrote:
> [...]
> I know the trust is not 100%, but would you have any way to analyze these
> issues and troubleshoot them?

Have you seen: https://bugzilla.samba.org/show_bug.cgi?id=11517

I don't think it helps you get out of your pickle, but it might help coordination.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba