Marco Shmerykowsky
2019-Jan-21 18:36 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive
clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:"
status="W:"
image="2" changed="2019-01-21 18:36:07"
uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1"
bypassErrors="1"><Properties action="U"
thisDrive="SHOW" allDrives="SHOW"
userName="" path="\\sce251\test-share"
label="SHARE" persistent="1"
useLetter="1" letter="W"/><Filters/></Drive>
</Drives>
On Mon, January 21, 2019 1:27 pm, Luke Barone via samba
wrote:> OK, remove the Item Level Targeting - that should hit all Domain Users
> anyways.
>
> Can you extract the .XML file that is made from that policy? Go to your
> SYSVOL\<domain>\Policies\<GUID for
Policy>\User\Preferences\Drives, and
> open up "Drives.xml". Copy and paste the contents of that file
into the
> mailing list.
>
> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba <
> samba at lists.samba.org> wrote:
>
>> user configuration -> Preferences -> Windows Settings -> Drive
Maps
>>
>> Item Level Targeting -> Security Group, Domain Users
>>
>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote:
>> > Where is the policy targeting - the user or the computer?
>> >
>> >
>> > On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba
<
>> > samba at lists.samba.org> wrote:
>> >
>> >> I seem to be having trouble getting group policies
>> >> to map a drive. When I drilled down thru the logs
>> >> I get an "Access Denied" message.
>> >>
>> >> I can navigate to the share via the computer browser
>> >> and map a drive the "old fashion way" with any
issues.
>> >> Files can be read and written.
>> >>
>> >> The group policy doesn't seem to take. Suggestions?
>> >>
>> >> Thank you.
>> >>
>> >> --
>> >> To unsubscribe from this list go to the following URL and read
the
>> >> instructions: https://lists.samba.org/mailman/options/samba
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Luke Barone
2019-Jan-21 19:11 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
OK, the preference is set correctly. Have you run a "samba-tool ntacl sysvolcheck" on your first domain controller? That will check the permissions. If you have additional domain controllers, ensure you're connecting to the one holding the PDC Emulator role (typically your first DC) in your GPMC. If the sysvolcheck says everything is fine, and you only have one domain controller, then we'll have more troubleshooting to do. On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < samba at lists.samba.org> wrote:> <?xml version="1.0" encoding="utf-8"?> > <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive > clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:" > image="2" changed="2019-01-21 18:36:07" > uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" > bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW" > userName="" path="\\sce251\test-share" label="SHARE" persistent="1" > useLetter="1" letter="W"/><Filters/></Drive> > </Drives> > > On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: > > OK, remove the Item Level Targeting - that should hit all Domain Users > > anyways. > > > > Can you extract the .XML file that is made from that policy? Go to your > > SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and > > open up "Drives.xml". Copy and paste the contents of that file into the > > mailing list. > > > > On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < > > samba at lists.samba.org> wrote: > > > >> user configuration -> Preferences -> Windows Settings -> Drive Maps > >> > >> Item Level Targeting -> Security Group, Domain Users > >> > >> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: > >> > Where is the policy targeting - the user or the computer? > >> > > >> > > >> > On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba < > >> > samba at lists.samba.org> wrote: > >> > > >> >> I seem to be having trouble getting group policies > >> >> to map a drive. When I drilled down thru the logs > >> >> I get an "Access Denied" message. > >> >> > >> >> I can navigate to the share via the computer browser > >> >> and map a drive the "old fashion way" with any issues. > >> >> Files can be read and written. > >> >> > >> >> The group policy doesn't seem to take. Suggestions? > >> >> > >> >> Thank you. > >> >> > >> >> -- > >> >> To unsubscribe from this list go to the following URL and read the > >> >> instructions: https://lists.samba.org/mailman/options/samba > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Marco Shmerykowsky PE
2019-Jan-21 19:16 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
Kicks up an error:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samb
a/sysvol/sce-internal.sce-engineers.com/Policies/{EEB4B384-6F43-403B-BD24-B0BA7AB04F41}
O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A
;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)
does not m
atch expected value
O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;D
A)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) from GPO object
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
270, in run
lp)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1836, in checksysvolacl
direct_db_access)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1787, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1734, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_d
b_access), path, fsacl_sddl, acl))
On 1/21/2019 2:11 PM, Luke Barone via samba wrote:> OK, the preference is set correctly. Have you run a "samba-tool ntacl
> sysvolcheck" on your first domain controller? That will check the
> permissions. If you have additional domain controllers, ensure you're
> connecting to the one holding the PDC Emulator role (typically your first
> DC) in your GPMC.
>
> If the sysvolcheck says everything is fine, and you only have one domain
> controller, then we'll have more troubleshooting to do.
>
> On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba <
> samba at lists.samba.org> wrote:
>
>> <?xml version="1.0" encoding="utf-8"?>
>> <Drives
clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive
>> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}"
name="W:" status="W:"
>> image="2" changed="2019-01-21 18:36:07"
>> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}"
userContext="1"
>> bypassErrors="1"><Properties action="U"
thisDrive="SHOW" allDrives="SHOW"
>> userName="" path="\\sce251\test-share"
label="SHARE" persistent="1"
>> useLetter="1"
letter="W"/><Filters/></Drive>
>> </Drives>
>>
>> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote:
>>> OK, remove the Item Level Targeting - that should hit all Domain
Users
>>> anyways.
>>>
>>> Can you extract the .XML file that is made from that policy? Go to
your
>>> SYSVOL\<domain>\Policies\<GUID for
Policy>\User\Preferences\Drives, and
>>> open up "Drives.xml". Copy and paste the contents of that
file into the
>>> mailing list.
>>>
>>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba
<
>>> samba at lists.samba.org> wrote:
>>>
>>>> user configuration -> Preferences -> Windows Settings
-> Drive Maps
>>>>
>>>> Item Level Targeting -> Security Group, Domain Users
>>>>
>>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote:
>>>>> Where is the policy targeting - the user or the computer?
>>>>>
>>>>>
>>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via
samba <
>>>>> samba at lists.samba.org> wrote:
>>>>>
>>>>>> I seem to be having trouble getting group policies
>>>>>> to map a drive. When I drilled down thru the logs
>>>>>> I get an "Access Denied" message.
>>>>>>
>>>>>> I can navigate to the share via the computer browser
>>>>>> and map a drive the "old fashion way" with
any issues.
>>>>>> Files can be read and written.
>>>>>>
>>>>>> The group policy doesn't seem to take.
Suggestions?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL
and read the
>>>>>> instructions:
https://lists.samba.org/mailman/options/samba
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Marco Shmerykowsky PE
2019-Jan-21 19:21 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
Thanks. Just ran "samba-tool ntacl sysvolrest" and that seems to have fixed the issue. On 1/21/2019 2:11 PM, Luke Barone via samba wrote:> OK, the preference is set correctly. Have you run a "samba-tool ntacl > sysvolcheck" on your first domain controller? That will check the > permissions. If you have additional domain controllers, ensure you're > connecting to the one holding the PDC Emulator role (typically your first > DC) in your GPMC. > > If the sysvolcheck says everything is fine, and you only have one domain > controller, then we'll have more troubleshooting to do. > > On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < > samba at lists.samba.org> wrote: > >> <?xml version="1.0" encoding="utf-8"?> >> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive >> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:" >> image="2" changed="2019-01-21 18:36:07" >> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" >> bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW" >> userName="" path="\\sce251\test-share" label="SHARE" persistent="1" >> useLetter="1" letter="W"/><Filters/></Drive> >> </Drives> >> >> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: >>> OK, remove the Item Level Targeting - that should hit all Domain Users >>> anyways. >>> >>> Can you extract the .XML file that is made from that policy? Go to your >>> SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and >>> open up "Drives.xml". Copy and paste the contents of that file into the >>> mailing list. >>> >>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < >>> samba at lists.samba.org> wrote: >>> >>>> user configuration -> Preferences -> Windows Settings -> Drive Maps >>>> >>>> Item Level Targeting -> Security Group, Domain Users >>>> >>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: >>>>> Where is the policy targeting - the user or the computer? >>>>> >>>>> >>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba < >>>>> samba at lists.samba.org> wrote: >>>>> >>>>>> I seem to be having trouble getting group policies >>>>>> to map a drive. When I drilled down thru the logs >>>>>> I get an "Access Denied" message. >>>>>> >>>>>> I can navigate to the share via the computer browser >>>>>> and map a drive the "old fashion way" with any issues. >>>>>> Files can be read and written. >>>>>> >>>>>> The group policy doesn't seem to take. Suggestions? >>>>>> >>>>>> Thank you. >>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2019-Jan-22 07:38 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
Hai, If you dont mind to share the OS and Samba version you are using? Because we dont see this much:> Thanks. Just ran "samba-tool ntacl sysvolrest" and that seems > to have fixed the issue.Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Shmerykowsky PE via samba > Verzonden: maandag 21 januari 2019 20:21 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Samba 4 -> Group Policy Drive Map -> > Access Denied > > Thanks. Just ran "samba-tool ntacl sysvolrest" and that seems > to have fixed the issue.> > On 1/21/2019 2:11 PM, Luke Barone via samba wrote: > > OK, the preference is set correctly. Have you run a > "samba-tool ntacl > > sysvolcheck" on your first domain controller? That will check the > > permissions. If you have additional domain controllers, > ensure you're > > connecting to the one holding the PDC Emulator role > (typically your first > > DC) in your GPMC. > > > > If the sysvolcheck says everything is fine, and you only > have one domain > > controller, then we'll have more troubleshooting to do. > > > > On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < > > samba at lists.samba.org> wrote: > > > >> <?xml version="1.0" encoding="utf-8"?> > >> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive > >> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" > status="W:" > >> image="2" changed="2019-01-21 18:36:07" > >> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" > >> bypassErrors="1"><Properties action="U" thisDrive="SHOW" > allDrives="SHOW" > >> userName="" path="\\sce251\test-share" label="SHARE" persistent="1" > >> useLetter="1" letter="W"/><Filters/></Drive> > >> </Drives> > >> > >> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: > >>> OK, remove the Item Level Targeting - that should hit all > Domain Users > >>> anyways. > >>> > >>> Can you extract the .XML file that is made from that > policy? Go to your > >>> SYSVOL\<domain>\Policies\<GUID for > Policy>\User\Preferences\Drives, and > >>> open up "Drives.xml". Copy and paste the contents of that > file into the > >>> mailing list. > >>> > >>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < > >>> samba at lists.samba.org> wrote: > >>> > >>>> user configuration -> Preferences -> Windows Settings -> > Drive Maps > >>>> > >>>> Item Level Targeting -> Security Group, Domain Users > >>>> > >>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: > >>>>> Where is the policy targeting - the user or the computer? > >>>>> > >>>>> > >>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE > via samba < > >>>>> samba at lists.samba.org> wrote: > >>>>> > >>>>>> I seem to be having trouble getting group policies > >>>>>> to map a drive. When I drilled down thru the logs > >>>>>> I get an "Access Denied" message. > >>>>>> > >>>>>> I can navigate to the share via the computer browser > >>>>>> and map a drive the "old fashion way" with any issues. > >>>>>> Files can be read and written. > >>>>>> > >>>>>> The group policy doesn't seem to take. Suggestions? > >>>>>> > >>>>>> Thank you. > >>>>>> > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL > and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>> > >>>> -- > >>>> To unsubscribe from this list go to the following URL > and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > >> > >> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >