Marco Shmerykowsky
2019-Jan-21 18:36 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
<?xml version="1.0" encoding="utf-8"?> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:" image="2" changed="2019-01-21 18:36:07" uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW" userName="" path="\\sce251\test-share" label="SHARE" persistent="1" useLetter="1" letter="W"/><Filters/></Drive> </Drives> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote:> OK, remove the Item Level Targeting - that should hit all Domain Users > anyways. > > Can you extract the .XML file that is made from that policy? Go to your > SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and > open up "Drives.xml". Copy and paste the contents of that file into the > mailing list. > > On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < > samba at lists.samba.org> wrote: > >> user configuration -> Preferences -> Windows Settings -> Drive Maps >> >> Item Level Targeting -> Security Group, Domain Users >> >> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: >> > Where is the policy targeting - the user or the computer? >> > >> > >> > On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba < >> > samba at lists.samba.org> wrote: >> > >> >> I seem to be having trouble getting group policies >> >> to map a drive. When I drilled down thru the logs >> >> I get an "Access Denied" message. >> >> >> >> I can navigate to the share via the computer browser >> >> and map a drive the "old fashion way" with any issues. >> >> Files can be read and written. >> >> >> >> The group policy doesn't seem to take. Suggestions? >> >> >> >> Thank you. >> >> >> >> -- >> >> To unsubscribe from this list go to the following URL and read the >> >> instructions: https://lists.samba.org/mailman/options/samba >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Luke Barone
2019-Jan-21 19:11 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
OK, the preference is set correctly. Have you run a "samba-tool ntacl sysvolcheck" on your first domain controller? That will check the permissions. If you have additional domain controllers, ensure you're connecting to the one holding the PDC Emulator role (typically your first DC) in your GPMC. If the sysvolcheck says everything is fine, and you only have one domain controller, then we'll have more troubleshooting to do. On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < samba at lists.samba.org> wrote:> <?xml version="1.0" encoding="utf-8"?> > <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive > clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:" > image="2" changed="2019-01-21 18:36:07" > uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" > bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW" > userName="" path="\\sce251\test-share" label="SHARE" persistent="1" > useLetter="1" letter="W"/><Filters/></Drive> > </Drives> > > On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: > > OK, remove the Item Level Targeting - that should hit all Domain Users > > anyways. > > > > Can you extract the .XML file that is made from that policy? Go to your > > SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and > > open up "Drives.xml". Copy and paste the contents of that file into the > > mailing list. > > > > On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < > > samba at lists.samba.org> wrote: > > > >> user configuration -> Preferences -> Windows Settings -> Drive Maps > >> > >> Item Level Targeting -> Security Group, Domain Users > >> > >> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: > >> > Where is the policy targeting - the user or the computer? > >> > > >> > > >> > On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba < > >> > samba at lists.samba.org> wrote: > >> > > >> >> I seem to be having trouble getting group policies > >> >> to map a drive. When I drilled down thru the logs > >> >> I get an "Access Denied" message. > >> >> > >> >> I can navigate to the share via the computer browser > >> >> and map a drive the "old fashion way" with any issues. > >> >> Files can be read and written. > >> >> > >> >> The group policy doesn't seem to take. Suggestions? > >> >> > >> >> Thank you. > >> >> > >> >> -- > >> >> To unsubscribe from this list go to the following URL and read the > >> >> instructions: https://lists.samba.org/mailman/options/samba > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Marco Shmerykowsky PE
2019-Jan-21 19:16 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
Kicks up an error: ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samb a/sysvol/sce-internal.sce-engineers.com/Policies/{EEB4B384-6F43-403B-BD24-B0BA7AB04F41} O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A ;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) does not m atch expected value O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;D A)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run lp) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1836, in checksysvolacl direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1787, in check_gpos_acl domainsid, direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1734, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_d b_access), path, fsacl_sddl, acl)) On 1/21/2019 2:11 PM, Luke Barone via samba wrote:> OK, the preference is set correctly. Have you run a "samba-tool ntacl > sysvolcheck" on your first domain controller? That will check the > permissions. If you have additional domain controllers, ensure you're > connecting to the one holding the PDC Emulator role (typically your first > DC) in your GPMC. > > If the sysvolcheck says everything is fine, and you only have one domain > controller, then we'll have more troubleshooting to do. > > On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < > samba at lists.samba.org> wrote: > >> <?xml version="1.0" encoding="utf-8"?> >> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive >> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:" >> image="2" changed="2019-01-21 18:36:07" >> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" >> bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW" >> userName="" path="\\sce251\test-share" label="SHARE" persistent="1" >> useLetter="1" letter="W"/><Filters/></Drive> >> </Drives> >> >> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: >>> OK, remove the Item Level Targeting - that should hit all Domain Users >>> anyways. >>> >>> Can you extract the .XML file that is made from that policy? Go to your >>> SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and >>> open up "Drives.xml". Copy and paste the contents of that file into the >>> mailing list. >>> >>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < >>> samba at lists.samba.org> wrote: >>> >>>> user configuration -> Preferences -> Windows Settings -> Drive Maps >>>> >>>> Item Level Targeting -> Security Group, Domain Users >>>> >>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: >>>>> Where is the policy targeting - the user or the computer? >>>>> >>>>> >>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba < >>>>> samba at lists.samba.org> wrote: >>>>> >>>>>> I seem to be having trouble getting group policies >>>>>> to map a drive. When I drilled down thru the logs >>>>>> I get an "Access Denied" message. >>>>>> >>>>>> I can navigate to the share via the computer browser >>>>>> and map a drive the "old fashion way" with any issues. >>>>>> Files can be read and written. >>>>>> >>>>>> The group policy doesn't seem to take. Suggestions? >>>>>> >>>>>> Thank you. >>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba
Marco Shmerykowsky PE
2019-Jan-21 19:21 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
Thanks. Just ran "samba-tool ntacl sysvolrest" and that seems to have fixed the issue. On 1/21/2019 2:11 PM, Luke Barone via samba wrote:> OK, the preference is set correctly. Have you run a "samba-tool ntacl > sysvolcheck" on your first domain controller? That will check the > permissions. If you have additional domain controllers, ensure you're > connecting to the one holding the PDC Emulator role (typically your first > DC) in your GPMC. > > If the sysvolcheck says everything is fine, and you only have one domain > controller, then we'll have more troubleshooting to do. > > On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < > samba at lists.samba.org> wrote: > >> <?xml version="1.0" encoding="utf-8"?> >> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive >> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:" >> image="2" changed="2019-01-21 18:36:07" >> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" >> bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW" >> userName="" path="\\sce251\test-share" label="SHARE" persistent="1" >> useLetter="1" letter="W"/><Filters/></Drive> >> </Drives> >> >> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: >>> OK, remove the Item Level Targeting - that should hit all Domain Users >>> anyways. >>> >>> Can you extract the .XML file that is made from that policy? Go to your >>> SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and >>> open up "Drives.xml". Copy and paste the contents of that file into the >>> mailing list. >>> >>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < >>> samba at lists.samba.org> wrote: >>> >>>> user configuration -> Preferences -> Windows Settings -> Drive Maps >>>> >>>> Item Level Targeting -> Security Group, Domain Users >>>> >>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: >>>>> Where is the policy targeting - the user or the computer? >>>>> >>>>> >>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba < >>>>> samba at lists.samba.org> wrote: >>>>> >>>>>> I seem to be having trouble getting group policies >>>>>> to map a drive. When I drilled down thru the logs >>>>>> I get an "Access Denied" message. >>>>>> >>>>>> I can navigate to the share via the computer browser >>>>>> and map a drive the "old fashion way" with any issues. >>>>>> Files can be read and written. >>>>>> >>>>>> The group policy doesn't seem to take. Suggestions? >>>>>> >>>>>> Thank you. >>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2019-Jan-22 07:38 UTC
[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied
Hai, If you dont mind to share the OS and Samba version you are using? Because we dont see this much:> Thanks. Just ran "samba-tool ntacl sysvolrest" and that seems > to have fixed the issue.Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Shmerykowsky PE via samba > Verzonden: maandag 21 januari 2019 20:21 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Samba 4 -> Group Policy Drive Map -> > Access Denied > > Thanks. Just ran "samba-tool ntacl sysvolrest" and that seems > to have fixed the issue.> > On 1/21/2019 2:11 PM, Luke Barone via samba wrote: > > OK, the preference is set correctly. Have you run a > "samba-tool ntacl > > sysvolcheck" on your first domain controller? That will check the > > permissions. If you have additional domain controllers, > ensure you're > > connecting to the one holding the PDC Emulator role > (typically your first > > DC) in your GPMC. > > > > If the sysvolcheck says everything is fine, and you only > have one domain > > controller, then we'll have more troubleshooting to do. > > > > On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba < > > samba at lists.samba.org> wrote: > > > >> <?xml version="1.0" encoding="utf-8"?> > >> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive > >> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" > status="W:" > >> image="2" changed="2019-01-21 18:36:07" > >> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1" > >> bypassErrors="1"><Properties action="U" thisDrive="SHOW" > allDrives="SHOW" > >> userName="" path="\\sce251\test-share" label="SHARE" persistent="1" > >> useLetter="1" letter="W"/><Filters/></Drive> > >> </Drives> > >> > >> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote: > >>> OK, remove the Item Level Targeting - that should hit all > Domain Users > >>> anyways. > >>> > >>> Can you extract the .XML file that is made from that > policy? Go to your > >>> SYSVOL\<domain>\Policies\<GUID for > Policy>\User\Preferences\Drives, and > >>> open up "Drives.xml". Copy and paste the contents of that > file into the > >>> mailing list. > >>> > >>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba < > >>> samba at lists.samba.org> wrote: > >>> > >>>> user configuration -> Preferences -> Windows Settings -> > Drive Maps > >>>> > >>>> Item Level Targeting -> Security Group, Domain Users > >>>> > >>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote: > >>>>> Where is the policy targeting - the user or the computer? > >>>>> > >>>>> > >>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE > via samba < > >>>>> samba at lists.samba.org> wrote: > >>>>> > >>>>>> I seem to be having trouble getting group policies > >>>>>> to map a drive. When I drilled down thru the logs > >>>>>> I get an "Access Denied" message. > >>>>>> > >>>>>> I can navigate to the share via the computer browser > >>>>>> and map a drive the "old fashion way" with any issues. > >>>>>> Files can be read and written. > >>>>>> > >>>>>> The group policy doesn't seem to take. Suggestions? > >>>>>> > >>>>>> Thank you. > >>>>>> > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL > and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>> > >>>> -- > >>>> To unsubscribe from this list go to the following URL > and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > >> > >> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Possibly Parallel Threads
- Samba 4 -> Group Policy Drive Map -> Access Denied
- Samba 4 -> Group Policy Drive Map -> Access Denied
- Samba 4 -> Group Policy Drive Map -> Access Denied
- Computer Management - Share Security - No Read Access
- Windows 10 Client - Samba 3 Server - NT4 Style PDC