On Fri, 6 Sep 2019, Rowland penny via samba wrote:

> On 06/09/2019 17:05, Tom Diehl via samba wrote:
>> Hi Louis,
>>
>> On Fri, 6 Sep 2019, L.P.H. van Belle via samba wrote:
>>
>>> Hai,
>>>
>>> Try the script, make backups of your sysvol first.
>>>
>>> The script shows the correct settings, these are duplicated from a
>>> Windows 2008R2 server.
>>>
>>> But here you go, the MS link to verify your settings.
>>> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
>>
>> Thanks for the link. I like pictures. :-)
>>
>>> But I must also say, start with upgrading your samba-ad-dc's.
>>
>> I plan to upgrade but I was thinking I should fix the sysvol problems
>> before making more changes. Are you saying I should upgrade first? Is
>> there a compelling reason to upgrade past 4.9.latest at this time?
>>
>> Regards,
>
> Samba has three levels of support for each minor version, spread over 18
> months:
>
> Fully supported for the first six months
>
> Maintenance fixes for the next six months
>
> Security fixes only for the last six months
>
> 4.9.x is in maintenance mode at the moment, but 4.11.0 is fairly imminent
> and, when it is released, 4.9.x will drop into security fixes only (4.8.x
> will go EOL at this time)
>
> That is the reason to upgrade to the highest version possible, plus you
> will get numerous fixes that have been added to 4.10.x

Right, I get that. The problem for me is that at this time, anything past
4.9.latest is going to require either switching to a distro I know nothing
about (one of the Debian variants, but which one?) or figuring out the
python3 crap on CentOS 7 or waiting for CentOS 8. Hopefully once CentOS 8 is
a real thing there will be a list of required packages to build Samba like
there is with CentOS 7. Hence my hesitation with moving past 4.9.x at this
time. I expect that will change in the next few weeks.

Now if you said there was some bug fix in 4.10 that would get group policy
working again, I would most likely bite the bullet and go for it since you
are, after all, one of the samba gods. :-)

One question I do have is, is it expected that if I try to run gpresult as
administrator that I get an error that says "The user SAMDOM\Administrator
does not have RSOP data"?

Also, in the gpmc if I try to run the "group policy modeling wizard" I get
an error that says "The RPC server is unavailable". Is that also expected
or do I have other issues?

The server services in smb.conf is as follows:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

If I read this correctly, rpc should be available. Is this correct?

TBH, when it comes to Windows tools I am never sure what is supposed to
work with Samba and what is not.

FWIW both DCs are now on 4.8.12. Tomorrow I will upgrade them to
4.9.latest.

Regards,

-- 
Tom me at tdiehl.org
On 06/09/2019 20:54, me at tdiehl.org wrote:
> On Fri, 6 Sep 2019, Rowland penny via samba wrote:
>
>> On 06/09/2019 17:05, Tom Diehl via samba wrote:
>> [...]
>> That is the reason to upgrade to the highest version possible, plus
>> you will get numerous fixes that have been added to 4.10.x
>
> Right, I get that. The problem for me is that at this time, anything past
> 4.9.latest is going to require either switching to a distro I know
> nothing about (one of the Debian variants, but which one?) or figuring
> out the python3 crap on CentOS 7 or waiting for CentOS 8. Hopefully once
> CentOS 8 is a real thing there will be a list of required packages to
> build Samba like there is with CentOS 7. Hence my hesitation with moving
> past 4.9.x at this time. I expect that will change in the next few weeks.
>
> Now if you said there was some bug fix in 4.10 that would get group
> policy working again, I would most likely bite the bullet and go for it
> since you are, after all, one of the samba gods. :-)

First time anybody's called me that ;-)

> One question I do have is, is it expected that if I try to run gpresult
> as administrator that I get an error that says "The user
> SAMDOM\Administrator does not have RSOP data"?

Louis is the Windows expert here, but I think that is just because
Administrator hasn't logged into the system.

> Also, in the gpmc if I try to run the "group policy modeling wizard" I
> get an error that says "The RPC server is unavailable". Is that also
> expected or do I have other issues?

Sort of, it doesn't happen all the time and not for everyone, but normally
just pressing 'OK' is enough.

> The server services in smb.conf is as follows:
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> If I read this correctly, rpc should be available. Is this correct?

Yes, but I don't think Samba is the problem, well, not in that way. I think
Windows checks for the RPC server in a way that Samba doesn't understand, or
Samba replies in a way that Windows doesn't understand, but either way, once
you have got past that message box, it usually works.

> TBH, when it comes to Windows tools I am never sure what is supposed to
> work with Samba and what is not.

Not by yourself there, I prefer the command line.

> FWIW both DCs are now on 4.8.12. Tomorrow I will upgrade them to
> 4.9.latest.
>
> Regards,

Rowland
Hi Rowland,

On Fri, 6 Sep 2019, Rowland penny via samba wrote:

> On 06/09/2019 20:54, me at tdiehl.org wrote:
>> [...]
>> Now if you said there was some bug fix in 4.10 that would get group
>> policy working again, I would most likely bite the bullet and go for it
>> since you are, after all, one of the samba gods. :-)
>
> First time anybody's called me that ;-)
>
>> One question I do have is, is it expected that if I try to run gpresult
>> as administrator that I get an error that says "The user
>> SAMDOM\Administrator does not have RSOP data"?
>
> Louis is the Windows expert here, but I think that is just because
> Administrator hasn't logged into the system.
>
>> Also, in the gpmc if I try to run the "group policy modeling wizard" I
>> get an error that says "The RPC server is unavailable". Is that also
>> expected or do I have other issues?
>
> Sort of, it doesn't happen all the time and not for everyone, but
> normally just pressing 'OK' is enough.
>
>> The server services in smb.conf is as follows:
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate
>> If I read this correctly, rpc should be available. Is this correct?
>
> Yes, but I don't think Samba is the problem, well, not in that way. I
> think Windows checks for the RPC server in a way that Samba doesn't
> understand, or Samba replies in a way that Windows doesn't understand,
> but either way, once you have got past that message box, it usually
> works.

Unfortunately, it will not let me get past the message box. If I click OK
it exits.

>> TBH, when it comes to Windows tools I am never sure what is supposed to
>> work with Samba and what does not.
>
> Not by yourself there, I prefer the command line.

So do I. The problem I have is what is the command line equivalent of adsi
edit? If it is ldb search/edit/delete, how does one figure out the correct
incantation to add/delete/modify things.

For instance, I have the following record:

# record 4009
dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
objectClass: top
objectClass: site
cn: Default-First-Site-Name
instanceType: 4
whenCreated: 20061005105708.0Z
whenChanged: 20061005105708.0Z
uSNCreated: 3742
showInAdvancedViewOnly: TRUE
name: Default-First-Site-Name
objectGUID: 206ddbbb-14cf-4f37-bb66-1f2d07bac717
systemFlags: 1107296256
objectCategory: CN=Site,CN=Schema,CN=Configuration,DC=mydomain,DC=com
uSNChanged: 10210
msExchServerSiteBL: CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIB
 OHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Servi
 ces,CN=Configuration,DC=mydomain,DC=com
distinguishedName: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pht
 ool,DC=com

Is there a document that explains all of this in a manner that mere mortals
can understand?

The above server no longer exists. It died before I could remove it
gracefully so I am left with a mess that I think the only way to clean it up
is to remove the remaining records by hand.

I normally would not care that these orphaned records are there except that
when I run samba-tool dbcheck --cross-ncs --fix I get 316 errors and none of
them get repaired. Most if not all appear to be related to the dead server.

For the record adsi edit will only let me look at the records. If I try to
delete/modify anything, I get an error that says "Operation Failed error code
0x202c. the server does not support the requested critical extensions"

In case it is useful in fixing the problem the following is a sample of the
output of samba-tool dbcheck --cross-ncs --fix:

WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com - B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=mydomain,DC=com
Not removing dangling one-way cross-partition link (we might be mid-replication)

...

Fix nTSecurityDescriptor on CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'

...

Fix nTSecurityDescriptor on CN=RpcServices,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'

Checked 9880 objects (316 errors)

As you can see it says that it is fixing things but if I run it again, I get
the same results.

Suggestions?

Regards,

-- 
Tom me at tdiehl.org
Hai Tom,

A bit late in reaction here, but what I suggest: you're on CentOS, that's
fine, the primary goal for you is to get the latest packages. And these
days, like I do the Debian packages, there is also someone doing
CentOS/RH packages. See the thread with subject "[Samba] Samba 4.10.8 and
4.9.13 for rhel7/centos7 rpms".

> So do I. The problem I have is what is the command line equivalent of
> adsi edit? If it is ldb search/edit/delete, how does one figure out the
> correct incantation to add/delete/modify things.
>
> For instance, I have the following record:
>
> # record 4009
> dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> [...]
> msExchServerSiteBL: CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIB
>  OHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Servi
>  ces,CN=Configuration,DC=mydomain,DC=com
> distinguishedName: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pht
>  ool,DC=com
>
> Is there a document that explains all of this in a manner that mere
> mortals can understand?

Yes, https://docs.microsoft.com/ ( ;-) sorry ... )

> The above server no longer exists. It died before I could remove it
> gracefully so I am left with a mess that I think the only way to clean
> it up is to remove the remaining records by hand.

Try running:

samba-tool domain tombstones expunge

> I normally would not care that these orphaned records are there except
> that when I run samba-tool dbcheck --cross-ncs --fix I get 316 errors
> and none of them get repaired. Most if not all appear to be related to
> the dead server.
>
> For the record adsi edit will only let me look at the records. If I try
> to delete/modify anything, I get an error that says "Operation Failed
> error code 0x202c. the server does not support the requested critical
> extensions"
>
> In case it is useful in fixing the problem the following is a sample of
> the output of samba-tool dbcheck --cross-ncs --fix:
>
> WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com - B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=mydomain,DC=com
> Not removing dangling one-way cross-partition link (we might be mid-replication)
>
> [...]
>
> Checked 9880 objects (316 errors)
>
> As you can see it says that it is fixing things but if I run it again,
> I get the same results.
>
> Suggestions?

A few. First, I'm saying ignore these errors and upgrade to the latest
4.10. Then run samba-tool domain tombstones expunge again, and
samba-tool dbcheck --cross-ncs --fix after you upgraded. (Use the upgrade
steps 4.8 -> 4.9 -> 4.10.)

If you don't want to upgrade that far, then you could try to remove the
faulty records with the Windows tools. Clean up the AD-DC data and clean
up the AD-DNS data. If you use the Windows tools, enable advanced view.
And it's a pain, but you must go and check every level/folder record ...
etcetera. And I know, if you repeat this a few times, you know where to
look.

Then stop/start Samba and check again with samba-tool dbcheck. If there
are records you removed and you're getting these back, then mail the list
again.

I see these are related links to MS Exchange servers. It might be that
your schema is extended and you're not able to remove that extended part.
But I can't tell that, I just don't know.

Last, use for example Apache Studio and search manually through LDAP:
https://directory.apache.org/studio/

! Do note, here, remove the wrong things and you might get more problems.
So make very, very sure you have good backups before you start.

Greetz,

Louis
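To sort a dbcheck run like the one Tom pasted into what dbcheck repaired itself and what it deliberately left for the admin (the part Louis's tombstones-expunge and manual-removal advice applies to), here is an added example that is not code from the thread or from Samba: it parses the dbcheck output lines, decodes the Object(DN-Binary) value of the dangling otherWellKnownObjects link into its GUID, SID and target DN, and lists the objects whose links dbcheck refused to remove. The sample lines are constructed from the output quoted above; the parser assumes dbcheck prints each WARNING on a single line.

```python
import re

# Constructed sample of `samba-tool dbcheck --cross-ncs --fix` output, modelled on the thread.
SAMPLE = (
    "WARNING: no target object found for GUID component for cross-partition link "
    "otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,"
    "CN=Configuration,DC=mydomain,DC=com - B:32:A7D2016C83F003458132789EEB127B84:"
    "<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;"
    "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=mydomain,DC=com\n"
    "Not removing dangling one-way cross-partition link (we might be mid-replication)\n"
    "Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'\n"
    "Checked 9880 objects (316 errors)\n"
)

DANGLING_RE = re.compile(
    r"^WARNING: no target object found for GUID component for cross-partition link "
    r"(?P<attr>\S+) in object (?P<obj>.+?) - (?P<value>B:\d+:[0-9A-Fa-f]*:.+)$")
FIXED_RE = re.compile(r"^Fixed attribute '(?P<attr>[^']+)' of '(?P<dn>[^']+)'$")
SUMMARY_RE = re.compile(r"^Checked (\d+) objects \((\d+) errors\)$")
NOT_REMOVED = "Not removing dangling one-way cross-partition link"


def parse_dn_binary(value):
    """Split an Object(DN-Binary) value 'B:<hexlen>:<hex>:<dn>'; dbcheck prints the DN
    with extended components (<GUID=...>;<SID=...>;) in front of the plain DN."""
    tag, length, hexpart, dn = value.split(":", 3)
    if tag != "B" or int(length) != len(hexpart):
        raise ValueError("malformed DN-Binary value: %r" % value)
    parts = {"guid": None, "sid": None}
    while dn.startswith("<"):  # peel off the <GUID=...>; and <SID=...>; prefixes
        ext, dn = dn[1:].split(">;", 1)
        key, _, val = ext.partition("=")
        parts[key.lower()] = val
    return {"binary": bytes.fromhex(hexpart), "dn": dn, **parts}


def triage(output):
    """Sort dbcheck output into what it fixed itself and which dangling links it left alone."""
    report = {"dangling": [], "fixed": [], "needs_admin": [], "summary": None}
    last = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(NOT_REMOVED) and last is not None:
            last["removed"] = False  # dbcheck refused: a human has to decide on this link
            report["needs_admin"].append(last["object"])
            continue
        m = DANGLING_RE.match(line) or FIXED_RE.match(line) or SUMMARY_RE.match(line)
        if m is None:
            continue
        if m.re is DANGLING_RE:
            last = {"object": m["obj"], "attr": m["attr"], "link": parse_dn_binary(m["value"]), "removed": True}
            report["dangling"].append(last)
        elif m.re is FIXED_RE:
            report["fixed"].append((m["attr"], m["dn"]))
        else:
            report["summary"] = (int(m[1]), int(m[2]))
    return report
```

Feeding the real output (`samba-tool dbcheck --cross-ncs --fix 2>&1 | tee dbcheck.log`) to `triage()` gives the list of objects to look at by hand, after the backup Louis insists on.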