Hi,

We are having problems with the sysvol AD shared folder in a Samba 4.9.13 AD. It has been running smoothly until recently, and we don't know how to fix it.

We detected the problem trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, it's not a literal translation): "this security identifier cannot be assigned as object owner".

If we execute a sysvol check (samba-tool ntacl sysvolcheck) on the Linux DC, we get this error:

    [root@mercurio2 ~]# samba-tool ntacl sysvolcheck
    WARNING: The "server schannel" option is deprecated
    ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/eadom.ea/Policies/{9F3EF1BC-6E68-46C4-B6EA-48C66AF71C1B} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 178, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
        lp)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1846, in checksysvolacl
        direct_db_access)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1797, in check_gpos_acl
        domainsid, direct_db_access)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1744, in check_dir_acl
        raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
    [root@mercurio2 ~]#

And, if we execute a sysvol ACL reset, we get this:

    [root@mercurio2 ~]# samba-tool ntacl sysvolreset
    WARNING: The "server schannel" option is deprecated
    WARNING: The "server schannel" option is deprecated
    ==============================================================
    INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13)
    Please read the Trouble-Shooting section of the Samba HOWTO
    ==============================================================
    PANIC (pid 22555): internal error
    BACKTRACE: 41 stack frames:
     #0 /usr/local/samba/lib/libsamba-util.so.0(log_stack_trace+0x1f) [0x7f29a686e18a]
     #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7f29974cea47]
     #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f29a686e155]
     #3 /usr/local/samba/lib/libsamba-util.so.0(+0x20e2f) [0x7f29a686de2f]
     #4 /usr/local/samba/lib/libsamba-util.so.0(+0x20e44) [0x7f29a686de44]
     #5 /lib64/libpthread.so.0() [0x3a9620f7e0]
     #6 /usr/local/samba/lib/vfs/full_audit.so(+0x555d) [0x7f29755d355d]
     #7 /usr/local/samba/lib/vfs/full_audit.so(+0x5c4c) [0x7f29755d3c4c]
     #8 /usr/local/samba/lib/vfs/full_audit.so(+0x6359) [0x7f29755d4359]
     #9 /usr/local/samba/lib/private/libsmbd-base-samba4.so(smb_vfs_call_connect+0x51) [0x7f2995e21f40]
     #10 /usr/local/samba/lib/private/libsmbd-base-samba4.so(+0x2047be) [0x7f2995e487be]
     #11 /usr/local/samba/lib/private/libsmbd-base-samba4.so(create_conn_struct_tos+0x91) [0x7f2995e489f3]
     #12 /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/smbd.so(+0x1e7f) [0x7f299624ae7f]
     #13 /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/smbd.so(+0x2caa) [0x7f299624bcaa]
     #14 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x5244) [0x3aa36d59d4]
     #15 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
     #16 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x5304) [0x3aa36d5a94]
     #17 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
     #18 /usr/lib64/libpython2.6.so.1.0() [0x3aa366ad9d]
     #19 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
     #20 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
     #21 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
     #22 /usr/lib64/libpython2.6.so.1.0() [0x3aa366aca0]
     #23 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
     #24 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
     #25 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
     #26 /usr/lib64/libpython2.6.so.1.0() [0x3aa366aca0]
     #27 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
     #28 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
     #29 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
     #30 /usr/lib64/libpython2.6.so.1.0() [0x3aa366aca0]
     #31 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
     #32 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
     #33 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
     #34 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCode+0x32) [0x3aa36d7722]
     #35 /usr/lib64/libpython2.6.so.1.0() [0x3aa36f1b9c]
     #36 /usr/lib64/libpython2.6.so.1.0(PyRun_FileExFlags+0x90) [0x3aa36f1c70]
     #37 /usr/lib64/libpython2.6.so.1.0(PyRun_SimpleFileExFlags+0xdc) [0x3aa36f315c]
     #38 /usr/lib64/libpython2.6.so.1.0(Py_Main+0xb62) [0x3aa36ff892]
     #39 /lib64/libc.so.6(__libc_start_main+0x100) [0x3a95e1ed20]
     #40 python() [0x400649]
    Can not dump core: corepath not set up
    [root@mercurio2 ~]#

We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):

    [root@mercurio2 ~]# /usr/oper/samba-check-set-sysvol.sh
    failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid S-1-5-32-549 to uid
    You have new mail in /var/spool/mail/root
    [root@mercurio2 ~]#

Please, do you know how to fix this, or at least where to begin?

Thank you

Pablo Sanz Fernández
On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> Hi,
>
> We are having problems with the sysvol AD shared folder in a Samba 4.9.13 AD.
>
> It has been running smoothly until recently, and we don't know how to fix it. We detected the problem trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, it's not a literal translation): "this security identifier cannot be assigned as object owner".
>
> If we execute a sysvol check (samba-tool ntacl sysvolcheck) on the Linux DC, we get this error:
>
> [root@mercurio2 ~]# samba-tool ntacl sysvolcheck
> O:LAG:DAD:P does not match expected value O:DAG:DAD:P

I have stripped that down to the difference, have you given the Domain Admins group a gidNumber attribute ?

> And, if we execute a sysvol ACL reset, we get this:
>
> [root@mercurio2 ~]# samba-tool ntacl sysvolreset
> WARNING: The "server schannel" option is deprecated
> WARNING: The "server schannel" option is deprecated
> ==============================================================
> INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ==============================================================
> PANIC (pid 22555): internal error

It shouldn't panic

> We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
>
> [root@mercurio2 ~]# /usr/oper/samba-check-set-sysvol.sh
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-549 to uid

Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber ?

> Please, do you know how to fix this, or at least where to begin?

What OS is this ?

4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba ? your problem may already have been fixed.

Rowland
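Rowland reduced the sysvolcheck error by eye to the owner field (O:LA versus O:DA); a small parser for the SDDL strings that samba-tool prints makes that kind of comparison mechanical and names the trustees involved. This is an added example, not Samba's code: it takes the two strings from the first post as input, and the alias table covers only the trustees that occur in them (LA is the built-in Administrator account, not a group).

```python
import re
from collections import Counter

# Two-letter SDDL trustee aliases seen in Samba sysvol ACLs (a subset of the full table).
SID_ALIASES = {
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
    "LA": "Administrator (the built-in admin account, RID 500, not a group)",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
}
# Access masks that occur in the sysvol ACLs.
RIGHTS = {0x001f01ff: "Full Control", 0x001200a9: "Read & Execute"}

SECTION_RE = re.compile(r"(O|G|D|S):")   # owner, group, DACL, SACL section markers
ACE_RE = re.compile(r"\(([^)]*)\)")       # one parenthesised ACE


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples.
    Each ACE is (type, flags, rights, object_guid, inherit_guid, trustee)."""
    marks = [(m.start(), m.group(1)) for m in SECTION_RE.finditer(sddl)]
    sections = {}
    for i, (pos, name) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(sddl)
        sections[name] = sddl[pos + 2:end]
    dacl = sections.get("D", "")
    first_ace = dacl.find("(")
    flags = dacl if first_ace < 0 else dacl[:first_ace]   # "P" = protected, no inheritance
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": flags, "aces": aces}


def describe(trustee):
    """Human name for a two-letter alias; raw SIDs are returned unchanged."""
    return SID_ALIASES.get(trustee, trustee)


def format_ace(ace):
    ace_type, flags, rights, _, _, trustee = ace
    mask = int(rights, 16) if rights.startswith("0x") else rights
    kind = "Allow" if ace_type == "A" else "Deny" if ace_type == "D" else ace_type
    return "%s %s to %s (flags %s)" % (kind, RIGHTS.get(mask, rights), describe(trustee), flags or "-")


def diff_sddl(actual, expected):
    """List every component where two SDDL strings differ; ACE order is ignored,
    but repeated ACEs are counted (the sysvol DACL carries the DA ACE twice)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for key in ("owner", "group"):
        if a[key] != e[key]:
            diffs.append("%s: got %s (%s), expected %s (%s)" % (
                key, a[key], describe(a[key]), e[key], describe(e[key])))
    if a["dacl_flags"] != e["dacl_flags"]:
        diffs.append("DACL flags: got %s, expected %s" % (a["dacl_flags"], e["dacl_flags"]))
    for ace, n in (Counter(e["aces"]) - Counter(a["aces"])).items():
        diffs.append("missing ACE (x%d): %s" % (n, format_ace(ace)))
    for ace, n in (Counter(a["aces"]) - Counter(e["aces"])).items():
        diffs.append("unexpected ACE (x%d): %s" % (n, format_ace(ace)))
    return diffs


# The two strings from the sysvolcheck error earlier in this thread.
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)
```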
Hi Rowland.

It's CentOS 6.10 with Python 2.6.6.

I guess then we must update to CentOS 8 and use Python 3?

We are worried about the compatibility of the latest versions of Samba with our Dell EMC Unity storage. We did have to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?

Regards,

Pablo Sanz Fernández
On 11/05/2020 11:09, Pablo Sanz Fernández wrote:
> Hi Rowland.
>
> It's CentOS 6.10 with Python 2.6.6.
>
> I guess then we must update to CentOS 8 and use Python 3?

That is what I would do. As I said, your problem may have been fixed in a later version.

What you haven't answered, have you given any of the Windows groups (apart from Domain Users) a gidNumber attribute ?

> We are worried about the compatibility of the latest versions of Samba with our Dell EMC Unity storage. We did have to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?

It was deprecated from 4.8.0 , but luckily it hasn't been removed yet.

Rowland
Sorry Rowland, didn't read that part.

Yes, the 'Domain Admins' group has the gidNumber attribute with the value "512", and 'BUILTIN\Server Operators' the value "549".

Regards,

Pablo Sanz Fernández
On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> Sorry Rowland, didn't read that part.
>
> Yes, the 'Domain Admins' group has the gidNumber attribute with the value "512", and 'BUILTIN\Server Operators' the value "549".

I can sort of understand why 'Domain Admins' has a gidNumber, but why 'Server operators' ?

The only group from the Windows 'Well Known SIDs' that requires a gidNumber attribute is 'Domain Users'.

You can give 'Domain Admins' a gidNumber, but there is a problem with doing that, it turns the Windows group into a Unix group ;-)

That might sound like it isn't a problem, except that a Windows group can own files and directories and a Unix group cannot, which is where we came in, Domain Admins needs to own things in Sysvol ;-)

I create a group (I use the imaginative name of 'Unix Admins'), give this group a gidNumber and make it a member of Domain Admins. Then I use the group wherever I would normally use Domain Admins, except for Sysvol.

Rowland
Hi,

I have been investigating and I am afraid that our case is the same as this one:

https://lists.samba.org/archive/samba/2017-September/210724.html

As you said, we have a problem with the gidNumber inherited from a migration from Samba 3.x NT4 to Samba 4.x AD. I have followed your prompts, removing the gidNumber from all AD 'BUILTIN' groups, in addition to the 'Administrators' group, with the sole exception of the 'Domain Users' group. After doing so, the wbinfo command already works for those groups:

    [root@mercurio2]# wbinfo --sid-to-uid=S-1-5-32-549
    3001417

And so does the sysvol permission correction script (samba-check-set-sysvol.sh), but we still can't create or edit GPOs. And if we open the SYSVOL shared folder properties from a Windows computer, with the 'Computer Management' MMC, in the Security tab we see, while it stays open, because it crashes:

    Everyone
    S-1-22-2-544
    S-1-22-2-549
    CREATOR OWNER
    .
    .
    .

What can we do to solve this?

Pablo Sanz Fernández
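Rowland's rule (only Domain Users needs a gidNumber; Domain Admins and the BUILTIN groups should not carry one, and a separate Unix-mapped group stands in for Domain Admins outside Sysvol) can be turned into a check plus the LDIF to act on it, which is what the previous two messages do by hand. This is an added example, not Samba's code: the group records are constructed stand-ins for what ldbsearch returns, the domain SID is made up, and the LDIF is written for ldbmodify against sam.ldb.

```python
DOMAIN_USERS_RID = 513
BUILTIN_PREFIX = "S-1-5-32-"      # BUILTIN\... groups (Administrators = 544, Server Operators = 549)
UNIX_USERS_PREFIX = "S-1-22-1-"   # Samba's SID namespace for raw Unix uids
UNIX_GROUPS_PREFIX = "S-1-22-2-"  # ... and for raw Unix gids (what S-1-22-2-544 in the MMC view is)


def split_sid(sid):
    """Return (prefix, rid) for an SID string such as S-1-5-21-a-b-c-512."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify_sid(sid):
    """'builtin', 'well-known' (domain RID < 1000), 'unix' (S-1-22-*) or 'normal'."""
    if sid.startswith(BUILTIN_PREFIX):
        return "builtin"
    if sid.startswith(UNIX_USERS_PREFIX) or sid.startswith(UNIX_GROUPS_PREFIX):
        return "unix"
    prefix, rid = split_sid(sid)
    if prefix.startswith("S-1-5-21-") and rid < 1000:
        return "well-known"
    return "normal"


def gidnumber_is_a_problem(record):
    """True for a BUILTIN or well-known group that carries gidNumber, Domain Users excepted."""
    if record.get("gidNumber") is None:
        return False
    sid = record["objectSid"]
    kind = classify_sid(sid)
    if kind == "builtin":
        return True
    return kind == "well-known" and split_sid(sid)[1] != DOMAIN_USERS_RID


def audit_groups(records):
    """Return the records whose gidNumber should be removed."""
    return [r for r in records if gidnumber_is_a_problem(r)]


def remove_gidnumber_ldif(records):
    """LDIF (for ldbmodify against sam.ldb) that deletes gidNumber from each record."""
    return "\n".join("dn: %s\nchangetype: modify\ndelete: gidNumber\n-\n" % r["dn"]
                     for r in records)


def unix_admins_ldif(base_dn, gid, name="Unix Admins"):
    """LDIF for Rowland's replacement: an ordinary global security group with a gidNumber,
    added as a member of Domain Admins; use it instead of Domain Admins outside Sysvol."""
    group_dn = "CN=%s,CN=Users,%s" % (name, base_dn)
    return ("dn: %s\nchangetype: add\nobjectClass: group\nsAMAccountName: %s\n"
            "groupType: -2147483646\ngidNumber: %d\n\n"
            "dn: CN=Domain Admins,CN=Users,%s\nchangetype: modify\n"
            "add: member\nmember: %s\n-\n" % (group_dn, name, gid, base_dn, group_dn))


# Constructed stand-ins for what ldbsearch on sam.ldb with (objectClass=group) returns.
BASE_DN = "DC=eadom,DC=ea"                                  # domain from this thread
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"     # made-up domain SID


def _group(name, container, sid, gid):
    return {"dn": "CN=%s,CN=%s,%s" % (name, container, BASE_DN),
            "sAMAccountName": name, "objectSid": sid, "gidNumber": gid}


SAMPLE_GROUPS = [
    _group("Domain Admins", "Users", DOMAIN_SID + "-512", 512),       # should lose it
    _group("Domain Users", "Users", DOMAIN_SID + "-513", 513),        # the one that needs it
    _group("Administrators", "Builtin", "S-1-5-32-544", 544),         # should lose it
    _group("Server Operators", "Builtin", "S-1-5-32-549", 549),       # should lose it
    _group("Print Operators", "Builtin", "S-1-5-32-550", None),       # never had one
    _group("Unix Admins", "Users", DOMAIN_SID + "-1105", 10000),      # Rowland-style group, fine
]

if __name__ == "__main__":
    flagged = audit_groups(SAMPLE_GROUPS)
    print(remove_gidnumber_ldif(flagged))
    print(unix_admins_ldif(BASE_DN, 10000))
```

The S-1-22-2-544 and S-1-22-2-549 entries in the Security tab above are SIDs from Samba's Unix-gid namespace, i.e. files still owned by gids 544 and 549 now that no Windows group maps to those gids; classify_sid labels them 'unix' so they are not mistaken for domain principals.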
Hai,

Which samba version is this exactly, because there is a bug on this.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Pablo Sanz Fernández via samba
> Sent: Tuesday, 12 May 2020 16:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol GPO ACLs problem