samba - Oct 2020 - Samba Sysvol and GPO Issues

Hi Rowland.

I'm using CentOS 8.2.2004

The Samba is compiled from sources, it's the only DC and I'm not using
it
as a fileserver.

# Global parameters
[global]
        dns forwarder = 10.30.251.70
        netbios name = SAMBA4-01
        realm = LARRY.LAN
        server role = active directory domain controller
        workgroup = LARRY
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/larry.lan/scripts
        read only = No

Thanks!


El mar., 13 oct. 2020 a las 15:48, Rowland penny via samba (<
samba at lists.samba.org>) escribi?:
> On 13/10/2020 19:24, Franco Suarez via samba wrote:
> > Hi Samba Team!
> >
> > It's me again I'm having some issues with gpo's and sysvol
access.
> Strange as it might seem, I do not remember you :-)
> >
> > I've installed samba 4.12.7. using idmap_ldb:use rfc2307
> Yes, but what on and how ?
> >
> > When I tried to create a gpo using the rsat tools I got a Permission
> Denied
> > error.
> >
> > Among other things, I have run:
> > samba-tool ntacl sysvolreset
> >
> > Also I added to smb.conf
> > acl_xattr:ignore system acls = yes
> > in sysvol and netlogon sections.
> > I tried to add 777 permissions to sysvol directory  and used the
github
> > script "samba-check-set-sysvol.sh"
> >
> > but the problem persists.
> >
> > I got this error
> > ==> log.smbd <=> > [2020/10/13 14:56:20.544071,  0]
> > ../../source3/smbd/service.c:183(chdir_current_service)
> >    chdir_current_service: vfs_ChDir(/var/samba/locks/locks/sysvol)
> failed:
> > Permission denied. Current token: uid=3000020, gid=3000004, 12 groups:
> > 3000020 3000004 3000005 3000021 3000008 100 3000014 3000015 3000003
> 3000000
> > 3000009 3000016
>
> It doesn't look like you have modified anything in AD, but that is just
> about all I can tell about you domain from what you have posted.
>
> What OS ?
>
> Are you using the OS Samba packages, third party packages or have you
> compiled Samba yourself ?
>
> Is this the only DC and are you using it as a fileserver ? (not
> recommended)
>
> Please post your smb.conf
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 13/10/2020 19:57, Franco Suarez wrote:
> Hi Rowland.
>
> I'm using CentOS 8.2.2004
>
> The Samba is compiled from sources, it's the only DC and I'm not
using
> it as a fileserver.
>
> # Global parameters
> [global]
> ? ? ? ? dns forwarder = 10.30.251.70
> ? ? ? ? netbios name = SAMBA4-01
> ? ? ? ? realm = LARRY.LAN
> ? ? ? ? server role = active directory domain controller
> ? ? ? ? workgroup = LARRY
> ? ? ? ? idmap_ldb:use rfc2307 = yes
>
> [sysvol]
> ? ? ? ? path = /usr/local/samba/var/locks/sysvol
> ? ? ? ? read only = No
>
> [netlogon]
> ? ? ? ? path = /usr/local/samba/var/locks/sysvol/larry.lan/scripts
> ? ? ? ? read only = No
>
> Thanks!
>
>
There doesn't appear to anything wrong there, so the first thing that 
comes to mind is Selinux.

Rowland

Selinux is disabled.

I don't know.

The GUID and UID in sysvol directories are numbers like 3000004:30000010.

Is it normal?

Thanks!


El mar., 13 oct. 2020 a las 16:10, Rowland penny via samba (<
samba at lists.samba.org>) escribi?:
> On 13/10/2020 19:57, Franco Suarez wrote:
> > Hi Rowland.
> >
> > I'm using CentOS 8.2.2004
> >
> > The Samba is compiled from sources, it's the only DC and I'm
not using
> > it as a fileserver.
> >
> > # Global parameters
> > [global]
> >         dns forwarder = 10.30.251.70
> >         netbios name = SAMBA4-01
> >         realm = LARRY.LAN
> >         server role = active directory domain controller
> >         workgroup = LARRY
> >         idmap_ldb:use rfc2307 = yes
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/larry.lan/scripts
> >         read only = No
> >
> > Thanks!
> >
> >
> There doesn't appear to anything wrong there, so the first thing that
> comes to mind is Selinux.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>