On 25/05/2021 13:16, Carlos via samba wrote:
> HI!
>
> Good morning Louis :-D
>
> In Samba ADDC I did not configure (I understood that I didn't need)
> the nsswitch part, but I did it now in DC 1 and DC2, it seems to me
> that it solved, even before the ids being the same in DC1 and DC2, now
> it remains the same with names, but gpupdate no longer gave an error
> and successfully loaded the police \ o /
>
> But the samba-tool ntacl sysvolreset gave a different error, it was in
> a loop with this message "idmap range not specified for domain '*'",
> but in smb.conf of an ADDC if the idmap is not configured as I
> remember, at least I never did it and I didn't even see it in the
> documentation.
>
> Is something else wrong now?

Yes and no

You are getting that message because of a bug, you cannot use 'idmap config' lines in a DC smb.conf, but there is a default line and that is being picked up. You could normally ignore the error, but why sysvolreset is looping around the error, I am unsure, have you given all the AD groups a gidNumber ?

Rowland

HI

"I am unsure, have you given all the AD groups a gidNumber ?" I don't
understand.....

After minutes (1 or 2), I received error:

samba-tool ntacl sysvolreset
...
...
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/local/samba/lib/python3.8/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.8/site-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/local/samba/lib/python3.8/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python3.8/site-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl
    set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/local/samba/lib/python3.8/site-packages/samba/provision/__init__.py", line 1604, in set_dir_acl
    setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/local/samba/lib/python3.8/site-packages/samba/ntacls.py", line 230, in setntacl
    smbd.set_nt_acl(
----
More INFO(now):
DC 1
getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---
DC 2
getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---
------
GPO with error now:
DC1
getfacl /usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/\{149AD731-C29D-41E7-B1D4-1DECA7DBED58\}/GPT.INI
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/{149AD731-C29D-41E7-B1D4-1DECA7DBED58}/GPT.INI
# owner: BUILTIN\\administrators
# group: users
user::rwx
user:NT\040AUTHORITY\\system:rwx
user:XXXX\\enterprise\040admins:rwx
user:XXXX\\domain\040admins:rwx
user:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
user:XXXX\\domain\040computers:r-x
user:XXXX\\mercado_xxxx:r-x
group::---
group:users:---
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\system:rwx
group:XXXX\\enterprise\040admins:rwx
group:XXXX\\domain\040admins:rwx
group:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
group:XXXX\\domain\040computers:r-x
group:XXXX\\mercado_xxxx:r-x
mask::rwx
other::---
DC 2
getfacl /usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/\{149AD731-C29D-41E7-B1D4-1DECA7DBED58\}/GPT.INI
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/{149AD731-C29D-41E7-B1D4-1DECA7DBED58}/GPT.INI
# owner: BUILTIN\\administrators
# group: users
user::rwx
user:NT\040AUTHORITY\\system:rwx
user:XXXX\\enterprise\040admins:rwx
user:XXXX\\domain\040admins:rwx
user:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
user:XXXX\\domain\040computers:r-x
user:XXXX\\mercado_xxxx:r-x
group::---
group:users:---
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\system:rwx
group:XXXX\\enterprise\040admins:rwx
group:XXXX\\domain\040admins:rwx
group:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
group:XXXX\\domain\040computers:r-x
group:XXXX\\mercado_xxxx:r-x
mask::rwx
other::---
----
DC1
getent passwd Administrator
XXXX\administrator:*:0:100::/home/XXXX/administrator:/bin/false
DC2
getent passwd Administrator
XXXX\administrator:*:0:100::/home/XXXX/administrator:/bin/false
Regards;

On 25/05/2021 09:44, Rowland penny via samba wrote:
> On 25/05/2021 13:16, Carlos via samba wrote:
>> HI!
>>
>> Good morning Louis :-D
>>
>> In Samba ADDC I did not configure (I understood that I didn't need)
>> the nsswitch part, but I did it now in DC 1 and DC2, it seems to me
>> that it solved, even before the ids being the same in DC1 and DC2,
>> now it remains the same with names, but gpupdate no longer gave an
>> error and successfully loaded the police \ o /
>>
>> But the samba-tool ntacl sysvolreset gave a different error, it was
>> in a loop with this message "idmap range not specified for domain
>> '*'", but in smb.conf of an ADDC if the idmap is not configured as I
>> remember, at least I never did it and I didn't even see it in the
>> documentation.
>>
>> Is something else wrong now?
>
> Yes and no
>
> You are getting that message because of a bug, you cannot use 'idmap
> config' lines in a DC smb.conf, but there is a default line and that
> is being picked up. You could normally ignore the error, but why
> sysvolreset is looping around the error, I am unsure, have you given
> all the AD groups a gidNumber ?
>
> Rowland

There's still something off here.
I can't reproduce your error on my Debian 10 DCs with 4.14.4

Post the following.
smb.conf
hosts
resolv.conf
nsswitch.conf

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos via samba
> Sent: Tuesday 25 May 2021 14:56
> To: samba at lists.samba.org
> Subject: Re: [Samba] NT_STATUS_OBJECT_NAME_NOT_FOUND
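
Added example, not code from this thread or from the Samba project: the DC1 and DC2 getfacl listings posted above can be compared mechanically instead of by eye, and ACL names that come back as bare numeric IDs (which is how an entry looks when nsswitch/winbind cannot resolve it) can be flagged. The function names and the sample text are constructed for illustration, and the xid 3000002 is a made-up value.

```python
import re

def unescape(name):
    # getfacl prints a space as \040 and a backslash as \\ inside names
    return re.sub(r"\\(\\|[0-7]{3})", lambda m: "\\" if m.group(1) == "\\"
                  else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map (scope, tag, name) -> perms; owner/group lines use scope 'header'."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("\t")[0].strip()      # drop "#effective:" comments
        header = re.match(r"# (owner|group): (.+)", line)
        if header:
            acl[("header", header.group(1), unescape(header.group(2)))] = ""
        if not line or line.startswith(("#", "getfacl:")):
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        name, perms = rest.rsplit(":", 1)
        acl[(scope, tag, unescape(name))] = perms
    return acl

def diff_acls(a, b):
    """Entries whose permissions differ or that exist on one DC only."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)]

def unresolved(acl):
    """Names that are bare numbers: NSS could not map the xid to a name."""
    return sorted(k for k in acl if k[2].isdigit())

# Constructed sample input, modelled on the listings in this thread.
DC1 = r"""# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:BUILTIN\\administrators:rwx
"""
# Constructed: one unresolved xid (3000002 is made up) and one changed mode.
DC2 = (DC1.replace(r"user:NT\040AUTHORITY\\system:rwx", "user:3000002:rwx")
          .replace(r"authenticated\040users:r-x", r"authenticated\040users:rwx"))

for key, dc1, dc2 in diff_acls(parse_getfacl(DC1), parse_getfacl(DC2)):
    print(key, "DC1:", dc1, "DC2:", dc2)
```

Feed it the saved output of `getfacl` from each DC for the same path; an empty diff and an empty `unresolved()` list on both sides is the state the thread is trying to reach.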