samba - Apr 2024 - GPO Editor says "Access denied" for Group Policy Objects

Hi Rowland, all,

Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> On Thu, 25 Apr 2024 16:55:55 +0200
> Jakob Curdes via samba<samba at lists.samba.org>  wrote:
>
>> .. we setup 2 new DCs replacing older DCs and joined them to the
>> domain, then decommissioned the old DCs. I now discover that I cannot
>> edit the GPO objects anymore.
>> "sysvolcheck" shows no errors. I read through some
documentation but
>> it sounds outdated to me. Any hints where I would start looking? Who
>> should normally be the owner of the sysvol directory itself?
>>
>> What I find strange is that on a domain member, getent group shows me
>> all Domain groups, while on the DC these are not shown.
>> But that might be totally unrelated.
>>
>> Any hints?
>>
> Without more info, Anything would be guess work, but a guess in the
> dark would be to ask if you are using rfc2307 attributes and if so,
> does Domain Admins have a gidNumber attribute ?
>
> Rowland
Yes, we are using rfc2307 attributes, and I do not see a gidNumber 
attribute in the properties of the "Domain Admins" group.
To be honest, I never understood this gid / rfc2307 problem completely, 
although there are descriptions out there.

The group ID of the sysvol entry is "3000000", while on the domain 
member, the Domain Admin group has the group ID "300512".

The relevant portion of the DC config is:

[global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active 
directory domain controller dns forwarder = X,Y workgroup = ZZ 
idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use 
default domain = true winbind offline logon = false winbind nss info = 
rfc2307 winbind enum users = yes winbind enum groups = yes winbind 
nested groups = Yes server schannel = yes [sysvol] path = 
/var/lib/samba/sysvol read only = No

So what do I need to change?

Regards, Jakob

I don?t think you need winbind on a DC as user mapping is done by its own
databases. I think you have mixed up member server configs into DC configs.

A smb.conf like this should be enough:

[global]
	dns forwarder = 1.1.1.1
	netbios name = AAA
	realm = XXXT
	server role = active directory domain controller
	workgroup = MAD
	idmap_ldb:use rfc2307??= yes

#Allow this for free radius to work
	ntlm auth = mschapv2-and-ntlmv2-only

# Disable Netbios
?? ? ? ?disable netbios = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/XXXTscripts
	read only = No


See this for details.

http://samba.bigbird.es/doku.php?id=samba:idmap-backends




LP
On Apr 25, 2024 at 17:20 +0100, Jakob Curdes via samba <samba at
lists.samba.org>, wrote:
> Hi Rowland, all,
>
> Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba<samba at lists.samba.org> wrote:
> >
> > > .. we setup 2 new DCs replacing older DCs and joined them to the
> > > domain, then decommissioned the old DCs. I now discover that I
cannot
> > > edit the GPO objects anymore.
> > > "sysvolcheck" shows no errors. I read through some
documentation but
> > > it sounds outdated to me. Any hints where I would start looking?
Who
> > > should normally be the owner of the sysvol directory itself?
> > >
> > > What I find strange is that on a domain member, getent group
shows me
> > > all Domain groups, while on the DC these are not shown.
> > > But that might be totally unrelated.
> > >
> > > Any hints?
> > >
> > Without more info, Anything would be guess work, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute ?
> >
> > Rowland
>
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem completely,
> although there are descriptions out there.
>
> The group ID of the sysvol entry is "3000000", while on the
domain
> member, the Domain Admin group has the group ID "300512".
>
> The relevant portion of the DC config is:
>
> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active
> directory domain controller dns forwarder = X,Y workgroup = ZZ
> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use
> default domain = true winbind offline logon = false winbind nss info >
rfc2307 winbind enum users = yes winbind enum groups = yes winbind
> nested groups = Yes server schannel = yes [sysvol] path >
/var/lib/samba/sysvol read only = No
>
> So what do I need to change?
>
> Regards, Jakob
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Thu, 25 Apr 2024 18:19:20 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hi Rowland, all,
> 
> Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba<samba at lists.samba.org>  wrote:
> >
> >> .. we setup 2 new DCs replacing older DCs and joined them to the
> >> domain, then decommissioned the old DCs. I now discover that I
> >> cannot edit the GPO objects anymore.
> >> "sysvolcheck" shows no errors. I read through some
documentation
> >> but it sounds outdated to me. Any hints where I would start
> >> looking? Who should normally be the owner of the sysvol directory
> >> itself?
> >>
> >> What I find strange is that on a domain member, getent group shows
> >> me all Domain groups, while on the DC these are not shown.
> >> But that might be totally unrelated.
> >>
> >> Any hints?
> >>
> > Without more info, Anything would be guess work, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute ?
> >
> > Rowland
> 
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber 
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem
> completely, although there are descriptions out there.
> 
> The group ID of the sysvol entry is "3000000", while on the
domain
> member, the Domain Admin group has the group ID "300512".
Hmm, If you are using rfc2307 attributes, how can the group have the ID
3000000 on a DC (which I would expect), but 300512 on a Unix domain
member ?
Can we see the smb.conf from the Unix domain member ?

The thing with AD and sysvol is that Domain Admins must own things in
sysvol and normally a Unix group cannot own anything, only Unix users
can do this. So, by default on a Samba AD DC, Domain Admins is both a
group and a user (this is set in idmap.ldb on the DC, where Domain
Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
gidNumber attribute, it breaks this and it just becomes a Unix group
and cannot own anything.
> 
> The relevant portion of the DC config is:
> 
> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active 
> directory domain controller dns forwarder = X,Y workgroup = ZZ 
> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use 
> default domain = true winbind offline logon = false winbind nss info
> = rfc2307 winbind enum users = yes winbind enum groups = yes winbind 
> nested groups = Yes server schannel = yes [sysvol] path = 
> /var/lib/samba/sysvol read only = No
> 
> So what do I need to change?
Your email client LOL

[global]
 netbios name = XXX
 realm = XXXX.yyyy.ZZ 
 server role = active directory domain controller 
 dns forwarder = X,Y 
 workgroup = ZZ 
 idmap_ldb:use rfc2307 = yes 
 template shell = /bin/bash 
 winbind use default domain = true

The line above does nothing an a DC

 winbind offline logon = false 

The line above is the default
 
 winbind nss info = rfc2307

The line above does nothing an a DC

 winbind enum users = yes 
 winbind enum groups = yes

You should only set the two lines above for testing purposes, Samba
will work perfectly well without them.

 winbind nested groups = Yes 
 server schannel = yes 

The two lines above are defaults
 
[sysvol]
 path = /var/lib/samba/sysvol
 read only = No

What happened to the 'netlogon' share ? If you removed it, I suggest
you put it back.