Jakob Curdes
2024-Apr-25 16:19 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
Hi Rowland, all,

On 25.04.2024 at 17:24, Rowland Penny via samba wrote:
> On Thu, 25 Apr 2024 16:55:55 +0200
> Jakob Curdes via samba <samba at lists.samba.org> wrote:
>
>> .. we set up 2 new DCs replacing older DCs and joined them to the
>> domain, then decommissioned the old DCs. I now discover that I cannot
>> edit the GPO objects anymore.
>> "sysvolcheck" shows no errors. I read through some documentation but
>> it sounds outdated to me. Any hints where I would start looking? Who
>> should normally be the owner of the sysvol directory itself?
>>
>> What I find strange is that on a domain member, getent group shows me
>> all Domain groups, while on the DC these are not shown.
>> But that might be totally unrelated.
>>
>> Any hints?
>>
> Without more info, anything would be guesswork, but a guess in the
> dark would be to ask if you are using rfc2307 attributes and if so,
> does Domain Admins have a gidNumber attribute?
>
> Rowland

Yes, we are using rfc2307 attributes, and I do not see a gidNumber attribute in the properties of the "Domain Admins" group.
To be honest, I never understood this gid / rfc2307 problem completely, although there are descriptions out there.

The group ID of the sysvol entry is "3000000", while on the domain member, the Domain Admin group has the group ID "300512".

The relevant portion of the DC config is:

[global]
netbios name = XXX
realm = XXXX.yyyy.ZZ
server role = active directory domain controller
dns forwarder = X,Y
workgroup = ZZ
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
server schannel = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

So what do I need to change?

Regards, Jakob
Luis Peromarta
2024-Apr-25 16:27 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
I don't think you need winbind on a DC as user mapping is done by its own databases. I think you have mixed up member server configs into DC configs.

A smb.conf like this should be enough:

[global]
dns forwarder = 1.1.1.1
netbios name = AAA
realm = XXXT
server role = active directory domain controller
workgroup = MAD
idmap_ldb:use rfc2307 = yes

# Allow this for free radius to work
ntlm auth = mschapv2-and-ntlmv2-only

# Disable Netbios
disable netbios = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/XXXTscripts
read only = No

See this for details: http://samba.bigbird.es/doku.php?id=samba:idmap-backends

LP

On Apr 25, 2024 at 17:20 +0100, Jakob Curdes via samba <samba at lists.samba.org>, wrote:
> Hi Rowland, all,
>
> On 25.04.2024 at 17:24, Rowland Penny via samba wrote:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba <samba at lists.samba.org> wrote:
> >
> > > .. we set up 2 new DCs replacing older DCs and joined them to the
> > > domain, then decommissioned the old DCs. I now discover that I cannot
> > > edit the GPO objects anymore.
> > > "sysvolcheck" shows no errors. I read through some documentation but
> > > it sounds outdated to me. Any hints where I would start looking? Who
> > > should normally be the owner of the sysvol directory itself?
> > >
> > > What I find strange is that on a domain member, getent group shows me
> > > all Domain groups, while on the DC these are not shown.
> > > But that might be totally unrelated.
> > >
> > > Any hints?
> > >
> > Without more info, anything would be guesswork, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute?
> >
> > Rowland
>
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem completely,
> although there are descriptions out there.
>
> The group ID of the sysvol entry is "3000000", while on the domain
> member, the Domain Admin group has the group ID "300512".
>
> The relevant portion of the DC config is:
>
> [global]
> netbios name = XXX
> realm = XXXX.yyyy.ZZ
> server role = active directory domain controller
> dns forwarder = X,Y
> workgroup = ZZ
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> server schannel = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> So what do I need to change?
>
> Regards, Jakob
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2024-Apr-25 16:56 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 18:19:20 +0200 Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hi Rowland, all,
>
> On 25.04.2024 at 17:24, Rowland Penny via samba wrote:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba <samba at lists.samba.org> wrote:
> >
> >> .. we set up 2 new DCs replacing older DCs and joined them to the
> >> domain, then decommissioned the old DCs. I now discover that I
> >> cannot edit the GPO objects anymore.
> >> "sysvolcheck" shows no errors. I read through some documentation
> >> but it sounds outdated to me. Any hints where I would start
> >> looking? Who should normally be the owner of the sysvol directory
> >> itself?
> >>
> >> What I find strange is that on a domain member, getent group shows
> >> me all Domain groups, while on the DC these are not shown.
> >> But that might be totally unrelated.
> >>
> >> Any hints?
> >>
> > Without more info, anything would be guesswork, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute?
> >
> > Rowland
>
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem
> completely, although there are descriptions out there.
>
> The group ID of the sysvol entry is "3000000", while on the domain
> member, the Domain Admin group has the group ID "300512".

Hmm, if you are using rfc2307 attributes, how can the group have the ID 3000000 on a DC (which I would expect), but 300512 on a Unix domain member? Can we see the smb.conf from the Unix domain member?

The thing with AD and sysvol is that Domain Admins must own things in sysvol and normally a Unix group cannot own anything, only Unix users can do this. So, by default on a Samba AD DC, Domain Admins is both a group and a user (this is set in idmap.ldb on the DC, where Domain Admins is classified as ID_TYPE_BOTH).

If you give Domain Admins a gidNumber attribute, it breaks this and it just becomes a Unix group and cannot own anything.

> The relevant portion of the DC config is:
>
> [global]
> netbios name = XXX
> realm = XXXX.yyyy.ZZ
> server role = active directory domain controller
> dns forwarder = X,Y
> workgroup = ZZ
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> server schannel = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> So what do I need to change?

Your email client LOL

[global]
netbios name = XXX
realm = XXXX.yyyy.ZZ
server role = active directory domain controller
dns forwarder = X,Y
workgroup = ZZ
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true

The line above does nothing on a DC

winbind offline logon = false

The line above is the default

winbind nss info = rfc2307

The line above does nothing on a DC

winbind enum users = yes
winbind enum groups = yes

You should only set the two lines above for testing purposes, Samba will work perfectly well without them.

winbind nested groups = Yes
server schannel = yes

The two lines above are defaults

[sysvol]
path = /var/lib/samba/sysvol
read only = No

What happened to the 'netlogon' share? If you removed it, I suggest you put it back.
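An added example (not code from the thread or from Samba) that turns Rowland's two checks into an offline script: it flags the winbind settings he says are not needed on a DC and a missing [netlogon] share in an smb.conf, and it flags a gidNumber on Domain Admins or an idmap.ldb mapping whose type is not ID_TYPE_BOTH in ldbsearch/LDIF dumps. The sample inputs, the gidNumber value and the domain SID S-1-5-21-1-2-3 are constructed; on a real DC you would feed it the smb.conf and the output of ldbsearch against sam.ldb and idmap.ldb.

```python
# Added example, not the thread's own code: offline checks for the points Rowland raises.
import re
DC_NOOP = {"winbind use default domain", "winbind nss info",  # do nothing on a DC (Rowland)
           "winbind enum users", "winbind enum groups"}       # only for testing (Rowland)

def parse_smb_conf(text):
    """Return {section: {key: value}}; '#' and ';' comments are stripped."""
    conf, sect = {}, None
    for line in (l.split("#")[0].split(";")[0].strip() for l in text.splitlines()):
        if line[:1] == "[":
            sect = conf.setdefault(line.strip("[]").strip().lower(), {})
        elif "=" in line and sect is not None:
            k, v = line.split("=", 1)
            sect[k.strip().lower()] = v.strip()
    return conf

def check_dc_conf(conf):
    """Flag winbind settings that are not needed on an AD DC and a missing [netlogon] share."""
    g = conf.get("global", {})
    findings = [f"'{k}' is not needed on a DC" for k in g if k in DC_NOOP]
    if "active directory" in g.get("server role", "").lower() and "netlogon" not in conf:
        findings.append("[netlogon] share is missing")
    return findings

def ldif_entries(text):
    """Parse an LDIF/ldbsearch dump into a list of {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for k, v in (l.split(":", 1) for l in block.splitlines() if ":" in l and l[0] != "#"):
            entry.setdefault(k.strip().lower(), []).append(v.strip())
        entries.append(entry)
    return entries

def check_sysvol_owner(group_ldif, idmap_ldif, sid):
    """Flag a gidNumber on Domain Admins (makes it a plain Unix group) or an idmap type that is not ID_TYPE_BOTH."""
    findings = []
    if any("gidnumber" in e and "domain admins" in map(str.lower, e.get("cn", []))
           for e in ldif_entries(group_ldif)):
        findings.append("Domain Admins has a gidNumber attribute")
    types = [e.get("type", ["?"])[0] for e in ldif_entries(idmap_ldif) if sid in e.get("objectsid", [])]
    if types != ["ID_TYPE_BOTH"]:
        findings.append(f"idmap.ldb type for {sid} is {types or 'missing'}, not ID_TYPE_BOTH")
    return findings

# Constructed samples modelled on the thread (domain SID S-1-5-21-1-2-3 is a placeholder).
SAMPLE_CONF = ("[global]\nserver role = active directory domain controller\nwinbind nss info = rfc2307\n"
               "winbind enum users = yes\n[sysvol]\npath = /var/lib/samba/sysvol\n")
SAMPLE_GROUP = "dn: CN=Domain Admins,CN=Users,DC=example,DC=com\ncn: Domain Admins\ngidNumber: 10512\n"
SAMPLE_IDMAP = "objectSid: S-1-5-21-1-2-3-512\ntype: ID_TYPE_BOTH\nxidNumber: 3000000\n"
```

Calling check_dc_conf(parse_smb_conf(SAMPLE_CONF)) and check_sysvol_owner(SAMPLE_GROUP, SAMPLE_IDMAP, "S-1-5-21-1-2-3-512") reproduces the findings Rowland describes for Jakob's setup.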