samba - Apr 2024 - GPO Editor says "Access denied" for Group Policy Objects

On Thu, 25 Apr 2024 18:19:20 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hi Rowland, all,
> 
> Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba<samba at lists.samba.org>  wrote:
> >
> >> .. we setup 2 new DCs replacing older DCs and joined them to the
> >> domain, then decommissioned the old DCs. I now discover that I
> >> cannot edit the GPO objects anymore.
> >> "sysvolcheck" shows no errors. I read through some
documentation
> >> but it sounds outdated to me. Any hints where I would start
> >> looking? Who should normally be the owner of the sysvol directory
> >> itself?
> >>
> >> What I find strange is that on a domain member, getent group shows
> >> me all Domain groups, while on the DC these are not shown.
> >> But that might be totally unrelated.
> >>
> >> Any hints?
> >>
> > Without more info, Anything would be guess work, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute ?
> >
> > Rowland
> 
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber 
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem
> completely, although there are descriptions out there.
> 
> The group ID of the sysvol entry is "3000000", while on the
domain
> member, the Domain Admin group has the group ID "300512".
Hmm, If you are using rfc2307 attributes, how can the group have the ID
3000000 on a DC (which I would expect), but 300512 on a Unix domain
member ?
Can we see the smb.conf from the Unix domain member ?

The thing with AD and sysvol is that Domain Admins must own things in
sysvol and normally a Unix group cannot own anything, only Unix users
can do this. So, by default on a Samba AD DC, Domain Admins is both a
group and a user (this is set in idmap.ldb on the DC, where Domain
Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
gidNumber attribute, it breaks this and it just becomes a Unix group
and cannot own anything.
> 
> The relevant portion of the DC config is:
> 
> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active 
> directory domain controller dns forwarder = X,Y workgroup = ZZ 
> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use 
> default domain = true winbind offline logon = false winbind nss info
> = rfc2307 winbind enum users = yes winbind enum groups = yes winbind 
> nested groups = Yes server schannel = yes [sysvol] path = 
> /var/lib/samba/sysvol read only = No
> 
> So what do I need to change?
Your email client LOL

[global]
 netbios name = XXX
 realm = XXXX.yyyy.ZZ 
 server role = active directory domain controller 
 dns forwarder = X,Y 
 workgroup = ZZ 
 idmap_ldb:use rfc2307 = yes 
 template shell = /bin/bash 
 winbind use default domain = true

The line above does nothing an a DC

 winbind offline logon = false 

The line above is the default
 
 winbind nss info = rfc2307

The line above does nothing an a DC

 winbind enum users = yes 
 winbind enum groups = yes

You should only set the two lines above for testing purposes, Samba
will work perfectly well without them.

 winbind nested groups = Yes 
 server schannel = yes 

The two lines above are defaults
 
[sysvol]
 path = /var/lib/samba/sysvol
 read only = No

What happened to the 'netlogon' share ? If you removed it, I suggest
you put it back.

Hello Rowland, Luis, all,

Am 25.04.2024 um 18:56 schrieb Rowland Penny via samba:
>> The group ID of the sysvol entry is "3000000", while on the
domain
>> member, the Domain Admin group has the group ID "300512".
> Hmm, If you are using rfc2307 attributes, how can the group have the ID
> 3000000 on a DC (which I would expect), but 300512 on a Unix domain
> member ?
> Can we see the smb.conf from the Unix domain member ?
>
> The thing with AD and sysvol is that Domain Admins must own things in
> sysvol and normally a Unix group cannot own anything, only Unix users
> can do this. So, by default on a Samba AD DC, Domain Admins is both a
> group and a user (this is set in idmap.ldb on the DC, where Domain
> Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
> gidNumber attribute, it breaks this and it just becomes a Unix group
> and cannot own anything.
Yes, I know this, but as we can see this is not the case.

>
>> The relevant portion of the DC config is:
>>
>> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active
>> directory domain controller dns forwarder = X,Y workgroup = ZZ
>> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use
>> default domain = true winbind offline logon = false winbind nss info
>> = rfc2307 winbind enum users = yes winbind enum groups = yes winbind
>> nested groups = Yes server schannel = yes [sysvol] path >>
/var/lib/samba/sysvol read only = No
>>
>> So what do I need to change?
> Your email client LOL
Ah yes I will format the lines better next time :-(

>
> [global]
>   netbios name = XXX
>   realm = XXXX.yyyy.ZZ
>   server role = active directory domain controller
>   dns forwarder = X,Y
>   workgroup = ZZ
>   idmap_ldb:use rfc2307 = yes
>   template shell = /bin/bash
>   winbind use default domain = true
>
> The line above does nothing an a DC
>
>   winbind offline logon = false
>
> The line above is the default
>   
>   winbind nss info = rfc2307
>
> The line above does nothing an a DC
>
>   winbind enum users = yes
>   winbind enum groups = yes
>
> You should only set the two lines above for testing purposes, Samba
> will work perfectly well without them.
>
>   winbind nested groups = Yes
>   server schannel = yes
>
> The two lines above are defaults
>   
> [sysvol]
>   path = /var/lib/samba/sysvol
>   read only = No
>
> What happened to the 'netlogon' share ? If you removed it, I
suggest
> you put it back.
>
No , I just omitted that part. The enum lines are only there for 
testing, I know that it reduces performance.

So I understand I can simplify the dc config, but it is not "wrong" 
(before looking at below member server config).

Here is the domain member server config:

 ?? workgroup = XXXX
 ?? security = ADS
 ?? realm = XXXX.yyyy.ZZ
 ?? winbind refresh tickets = Yes
 ?? dedicated keytab file = /etc/krb5.keytab
 ?? kerberos method = secrets and keytab
 ?? winbind use default domain = no
 ?? winbind enum users = yes
 ?? winbind enum groups = yes
 ?? winbind nested groups?? = Yes
 ?? winbind expand groups?? = 4
 ?? server schannel = yes
 ?? access based share enum = true
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config XXXX : backend = rid
    idmap config XXXX : range = 300000-400000

The "XXXX" stands for our our AD domain, there might be other coming
so
this is why we set an idmap range for that domain.

I suspect that I forgot to set the idmap config on the DC(s) accordingly?

Regards, Jakob Curdes