Rowland Penny
2024-Apr-25 16:56 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 18:19:20 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:

> Hi Rowland, all,
>
> On 25.04.2024 at 17:24, Rowland Penny via samba wrote:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba <samba at lists.samba.org> wrote:
> >
> > > .. we set up 2 new DCs replacing older DCs and joined them to the
> > > domain, then decommissioned the old DCs. I now discover that I
> > > cannot edit the GPO objects anymore.
> > > "sysvolcheck" shows no errors. I read through some documentation
> > > but it sounds outdated to me. Any hints where I would start
> > > looking? Who should normally be the owner of the sysvol directory
> > > itself?
> > >
> > > What I find strange is that on a domain member, getent group shows
> > > me all Domain groups, while on the DC these are not shown.
> > > But that might be totally unrelated.
> > >
> > > Any hints?
> > >
> > Without more info, anything would be guesswork, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute ?
> >
> > Rowland
>
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem
> completely, although there are descriptions out there.
>
> The group ID of the sysvol entry is "3000000", while on the domain
> member, the Domain Admin group has the group ID "300512".

Hmm, if you are using rfc2307 attributes, how can the group have the ID
3000000 on a DC (which I would expect), but 300512 on a Unix domain
member ?
Can we see the smb.conf from the Unix domain member ?

The thing with AD and sysvol is that Domain Admins must own things in
sysvol and normally a Unix group cannot own anything, only Unix users
can do this. So, by default on a Samba AD DC, Domain Admins is both a
group and a user (this is set in idmap.ldb on the DC, where Domain
Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
gidNumber attribute, it breaks this and it just becomes a Unix group
and cannot own anything.

> The relevant portion of the DC config is:
>
> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active
> directory domain controller dns forwarder = X,Y workgroup = ZZ
> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use
> default domain = true winbind offline logon = false winbind nss info
> = rfc2307 winbind enum users = yes winbind enum groups = yes winbind
> nested groups = Yes server schannel = yes [sysvol] path =
> /var/lib/samba/sysvol read only = No
>
> So what do I need to change?

Your email client LOL

[global]
netbios name = XXX
realm = XXXX.yyyy.ZZ
server role = active directory domain controller
dns forwarder = X,Y
workgroup = ZZ
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true

The line above does nothing on a DC

winbind offline logon = false

The line above is the default

winbind nss info = rfc2307

The line above does nothing on a DC

winbind enum users = yes
winbind enum groups = yes

You should only set the two lines above for testing purposes, Samba
will work perfectly well without them.

winbind nested groups = Yes
server schannel = yes

The two lines above are defaults

[sysvol]
path = /var/lib/samba/sysvol
read only = No

What happened to the 'netlogon' share ? If you removed it, I suggest
you put it back.
Jakob Curdes
2024-Apr-25 17:32 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
Hello Rowland, Luis, all,

On 25.04.2024 at 18:56, Rowland Penny via samba wrote:
> > The group ID of the sysvol entry is "3000000", while on the domain
> > member, the Domain Admin group has the group ID "300512".
> Hmm, if you are using rfc2307 attributes, how can the group have the ID
> 3000000 on a DC (which I would expect), but 300512 on a Unix domain
> member ?
> Can we see the smb.conf from the Unix domain member ?
>
> The thing with AD and sysvol is that Domain Admins must own things in
> sysvol and normally a Unix group cannot own anything, only Unix users
> can do this. So, by default on a Samba AD DC, Domain Admins is both a
> group and a user (this is set in idmap.ldb on the DC, where Domain
> Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
> gidNumber attribute, it breaks this and it just becomes a Unix group
> and cannot own anything.

Yes, I know this, but as we can see this is not the case.

> > The relevant portion of the DC config is:
> >
> > [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active
> > directory domain controller dns forwarder = X,Y workgroup = ZZ
> > idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use
> > default domain = true winbind offline logon = false winbind nss info
> > = rfc2307 winbind enum users = yes winbind enum groups = yes winbind
> > nested groups = Yes server schannel = yes [sysvol] path =
> > /var/lib/samba/sysvol read only = No
> >
> > So what do I need to change?
>
> Your email client LOL

Ah yes, I will format the lines better next time :-(

> [global]
> netbios name = XXX
> realm = XXXX.yyyy.ZZ
> server role = active directory domain controller
> dns forwarder = X,Y
> workgroup = ZZ
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> winbind use default domain = true
>
> The line above does nothing on a DC
>
> winbind offline logon = false
>
> The line above is the default
>
> winbind nss info = rfc2307
>
> The line above does nothing on a DC
>
> winbind enum users = yes
> winbind enum groups = yes
>
> You should only set the two lines above for testing purposes, Samba
> will work perfectly well without them.
>
> winbind nested groups = Yes
> server schannel = yes
>
> The two lines above are defaults
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> What happened to the 'netlogon' share ? If you removed it, I suggest
> you put it back.

No, I just omitted that part. The enum lines are only there for testing,
I know that it reduces performance. So I understand I can simplify the
DC config, but it is not "wrong" (before looking at the member server
config below).

Here is the domain member server config:

workgroup = XXXX
security = ADS
realm = XXXX.yyyy.ZZ
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
winbind expand groups = 4
server schannel = yes
access based share enum = true
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXX : backend = rid
idmap config XXXX : range = 300000-400000

The "XXXX" stands for our AD domain; there might be others coming, so
this is why we set an idmap range for that domain. I suspect that I
forgot to set the idmap config on the DC(s) accordingly?

Regards,
Jakob Curdes
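Worked example, added by the editor and not part of the thread or of Samba
itself: the two numbers in the thread (3000000 on the DC, 300512 on the
member) come from two different ID sources. The member's idmap_rid backend
computes IDs arithmetically from the SID's RID and the configured range
(ID = RID + LOW_RANGE_ID, as documented in idmap_rid(8)), whereas a Samba AD
DC takes its IDs from idmap.ldb, whose allocation pool starts at 3000000 by
default and which marks Domain Admins as ID_TYPE_BOTH. The script below parses
the member's "idmap config" lines (a constructed copy of the config Jakob
posted, with the placeholder domain name XXXX kept), applies the idmap_rid
mapping in both directions, and reproduces the 300512 for Domain Admins
(well-known RID 512). The domain SID is constructed, and the whole thing is
an illustration of the mapping rather than a tool that reads a live system.

```python
"""Reproduce Samba's idmap_rid mapping from an smb.conf fragment.

idmap_rid(8): ID = RID + LOW_RANGE_ID, and the inverse RID = ID - LOW_RANGE_ID.
IDs that fall outside the configured range are not mapped at all.
A Samba AD DC does not use this backend; its IDs come from idmap.ldb.
"""
import re

# Constructed sample input, modelled on the member server smb.conf posted in
# the thread. "XXXX" is the placeholder domain name used there.
MEMBER_SMB_CONF = """
workgroup = XXXX
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXX : backend = rid
idmap config XXXX : range = 300000-400000
"""

# Well-known, fixed RIDs from Active Directory.
DOMAIN_ADMINS_RID = 512
DOMAIN_USERS_RID = 513

# Constructed example domain SID; a real one has the same S-1-5-21-x-y-z shape.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_config(text):
    """Return {DOMAIN: {'backend': ..., 'range': (low, high)}} from smb.conf text.

    Only "idmap config <domain> : <key> = <value>" lines are considered; every
    other smb.conf parameter is ignored. Domain names are normalised to upper case.
    """
    cfg = {}
    for line in text.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", value, maxsplit=1))
            if low >= high:
                raise ValueError(f"bad idmap range for {domain}: {value}")
            entry["range"] = (low, high)
        else:
            entry[key] = value.lower()
    return cfg


def rid_from_sid(sid):
    """The RID is the last sub-authority of an SID string such as S-1-5-21-...-512."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not an SID: {sid!r}")
    return int(parts[-1])


def rid_to_unix_id(rid, low, high):
    """idmap_rid forward mapping; a RID that would land outside the range stays unmapped."""
    unix_id = rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} -> {unix_id} is outside range {low}-{high}")
    return unix_id


def unix_id_to_rid(unix_id, low, high):
    """idmap_rid reverse mapping, e.g. to find which RID a file's gid stands for."""
    if not low <= unix_id <= high:
        raise ValueError(f"ID {unix_id} is outside range {low}-{high}")
    return unix_id - low


def member_unix_id(domain, sid, cfg):
    """The Unix ID a member with this idmap config assigns to the given SID."""
    entry = cfg.get(domain.upper())
    if entry is None or entry.get("backend") != "rid" or "range" not in entry:
        raise ValueError(f"no complete idmap_rid configuration for domain {domain}")
    return rid_to_unix_id(rid_from_sid(sid), *entry["range"])


if __name__ == "__main__":
    cfg = parse_idmap_config(MEMBER_SMB_CONF)
    admins_sid = f"{DOMAIN_SID}-{DOMAIN_ADMINS_RID}"
    member_gid = member_unix_id("XXXX", admins_sid, cfg)  # 300512, as seen in the thread
    dc_gid = 3000000  # the sysvol gid reported on the DC, allocated by idmap.ldb
    print(f"member (idmap_rid) maps Domain Admins to gid {member_gid}")
    print(f"DC (idmap.ldb) reports sysvol owned by gid {dc_gid}")
    print(f"gid {member_gid} on the member resolves back to RID "
          f"{unix_id_to_rid(member_gid, *cfg['XXXX']['range'])}")
```

The point the numbers make: the member's 300512 is simply 512 + 300000 and is
local to that member, while the DC's 3000000 is an idmap.ldb allocation that is
local to the DCs, so the two never had to match. What has to hold on the DC is
the ID_TYPE_BOTH mapping for Domain Admins that Rowland describes, which is why
adding a gidNumber to that group is the thing to check first.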