Jakob Curdes
2024-Apr-25 17:32 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
Hello Rowland, Luis, all,

On 25.04.2024 at 18:56, Rowland Penny via samba wrote:
>> The group ID of the sysvol entry is "3000000", while on the domain
>> member, the Domain Admin group has the group ID "300512".
> Hmm, if you are using rfc2307 attributes, how can the group have the ID
> 3000000 on a DC (which I would expect), but 300512 on a Unix domain
> member?
> Can we see the smb.conf from the Unix domain member?
>
> The thing with AD and sysvol is that Domain Admins must own things in
> sysvol and normally a Unix group cannot own anything, only Unix users
> can do this. So, by default on a Samba AD DC, Domain Admins is both a
> group and a user (this is set in idmap.ldb on the DC, where Domain
> Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
> gidNumber attribute, it breaks this and it just becomes a Unix group
> and cannot own anything.

Yes, I know this, but as we can see this is not the case.

>> The relevant portion of the DC config is:
>>
>> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active
>> directory domain controller dns forwarder = X,Y workgroup = ZZ
>> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use
>> default domain = true winbind offline logon = false winbind nss info
>> = rfc2307 winbind enum users = yes winbind enum groups = yes winbind
>> nested groups = Yes server schannel = yes [sysvol] path
>> /var/lib/samba/sysvol read only = No
>>
>> So what do I need to change?
>
> Your email client LOL

Ah yes, I will format the lines better next time :-(

> [global]
> netbios name = XXX
> realm = XXXX.yyyy.ZZ
> server role = active directory domain controller
> dns forwarder = X,Y
> workgroup = ZZ
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> winbind use default domain = true
>
> The line above does nothing on a DC
>
> winbind offline logon = false
>
> The line above is the default
>
> winbind nss info = rfc2307
>
> The line above does nothing on a DC
>
> winbind enum users = yes
> winbind enum groups = yes
>
> You should only set the two lines above for testing purposes, Samba
> will work perfectly well without them.
>
> winbind nested groups = Yes
> server schannel = yes
>
> The two lines above are defaults
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> What happened to the 'netlogon' share? If you removed it, I suggest
> you put it back.

No, I just omitted that part. The enum lines are only there for testing, I know that it reduces performance.

So I understand I can simplify the DC config, but it is not "wrong" (before looking at the member server config below).

Here is the domain member server config:

    workgroup = XXXX
    security = ADS
    realm = XXXX.yyyy.ZZ
    winbind refresh tickets = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = Yes
    winbind expand groups = 4
    server schannel = yes
    access based share enum = true
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config XXXX : backend = rid
    idmap config XXXX : range = 300000-400000

The "XXXX" stands for our AD domain, there might be others coming so this is why we set an idmap range for that domain.

I suspect that I forgot to set the idmap config on the DC(s) accordingly?

Regards,
Jakob Curdes
Rowland Penny
2024-Apr-25 17:59 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 19:32:26 +0200 Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hello Rowland, Luis, all,
>
> Am 25.04.2024 um 18:56 schrieb Rowland Penny via samba:
> >
> > [global]
> > netbios name = XXX
> > realm = XXXX.yyyy.ZZ
> > server role = active directory domain controller
> > dns forwarder = X,Y
> > workgroup = ZZ
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > winbind use default domain = true
> >
> > The line above does nothing on a DC
> >
> > winbind offline logon = false
> >
> > The line above is the default
> >
> > winbind nss info = rfc2307
> >
> > The line above does nothing on a DC
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > You should only set the two lines above for testing purposes, Samba
> > will work perfectly well without them.
> >
> > winbind nested groups = Yes
> > server schannel = yes
> >
> > The two lines above are defaults
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > What happened to the 'netlogon' share? If you removed it, I suggest
> > you put it back.
>
> No, I just omitted that part. The enum lines are only there for
> testing, I know that it reduces performance.
>
> So I understand I can simplify the DC config, but it is not "wrong"

Yes, there is nothing really 'wrong'.

> (before looking at the member server config below).
>
> Here is the domain member server config:
>
>     workgroup = XXXX
>     security = ADS
>     realm = XXXX.yyyy.ZZ
>     winbind refresh tickets = Yes
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind use default domain = no
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = Yes
>     winbind expand groups = 4
>     server schannel = yes
>     access based share enum = true
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config XXXX : backend = rid

Are there any other Unix domain members? Because this one isn't using any rfc2307 attributes, so, if there are no other Unix domain members and there are rfc2307 attributes in AD, then you might as well remove them.

>     idmap config XXXX : range = 300000-400000
>
> The "XXXX" stands for our AD domain, there might be others coming
> so this is why we set an idmap range for that domain.

If you add another AD domain, you will also have to use trusts.

> I suspect that I forgot to set the idmap config on the DC(s)
> accordingly?

Do not set idmap config lines on a Samba DC, they do not work, you must use the 3000000 numbers or use rfc2307 attributes (uidNumber, gidNumber, etc).

Have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

Rowland
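The two numbers in this thread (300512 on the member, 3000000 on the DC) come from two different mapping mechanisms, and the member's one is purely arithmetic. The idmap_rid backend maps a SID to a Unix ID as `ID = RID - BASE_RID + LOW_RANGE_ID` (BASE_RID defaults to 0), so with `idmap config XXXX : range = 300000-400000` the Domain Admins RID 512 lands on exactly 300512, while the DC's 3000000+ IDs are allocated from idmap.ldb and are not derived from the RID at all. The following is an added example written for this page, not code from the Samba project or from either poster; the SID `S-1-5-21-111-222-333` and the `member_smb_conf` text are constructed to mirror the configuration quoted above, and the `*` tdb range and its low-end allocation rule are modelled only as "first ID in range" for illustration.

```python
"""Reproduce the idmap_rid arithmetic for a Samba domain member.

Parses 'idmap config DOMAIN : backend/range' lines from an smb.conf fragment,
then maps SIDs of the form S-1-5-21-X-Y-Z-RID with the rule documented for
idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (BASE_RID defaults to 0).
Out-of-range results are rejected, because winbind would likewise refuse them.
"""
import re

# Well-known domain RIDs (from the Windows security identifier specification).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Constructed smb.conf fragment mirroring the member config quoted in the thread.
member_smb_conf = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXX : backend = rid
idmap config XXXX : range = 300000-400000
"""

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {domain: {key: value}} for every 'idmap config' line in text."""
    cfg = {}
    for line in text.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom"), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(rng):
    """'300000-400000' -> (300000, 400000); validates ordering."""
    low, high = (int(x) for x in rng.split("-", 1))
    if low > high:
        raise ValueError("idmap range low end exceeds high end: %s" % rng)
    return low, high


def split_sid(sid):
    """'S-1-5-21-111-222-333-512' -> ('S-1-5-21-111-222-333', 512)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID: %s" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(sid, domain_cfg):
    """Apply the idmap_rid formula for one domain's config block.

    Raises ValueError if the computed ID falls outside the configured range,
    which is what makes a mis-sized range show up as unmapped SIDs.
    """
    if domain_cfg.get("backend", "").lower() != "rid":
        raise ValueError("backend is not rid: %r" % domain_cfg.get("backend"))
    low, high = parse_range(domain_cfg["range"])
    base_rid = int(domain_cfg.get("base_rid", 0))
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError("RID %d maps to %d, outside %d-%d" % (rid, unix_id, low, high))
    return unix_id


def map_well_known(domain_sid, domain_cfg):
    """Map each well-known RID of the domain; returns {name: unix_id}."""
    return {
        name: rid_to_unix_id("%s-%d" % (domain_sid, rid), domain_cfg)
        for rid, name in WELL_KNOWN_RIDS.items()
    }


if __name__ == "__main__":
    cfg = parse_idmap_config(member_smb_conf)
    # Constructed domain SID; only the trailing RID matters to idmap_rid.
    for name, uid in sorted(map_well_known("S-1-5-21-111-222-333", cfg["XXXX"]).items()):
        print("%-18s -> %d" % (name, uid))
```

Running the block against the quoted member config prints `Domain Admins -> 300512`, the number Jakob observed, which confirms the member side is behaving exactly as configured. The mismatch with the DC is therefore not a member-side misconfiguration: the DC does not honour `idmap config` lines, so its IDs can only be made to agree with the member by giving the relevant AD objects rfc2307 `uidNumber`/`gidNumber` attributes (with the sysvol ownership caveat Rowland raises) or by accepting that member and DC IDs differ.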