Rowland Penny
2024-Apr-25 17:59 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 19:32:26 +0200 Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hello Rowland, Luis, all,
>
> On 25.04.2024 at 18:56, Rowland Penny via samba wrote:
>
> >
> > [global]
> > netbios name = XXX
> > realm = XXXX.yyyy.ZZ
> > server role = active directory domain controller
> > dns forwarder = X,Y
> > workgroup = ZZ
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > winbind use default domain = true
> >
> > The line above does nothing on a DC
> >
> > winbind offline logon = false
> >
> > The line above is the default
> >
> > winbind nss info = rfc2307
> >
> > The line above does nothing on a DC
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > You should only set the two lines above for testing purposes, Samba
> > will work perfectly well without them.
> >
> > winbind nested groups = Yes
> > server schannel = yes
> >
> > The two lines above are defaults
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > What happened to the 'netlogon' share ? If you removed it, I suggest
> > you put it back.
>
> No, I just omitted that part. The enum lines are only there for
> testing, I know that it reduces performance.
>
> So I understand I can simplify the dc config, but it is not "wrong"

Yes, there is nothing really 'wrong'.

> (before looking at below member server config).
>
> Here is the domain member server config:
>
>    workgroup = XXXX
>    security = ADS
>    realm = XXXX.yyyy.ZZ
>    winbind refresh tickets = Yes
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    winbind use default domain = no
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = Yes
>    winbind expand groups = 4
>    server schannel = yes
>    access based share enum = true
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config XXXX : backend = rid

Are there any other Unix domain members ? Because this one isn't using any rfc2307 attributes, so, if there are no other Unix domain members and there are rfc2307 attributes in AD, then you might as well remove them.

> idmap config XXXX : range = 300000-400000
>
> The "XXXX" stands for our AD domain, there might be others coming
> so this is why we set an idmap range for that domain.

If you add another AD domain, you will also have to use trusts.

> I suspect that I forgot to set the idmap config on the DC(s)
> accordingly?

Do not set idmap config lines on a Samba DC, they do not work, you must use the 3000000 numbers or use rfc2307 attributes (uidNumber, gidNumber, etc)

Have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

Rowland
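The following check is an added example, not code from this thread or from Samba: it turns Rowland's two points into a small smb.conf lint, flagging idmap config lines on a DC and, on a domain member, requiring a '*' range and pairwise disjoint ranges. The sample configs are constructed; XXXX is the thread's placeholder domain and parse_global/check_idmap are hypothetical helper names.

```python
import re

# Constructed samples, not the thread's real configs; XXXX is a hypothetical domain.
MEMBER_CONF = """[global]
   winbind enum users = yes
   winbind enum groups = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config XXXX : backend = rid
   idmap config XXXX : range = 300000-400000
"""
DC_CONF = "[global]\nserver role = active directory domain controller\nidmap config * : range = 3000-7999\n"

def parse_global(text):
    # Minimal smb.conf reader: [global] options with lowercased, whitespace-normalised keys.
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", key.strip().lower()))
            opts[key] = val.strip()
    return opts

def check_idmap(conf):
    # Returns a list of findings; an empty list means the idmap layout looks sane.
    g = parse_global(conf)
    idmap = {k: v for k, v in g.items() if k.startswith("idmap config ")}
    if "domain controller" in g.get("server role", "").lower() and idmap:
        return ["idmap config lines are ignored on a Samba AD DC: remove them"]
    findings, ranges = [], {}
    for key, val in idmap.items():
        m = re.match(r"idmap config (\S+) : range$", key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1)] = (lo, hi)
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' for BUILTIN and default mappings")
    names = sorted(ranges)
    for i, a in enumerate(names):          # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    if any(g.get(k, "").lower() == "yes" for k in ("winbind enum users", "winbind enum groups")):
        findings.append("winbind enum users/groups = yes is for testing only")
    return findings
```

Run it against the output of `testparm -s` on each host so defaults and includes are already resolved.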
Jakob Curdes
2024-Apr-25 19:11 UTC
[Samba] GPO Editor says "Access denied" for Group Policy Objects
On 25.04.2024 at 19:59, Rowland Penny via samba wrote:
> I suspect that I forgot to set the idmap config on the DC(s)
> accordingly?
>
> Do not set idmap config lines on a Samba DC, they do not work, you must
> use the 3000000 numbers or use rfc2307 attributes (uidNumber,
> gidNumber, etc)
>
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>

Yes, but rereading it and the mail thread I think I will try to sanitize my configs and then go through that page again. But I would like to do this with hands-on to the domain as it is in production, so this will have to wait until next week. I will try to heed your hints and get back with a result.

Thank you and best regards,
Jakob