Can't create/update Group Policy in Samba 4.6.5


Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi,

I'm using Samba 4.6.5 and I have installed as follows:

wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz

tar -xzvf samba-4.6.5.tar.gz

cd samba-4.6.5

./configure --enable-debug --enable-selftest

make

make install

It seems to be working properly, however I can't create or update GPOs
with the Windows Group Policy Management tool.

When I try, a "Denied Access" message appears.

I'm using a user that is a member of "Domain Admins", "Domain Computers",
"Domain Controllers", "Group Policy Creators Owners" and "Domain Users".

When I run the "samba-tool ntacl sysvolreset" command, the following
errors appear:

root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
239, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


I have verified that permissions on my files in
"/usr/local/samba/var/locks/" are like this:

ls -l /usr/local/samba/var/locks/
total 1384
-rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
-rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
-rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
-rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged

Following are my fstab and smb.conf files:

/etc/fstab
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/disk2--vg-root /           ext4    errors=remount-ro 0       1
UUID=400ad8c2-9c4c-4a08-883b-3aaddcb24850 /boot           ext2
defaults        0       2
/dev/mapper/disk2--vg-swap_1 none      swap    sw              0       0
/dev/sr0     /media/cdrom0   udf,iso9660 user,noauto     0       0
######################################################################

/usr/local/samba/etc/smb.conf

# Global parameters
[global]
 workgroup = EMPRESA
 realm = EMPREA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.0.5
 idmap_ldb:use rfc2307 = yes
 ldap server require strong auth = no

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
##################################################

Some tests with attr:

root@dc1:~# touch testando.txt
root@dc1:~# setfattr -n user.test -v test testando.txt
root@dc1:~# setfattr -n security.test -v test2 testando.txt

root@dc1:~# getfattr -d testando.txt
# file: testando.txt
user.test="test"

root@dc1:~# getfattr -n security.test -d testando.txt
# file: testando.txt
security.test="test2"

Does anybody have an idea how to solve this problem?


Regards,

Márcio Bacci
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
On Sun, 2 Jul 2017 11:30:32 -0300
Marcio Demetrio Bacci via samba <[hidden email]> wrote:

> Hi,
>
> I'm using Samba 4.6.5 and I have installed as follows:
>
> wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
>
> tar -xzvf samba-4.6.5.tar.gz
>
> cd samba-4.6.5
>
> ./configure --enable-debug --enable-selftest

Why? You only need './configure', unless you are going to run the
tests.

>
> make
>
> make install
>
> It seems that is working properly, however I can't create or update
> GPO with Windows Group Policy Management tool.
>
> When I try, "Denied Access" message appear.
>
> I'm using an user that is member of "Domain Admins", "Domain
> Computers", "Domain Controllers", "Group Policy Creators Owners" and
> "Domain Users".
>
> When I run "samba-tool ntacl sysvolreset" command, appear the
> following errors:
>
> root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset

Why are you running samba-tool like that? Haven't you set up your PATH
correctly? If you run (in a terminal):

echo $PATH

it should return your path and that should start like this:

/usr/local/samba/bin:/usr/local/samba/sbin:

If your PATH is set correctly, you should be able to run samba-tool
from anywhere, from /root for instance.

> I have verified that permissions on my files in
> "/usr/local/samba/var/locks/" are like this:
>
> ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged

Who is '30056' ?
Have you given 'Administrator' a uidNumber ?
Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?

> /usr/local/samba/etc/smb.conf
>
> [sysvol]
>  path = /usr/local/samba/var/locks/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes

You should remove the above line, it isn't required.

Rowland


Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
On 2017-07-02 at 17:26, Rowland Penny via samba wrote:

>> [sysvol]
>>   path = /usr/local/samba/var/locks/sysvol
>>   read only = No
>>   acl_xattr:ignore system acls = yes
>
> You should remove the above line, it isn't required.

Louis recommended that one to me a few weeks ago.
Could you explain?



Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi Rowland,

Now I have set up my PATH by adding /usr/local/samba/bin:/usr/local/samba/sbin:

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin


> ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged

1) Who is '30056'? 30056 is the Administrator user.
2) Have you given 'Administrator' a uidNumber? Yes, I set up Unix
Attributes for Administrator and the "Domain Admins", "Domain Controllers" and
other groups.
3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege'? No. Is it
necessary?

Now I have removed the "acl_xattr:ignore system acls = yes" line from
"/usr/local/samba/etc/smb.conf".

I have executed the "chown root:root -R /usr/local/samba/var/locks" command,
and now I can create and update GPOs, but I don't know if this is correct. What
is the best way to correct file permissions on sysvol?

The "samba-tool ntacl sysvolreset" command continues to display errors:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
239, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I have created a WSUS GPO, and when I typed "gpupdate /force" at the prompt of
the Windows stations an error appeared.

"Group Policy was not processed. Windows can not apply the registry-based
policy settings to the Group Policy object
LDAP://CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=policies,
CN=System,DC=empresa,DC=com,DC=br. The Group Policy settings will not be
resolved until this event is resolved."

How could I solve this problem?

Regards,

Márcio Bacci




Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
> 1) Who is '30056' ? 30056 is the Administrator user.
Administrator should remain as ID0.

> 2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix
> Attribute to Administrator and "Domain Admins", "Domain Controllers" and others groups.
Don't do it. Administrator is a special case.

> 3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ? No. Is
> necessary?
Yes.

You should follow this Samba Wiki guide:

Setting up Samba as an Active Directory Domain Controller
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi Miguel,

Can I remove the Unix Attributes of the Administrator user and other
administrator groups (set NIS Domain to "none")?

I have given SeDiskOperatorPrivilege to the "Domain Admins" group.

net rpc rights grant "EMPRESA\Domain Admins" SeDiskOperatorPrivilege -U
"EMPRESA\administrator"
Enter EMPRESA\administrator's password:
Successfully granted rights.

I have executed the following commands, but OS and Server are empty:

smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter EMPRESA\Administrator's password:
Domain=[EMPRESA] OS=[] Server=[]
  .                                   D        0  Mon May 15 19:09:10 2017
  ..                                  D        0  Sun Jul  2 17:07:24 2017

                39189944 blocks of size 1024. 34372144 blocks available


smbclient -L localhost -U%
Domain=[EMPRESA] OS=[] Server=[]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.6.5)
Domain=[EMPRESA] OS=[] Server=[]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Regards,

Márcio Bacci



Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
On Sun, 2 Jul 2017 18:52:36 -0300
Marcio Demetrio Bacci <[hidden email]> wrote:

> Hi Rowland
>
> Now, I set up my PATH
> adding /usr/local/samba/bin:/usr/local/samba/sbin:
>
> echo $PATH
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin
>

Wrong way round, it should START with:
/usr/local/samba/bin:/usr/local/samba/sbin

>
>  ls -l /usr/local/samba/var/locks/
> > total 1384
> > -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> > -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> > -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> > drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> > -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> > drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged
>
> 1) Who is '30056' ? 30056 is the Administrator user.
> 2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix
> Attribute to Administrator and "Domain Admins", "Domain Controllers"
> and others groups.

You should remove them; you have, in my opinion, borked your AD.
The only groups you should give a gidNumber to are 'Domain Users' &
'Domain Admins'.
 
> 3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ? No.
> Is necessary?

Yes

>
> Now, I excluded "acl_xattr:ignore system acls = yes" line in the
> "/usr/local/samba/etc/smb.conf"

I do not use this line, but, after doing what I tell
people to do and reading the manpage for 'vfs_acl_xattr' (a case of not
practising what I preach), I now think that a) it doesn't have anything
to do with your problem and b) it is probably a good idea to have it. So
you can put it back, sorry ;-)

>
> I have executed "chown root:root -R /usr/local/samba/var/locks"
> command, and now I can create and update GPOs, but I don't know if is
> correct? What is the better way to correct files permissions on
> sysvol?
>
> The "samba-tool ntacl sysvolreset" command continues display errors:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined
> error') File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
> service=SYSVOL_SERVICE)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
> 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
>

The best is to not use sysvolreset or sysvolcheck and do everything
from windows.

> I have created Wsus GPO and I typed "gpupdate /force" in prompt of the
> Winsows Stations a error appears.
>
> "Group Policy was not processed. Windows can not apply the
> registry-based policy settings to the Group Policy object
> LDAP://CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9},
> CN=policies, CN=System,DC=empresa,DC=com,DC=br. The Group Policy
> settings will not be resolved until this event is resolved."
>
> How could I solve this problem?
>

By doing what I have suggested above.


Rowland


Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi,

In response to why I recommend that.

Since this is a "Windows"-only share, I recommend setting it up for that usage, which results in better matching of Windows rights,
resulting in better working policies.
The current POSIX rights did not match my needs and resulted in inconsistent policies.
This is why I use these for profiles and sysvol.

And this is my setup order:

Set up the sysvol share with: acl_xattr:ignore system acls = yes

Set up SeDiskOperatorPrivilege. For sysvol, set up 2 groups!
net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
  And use the default Windows group for extra users: "Group Policy Creator Owners"

Set up share rights (you must re-apply them if you use "ignore system acls").

Set up security rights, but since you're using "ignore system acls" the default sysvol rights are now OK.
But check if the creator group is also on the security rights.

Check from within the GPO management tools; you will get some messages about rights to fix, do that.
And don't run samba-tool sysvolreset; if you do, then you will have to repeat the above again.

Now your GPOs should work as normal.

Try it out and report your result.


Greetz,

Louis

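A way to verify the two privilege grants in Louis's setup order before touching sysvol, as an added example that is not part of the thread or of Samba's own tooling: the script below parses the output of `net rpc rights list accounts` (account name on one line, one privilege per following line, a blank line between accounts, which is the format assumed here), reports which of the required groups still lack SeDiskOperatorPrivilege, and lists every holder of the privilege so the set can be reviewed. The embedded sample output and the SAMDOM domain name are constructed; `live_rights` is a hypothetical helper that runs `net` on a DC and is not exercised by default.

```python
"""Audit SeDiskOperatorPrivilege holders from `net rpc rights list accounts` output.

Added example, not Samba code. Assumed output format: one line with the
account name, one privilege per following line, blank line between accounts.
"""
import subprocess

PRIV = "SeDiskOperatorPrivilege"

# The two groups Louis grants for sysvol; SAMDOM is a placeholder domain name.
REQUIRED_GROUPS = ("SAMDOM\\Domain Admins", "SAMDOM\\Group Policy Creator Owners")

# Constructed sample in the assumed format (not captured from a real DC).
# Only Domain Admins has been granted; Group Policy Creator Owners has not.
SAMPLE_OUTPUT = r"""
BUILTIN\Print Operators
SePrintOperatorPrivilege

BUILTIN\Account Operators
No privileges assigned

SAMDOM\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeSecurityPrivilege
SeDiskOperatorPrivilege
"""


def parse_rights(text):
    """Return {account: set(privileges)}; 'No privileges assigned' yields an empty set."""
    rights = {}
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        account, privs = lines[0], lines[1:]
        rights[account] = {p for p in privs if p.startswith("Se")}
    return rights


def missing_disk_operator(rights, required=REQUIRED_GROUPS):
    """Required groups that do not hold SeDiskOperatorPrivilege (empty list: all granted)."""
    return [g for g in required if PRIV not in rights.get(g, set())]


def holders(rights):
    """Every account holding SeDiskOperatorPrivilege, sorted. The privilege lets
    its holders rewrite share ACLs, so this list should stay short and known."""
    return sorted(acct for acct, privs in rights.items() if PRIV in privs)


def live_rights(admin_user):
    """Hypothetical helper: run `net rpc rights list accounts` on the DC and parse it.
    `net` prompts for admin_user's password unless a Kerberos ticket is cached."""
    out = subprocess.run(
        ["net", "rpc", "rights", "list", "accounts", "-U", admin_user],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_rights(out)


if __name__ == "__main__":
    parsed = parse_rights(SAMPLE_OUTPUT)
    print("holders:", holders(parsed))                 # ['BUILTIN\\Administrators', 'SAMDOM\\Domain Admins']
    print("missing:", missing_disk_operator(parsed))   # ['SAMDOM\\Group Policy Creator Owners']
```

On a DC, replace `parse_rights(SAMPLE_OUTPUT)` with `live_rights("SAMDOM\\administrator")`; a non-empty `missing` list means Louis's second grant has not been applied yet, and any unexpected name in `holders` is worth a look before the share ACLs are set from Windows.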

Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi Marcio,

> Can I remove Unix Attributes of the Administrator user  and
> other administrator groups (set up NIS Domain to "none") ?
Yes, a GID on Domain Admins is not a problem, but a UID on Administrator is a big problem.
So yes, for user Administrator remove all Unix tab settings. (Don't forget to run: net cache flush)
And double check with: id Administrator.

A tip. For example (part of the smb.conf of a member with AD backend):
    ## map ids outside the domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    idmap config NTDOM : unix_nss_info = yes

id username shows:
uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001
Now there is one error in that line (the last GID, 2001).

After running net cache flush:
uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001(BUILTIN\users)
(sample of a member with AD backend setup)

And this is correct: 2001(BUILTIN\users)


I have assigned all my (domain) Windows "default groups" a GID, but I'm using these on multiple servers.
(These default groups are "Domain" Users/Guests/Computers/Admins.)
Think RID/AD, where you need the same id (GID) on every server. Most important!

Tip: it is no problem on a member to change RID to AD if needed, just change the backend, restart samba and winbind.
WATCH OUT FOR YOUR RIGHTS ON THE SERVERS!!! You will lose these if UIDs/GIDs change.
Run: net cache flush.
AGAIN YOU NEED TO REAPPLY ALL RIGHTS ON THE FILE SERVER AFTER CHANGING RID <> AD BACKENDS.

Note: this does not apply to all setups, but users with multiple servers should think about this.


Greetz,

Louis




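To make the "ranges may not overlap" rule in Louis's idmap tip checkable, here is an added example (my code, not Louis's and not Samba's): it parses the `idmap config` lines of an smb.conf fragment, reports any pair of idmap domains whose ranges intersect, and names the domain that owns a given uid or gid, which is how the `2001(BUILTIN\users)` entry in the `id` output above lands in the `*` tdb range rather than the AD range. The two smb.conf fragments are constructed from the tip; the second one overlaps on purpose.

```python
"""Check idmap config ranges in smb.conf for overlap.

Added example, not Samba code: parses 'idmap config <domain> : <key> = <value>'
lines and reports domain pairs whose ranges intersect.
"""
import re

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")

# Constructed fragment matching Louis's tip: tdb for unmapped ids, AD for NTDOM.
GOOD_CONF = """
    ## map ids outside the domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    idmap config NTDOM : unix_nss_info = yes
"""

# Constructed misconfiguration: the NTDOM range now starts inside the '*' range.
BAD_CONF = GOOD_CONF.replace("10000-3999999", "9000-3999999")


def parse_idmap(text):
    """Return {domain: {key: value}} for every idmap config line (comments skipped)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[key] = value
    return cfg


def parse_range(value):
    """'2000-9999' -> (2000, 9999); rejects malformed or inverted ranges."""
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError("malformed idmap range: %r" % value)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("inverted idmap range: %r" % value)
    return lo, hi


def find_overlaps(cfg):
    """Pairs of domains whose id ranges intersect; empty list means the ranges are disjoint."""
    ranges = {d: parse_range(v["range"]) for d, v in cfg.items() if "range" in v}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def domain_for_id(cfg, xid):
    """Name of the idmap domain whose range contains xid, or None if no range covers it."""
    for domain, values in cfg.items():
        if "range" in values:
            lo, hi = parse_range(values["range"])
            if lo <= xid <= hi:
                return domain
    return None


if __name__ == "__main__":
    good = parse_idmap(GOOD_CONF)
    print("good overlaps:", find_overlaps(good))                   # []
    print("bad overlaps:", find_overlaps(parse_idmap(BAD_CONF)))   # [('*', 'NTDOM')]
    # gid 2001 from the `id` output lives in the '*' tdb range, uid 10002 in NTDOM.
    print(domain_for_id(good, 2001), domain_for_id(good, 10002))   # * NTDOM
```

Run it against the real file with `parse_idmap(open("/etc/samba/smb.conf").read())` (path assumed); an overlap found here is the kind of silent misconfiguration that makes ids collide between the tdb and AD backends and, as Louis warns, breaks file rights when the backends change.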

Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi, the steps are (basically) good, only this one can be better.

>To solve, I executed the following commands:
>Chown 10060: 30028 -R sysvol
>Chmod 775 -R sysvol

If you use acl_xattr:ignore system acls = yes on the sysvol share, you must configure the share from within Windows. (Or use smbcacls, but I never used it.)

This is what I see:

ls -al  sysvol
total 24
drwxrwx---+ 3 root root                   4096 Nov 17  2016 .
drwxrwxr-x+ 5 root BUILTIN\administrators 4096 Apr 21 13:22 ..
drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29  2016  internal.domain.tld

You notice the + behind the drwx...; to see that, use: getfacl /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
The numbers are explained a bit below (see security tab).
Take notice that "NTDOM\Domain Admins" is a member of BUILTIN\Administrators.
(The above is not the Samba default but the same setup as on a Windows 2008R2 server.)

A good tip to restore the defaults with samba-tool without errors.

Move your domain folder out of the /var/lib/samba/sysvol folder:
mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else
Run samba-tool ntacl sysvolreset.

Since there is no domain folder and no policies folder, you don't get errors.
Test with samba-tool ntacl sysvolcheck; if you don't have errors, back up these settings:

getfacl -R /var/lib/samba/sysvol > sysvol.permissions.acl
(and a restore option: setfacl --restore=sysvol.permissions.acl)

Now move your domain folder back.

Next, log in with a user account that has domain admin rights (is a member of),
go to the GPO editor and click on every GPO object. You will get some messages about incorrect rights, and if it wants to fix them, that's OK.
(Forgot the article, but you can find this one on MS support; minor thing, won't affect your GPOs.)

Last.
Open the Computer Management console, connect to the DC, go to the security tab.
Sysvol security rights should be:
DOMAIN\Server Operators (or BUILTIN\Server Operators)
Creator Owner
Authenticated Users
SYSTEM
DOMAIN\Administrators (or BUILTIN\Administrators)

DOMAIN\Administrators contains: "Domain Admins", Administrator and "Enterprise Admins"
And the "DOMAIN\Administrators" is in the Builtin OU. (Could also be BUILTIN\Administrators.)

And the same for "DOMAIN\Users" (could also be BUILTIN\Users), which contains: Authenticated Users, Domain Users, INTERACTIVE.
Ignore the DOMAIN\ and BUILTIN differences here; both are correct.
And if you have done everything right, now you should be able to use the newAdmin and/or NTDOM\Administrator user to set up your GPOs.
 
 
Greetz,
 
Louis
 

From: Marcio Demetrio Bacci [mailto:[hidden email]]
Sent: Tuesday 4 July 2017 14:00
To: L.P.H. van Belle
Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5

Hi

I have re-applied "acl_xattr:ignore system acls = yes", and followed all the guidelines, including those of the link: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 

When I removed the Unix attributes from the "Administrator" user, the permissions on the sysvol folder were broken.

To solve, I executed the following commands:

Chown 10060: 30028 -R sysvol
Chmod 775 -R sysvol

(Where 10060 is my user and 30028 is the Domain Admins group)

root@dc1:/usr/local/samba/var/locks# ls -l
total 1392
-rw-------  1 root  root  421888 Mai 15 21:57 account_policy.tdb
-rw-------  1 root  root  528384 Mai 15 21:57 registry.tdb
-rw-------  1 root  root  421888 Mai 15 21:57 share_info.tdb
drwxrwxr-x  3 10060 30028   4096 Jul  4 01:15 sysvol
-rw-------  1 root  root   32768 Jul  4 08:34 winbindd_cache.tdb
drwxr-s---  2 root  root    4096 Jul  4 01:17 winbindd_privileged

Then I have performed a "net cache flush" command and restarted the Samba 4 service.

Now I can create and edit the GPOs normally.

Are the above procedures correct? Is there any problem?


Regards,


Márcio Bacci





2017-07-03 4:29 GMT-03:00 L.P.H. van Belle via samba <[hidden email]>:
Hai,

In response to why I recommend that.

Since this is a "windows" only share, I recommend setting it up for that usage, which results in better matching of Windows rights,
resulting in better working policies.
The current POSIX rights did not match my needs and resulted in inconsistent policies.
This is why I use these for profiles and sysvol.

And this is my setup order:

Set up the sysvol share with: acl_xattr:ignore system acls = yes

Set up SeDiskOperatorPrivilege. For sysvol, set up 2 ! groups.
net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
  And use the default Windows group for extra users: "Group Policy Creator Owners"

Set up share rights (you must re-apply them if you use "ignore system acls").

Set up security rights, but since you're using "ignore system acls", the default sysvol rights are now OK.
But check if Creator Group is also on the security rights.

Check from within the GPO management tools; you will get some messages about rights to fix, do that.
And don't run samba-tool sysvolreset; if you do, then you will have to repeat the above again.

Now your GPO should work as normal.

Try it out and report your result.


Greetz,

Louis

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Stefan G. Weichinger via samba
> Sent: Sunday 2 July 2017 20:41
> To: [hidden email]
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On 2017-07-02 at 17:26, Rowland Penny via samba wrote:
>
> >> [sysvol]
> >>   path = /usr/local/samba/var/locks/sysvol
> >>   read only = No
> >>   acl_xattr:ignore system acls = yes
> >
> > You should remove the above line, it isn't required.
>
> Louis recommended that one to me a few weeks ago.
> Could you explain?
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



Re: Can't create/update Group Policy in Samba 4.6.5

Hi Louis


I have moved the "empresa.com.br" folder to /root. After that I ran samba-tool ntacl
sysvolreset, but some errors appear:

samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
239, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)



samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
file or directory')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
270, in run
    lp)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
81, in getntacl
    xattr.XATTR_NTACL_NAME)


My sysvol folder is empty.

What is the problem?

Regards,

Márcio Bacci




Re: Can't create/update Group Policy in Samba 4.6.5

On Tue, 4 Jul 2017 16:04:20 -0300
Marcio Demetrio Bacci via samba <[hidden email]> wrote:

> Hi Louis
>
>
> I have moved "empresa.com.br" folder to /root. After I run samba-tool
> ntacl sysvolreset, but some errors appear:

Please put it back.

Also, which DC is this on, your first DC or the second one? And if it is
the second one, have you followed the wiki page I pointed you to in
your other post?

Or to put it another way, do both of your DCs' sysvol directories (and
sub-directories) match, and have you synced idmap.ldb from the first DC
to the second DC?

I know what Louis told you to do, but you should only give 'Domain
Users' a gidNumber attribute. You can also give 'Domain Admins' a
gidNumber, but I personally think it is better to create a group called
'Unix Admins', make this group a member of 'Domain Admins' and then
give this new group a gidNumber. Now use this group when setting
permissions from Windows. My reasoning behind this: 'Domain Admins'
needs to own policies in sysvol, and it cannot do this if it has a
gidNumber attribute.
Do not give any other user or group from the well-known SIDs a
uidNumber or gidNumber; see here for the well-known SIDs:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

Rowland
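One way to check a domain for the mistake Rowland describes, as an added example (this is not code from the thread's participants or from the Samba project): the script below parses an LDIF export of users and groups and reports every well-known principal (BUILTIN S-1-5-32-*, or a domain RID below 1000) that carries a uidNumber or gidNumber, exempting only 'Domain Users' as advised above; flagging 'Domain Admins' follows Rowland's stated preference. It assumes objectSid is in string form, as ldbsearch prints it. The LDIF, the domain SID and the id numbers in it are constructed sample data.

```python
"""Audit uidNumber/gidNumber on well-known AD principals (added example,
not from the thread's participants or the Samba project). Input is LDIF
with objectSid in string form, as ldbsearch prints it; the sample below
is constructed and its domain SID is made up."""
import re

WELL_KNOWN_OK = {513}          # Domain Users: a gidNumber is expected here
BUILTIN_PREFIX = "S-1-5-32-"   # BUILTIN\... groups such as Administrators
DOMAIN_RID_LIMIT = 1000        # domain RIDs below 1000 are well-known

SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=test
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=test
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 30028

dn: CN=Administrators,CN=Builtin,DC=example,DC=test
sAMAccountName: Administrators
objectSid: S-1-5-32-544
gidNumber: 3000275

dn: CN=Administrator,CN=Users,DC=example,DC=test
sAMAccountName: Administrator
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
uidNumber: 10060

dn: CN=unix_admins,CN=Users,DC=example,DC=test
sAMAccountName: unix_admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 30059
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; handles folded lines (leading space).
    Base64 ('::') values are kept undecoded, which is fine for this audit."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:            # continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                       # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    if cur:
        entries.append(cur)
    return entries

def sid_is_well_known(sid):
    """True for BUILTIN SIDs and for domain SIDs with a RID below 1000."""
    if sid.startswith(BUILTIN_PREFIX):
        return True
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    return bool(m) and int(m.group(1)) < DOMAIN_RID_LIMIT

def audit(text):
    """(sAMAccountName, objectSid, attribute) for each offending entry."""
    findings = []
    for e in parse_ldif(text):
        sid = e.get("objectSid", [""])[0]
        if not sid_is_well_known(sid):
            continue
        if sid.startswith("S-1-5-21") and int(sid.rsplit("-", 1)[1]) in WELL_KNOWN_OK:
            continue
        name = e.get("sAMAccountName", e.get("dn", ["?"]))[0]
        for attr in ("uidNumber", "gidNumber"):
            if attr in e:
                findings.append((name, sid, attr))
    return findings

if __name__ == "__main__":
    for name, sid, attr in audit(SAMPLE_LDIF):
        print(f"{name} ({sid}) carries {attr}: remove it, then run 'net cache flush'")
```

On the constructed input this reports Domain Admins, BUILTIN\Administrators and Administrator, and leaves Domain Users and the custom unix_admins group (RID 1105) alone; after removing an attribute, a `net cache flush` is still needed, as Louis notes later in the thread.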


Re: Can't create/update Group Policy in Samba 4.6.5

Sorry, my error, you need an "empty domain" directory in sysvol, then reset.
Then copy the rights, re-apply them, etc.


And good point Rowland.
Greetz,

Louis



Re: Can't create/update Group Policy in Samba 4.6.5

Hi,

My DC doesn't know domain users and groups by name, only by uid/gid.

Ex: chmod mike:'EMPRESA\unix_admins' test
chown: invalid group mike:EMPRESA\\unix_admins

If run with the GID it works properly:
chmod mike:30059 test
drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test

There is a unix_admins group:
wbinfo --gid-info 30059
EMPRESA\unix_admins:x:30059:

On the file server domain member, the "chown" command by user and group names works OK:
chmod mike:'EMPRESA\unix_admins' test
drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test

I have performed the following steps:

1) cd /usr/local/samba/var/locks/sysvol
2) mv empresa.com.br /root
3) mkdir empresa.com.br
4) samba-tool ntacl sysvolreset
5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
6) rmdir empresa.com.br
7) mv /root/empresa.com.br .
8) setfacl --restore=sysvol.permissions.acl
9) samba-tool ntacl sysvolcheck

10) I went to the GPO editor and fixed the incorrect rights.

11) I have opened computer manager, connected to the DC, went to the
security tab.
I have set up Sysvol security rights:
DOMAIN\Server Operators
Creator Owner
Authenticated Users
SYSTEM
DOMAIN\Administrators

Note 1: I also changed the sysvol folder owner to "unix_admins" via MS
Windows properties but, when I checked in the DC terminal, it hadn't changed
(it still had the same user and group).

Note 2: I have already removed the "Unix Attributes" of
BUILTIN\Administrators, Group Policy Creator Owners and others via the Windows
RSAT tools - Active Directory Users and Computers (changed Domain NIS to
None), but the UID/GID remain.

For example: GID 3000275 still belongs to BUILTIN\Administrators.

Other notes:

output of "samba-tool ntacl sysvolreset" command:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
239, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


The command above (despite the errors) reset the owner and group to root and
3000275 (BUILTIN\Administrators) respectively.
ls -l
drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br


output of "samba-tool ntacl sysvolcheck" command:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
file or directory')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
270, in run
    lp)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
81, in getntacl
    xattr.XATTR_NTACL_NAME)

I'm already able to create and edit my GPOs, but I have many doubts:

1) Is there another way to remove the UID / GID from the users and groups?

2) Why do the GID numbers of BUILTIN\Administrators and other users and groups
still remain?

3) Is it normal that the DC does not identify users and groups by name, but only
by UID / GID number?

4) What are the problems with "samba-tool ntacl sysvolreset" and
"samba-tool ntacl sysvolcheck"?

5) When I change the users and groups of the sysvol folder from MS Windows,
should it not be reflected in the DC terminal?

I would really like to solve these problems!

Regards,

Márcio Bacci


Re: Can't create/update Group Policy in Samba 4.6.5

* Sorry, it is not "chmod mike:'EMPRESA\unix_admins' test". I meant
"chown mike:'EMPRESA\unix_admins' test"

I'm tired!


Re: Can't create/update Group Policy in Samba 4.6.5

Hai Marcio,
 
Now, this looks good.
Normally I switch steps 10 and 11.
 
After you remove the uid/gid, run: net cache flush
 
> I'm already getting create and edit my GPOs, but I have many doubts:
Remove your doubts, set up some GPOs and test. You will see everything works.
> 1) Is there another way to remove UID / GID from the users and groups ?
net cache flush
> 2) Why GID number of the BUILT\Administrators and other users and groups still continue ?
IDs are still in idmap and these are default groups in the AD.
 
>
> 3) Is normal DC does not identify user and group by name, but only by UID / GID number ?
I don't understand this question exactly, but try to forget chmod/chown; getfacl and setfacl are what you need.
>
> 4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck" ?
A few small bugs, but you can safely ignore them. The solution here is simple: don't run samba-tool ntacl sysvolreset and samba-tool ntacl sysvolcheck
after you have set up the rights from within Windows.
>
> 5) When I change the users and groups from the sysvol folder by MS Windows should I not reflect on the DC terminal?


Hm, I don't understand this question.
 
 
>The command above (despite the mistakes) reset owner and group to root and 3000275 (BUILTIN\Administrators) respectively.
>ls -l
>drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br
 
Now, this isn't right: you changed it with chown, not setfacl.
 
Look, this is my line:
drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29  2016 xxxxxxx.bazuin.nl

and getfacl /home/samba/sysvol/

getfacl: Removing leading '/' from absolute path names
# file: home/samba/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I suggest, to make sure, redo your 3 steps outlined below, in this order:
8, 11, 10.

Then when that's done, don't touch the sysvol folders from the console.

But you're getting there, it's always hard in the beginning..  ;-)
 
 
Greetz,
 
Louis

From: Marcio Demetrio Bacci [mailto:[hidden email]]
Sent: Thursday 6 July 2017 7:19
To: L.P.H. van Belle; [hidden email]
Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5



* Sorry, it is not "chmod mike:'EMPRESA\unix_admins' test".  I wanted to say "chown mike:'EMPRESA\unix_admins' test"


I'm tired!  


2017-07-06 2:14 GMT-03:00 Marcio Demetrio Bacci <[hidden email]>:
Hi,

My DC doesn't know domain users and groups by name, only by uid/gid.

Ex: chmod mike:'EMPRESA\unix_admins' test
chown: invalid group mike:EMPRESA\\unix_admins

If run with the GID it works properly:
chmod mike:30059 test
drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test

There is a unix_admins group:
wbinfo --gid-info 30059
EMPRESA\unix_admins:x:30059:

On the file server domain member, the "chown" command with user and group names is OK:
chmod mike:'EMPRESA\unix_admins' test
drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test

I have performed the following steps:

1) cd /usr/local/samba/var/locks/sysvol
2) mv empresa.com.br /root
3) mkdir empresa.com.br
4) samba-tool ntacl sysvolreset
5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
6) rmdir empresa.com.br
7) mv /root/empresa.com.br .
8) setfacl --restore=sysvol.permissions.acl
9) samba-tool ntacl sysvolcheck

10) I went to the GPO editor and fixed the incorrect rights.

11) I opened Computer Management, connected to the DC, and went to the security tab.
I have set up the Sysvol security rights:
DOMAIN\Server Operators
Creator Owner
Authenticated Users
SYSTEM
DOMAIN\Administrators 
 

Note 1: I have changed the sysvol folder owner to "unix_admins" too via MS Windows properties but, when I checked in the DC terminal, it didn't change (it continued to be the same user and group).

Note 2: I have already removed the "Unix Attributes" of BUILTIN\Administrators, Group Policy Creator Owners and others via the Windows RSAT tools - Active Directory Users and Computers (changed Domain NIS to None), but the UID/GID remain.

For example: the GID 3000275 still belongs to BUILTIN\Administrators.

Other notes:

output of "samba-tool ntacl sysvolreset" command:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


The command above (despite the mistakes) reset owner and group to root and 3000275 (BUILTIN\Administrators) respectively.
ls -l
drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br


output of "samba-tool ntacl sysvolcheck" command:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)

I'm already able to create and edit my GPOs, but I have many doubts:

1) Is there another way to remove the UID / GID from the users and groups?

2) Why do the GID numbers of BUILTIN\Administrators and other users and groups still remain?

3) Is it normal that the DC does not identify users and groups by name, but only by UID / GID number?

4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck"?

5) When I change the users and groups of the sysvol folder from MS Windows, should it not be reflected in the DC terminal?

I would really like to solve these problems!

Regards,

Márcio Bacci


2017-07-05 3:07 GMT-03:00 L.P.H. van Belle via samba <[hidden email]>:
Sorry, my error, you need an "empty domain" directory in sysvol then reset.
Then copy the rights, re-apply them .. Etc.


And good point Rowland.
Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 4 July 2017 21:51
> To: [hidden email]
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On Tue, 4 Jul 2017 16:04:20 -0300
> Marcio Demetrio Bacci via samba <[hidden email]> wrote:
>
> > Hi Louis
> >
> >
> > I have moved "empresa.com.br" folder to /root. After I run
> samba-tool
> > ntacl sysvolreset, but some errors appear:
>
> Please put it back.
>
> Also which DC is this on, your first DC or the second one ?
> and if it is the second one, have you followed the wiki page
> I pointed you to, on your other post ?
>
> Or to put it another way, do both of your DCs' sysvol directories (and
> sub-directories) match, and have you synced idmap.ldb from the
> first DC to the second DC?
>
> I know what Louis told you to do, but you should only give
> 'Domain Users' a gidNumber attribute, you can also give
> 'Domain Admins' a gidNumber, but I personally think it is
> better to create a group called 'Unix Admins', make this
> group a member of 'Domain Admins' and then give this new
> group a gidNumber. Now use this group when setting
> permissions from Windows. My reasoning behind this: 'Domain Admins'
> needs to own policies in sysvol, it cannot do this if it has
> a gidNumber attribute.
> Do not give any other user or group from the well known sids
> a uidNumber or gidNumber, see here for the well known sids:
>
> https://support.microsoft.com/en-us/help/243330/well-known-sec
> urity-identifiers-in-windows-operating-systems
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
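Louis's getfacl listing above and Marcio's `getfacl -R` backup step both show POSIX ACL entries whose principal is a bare number (3000000, 3000275, ...). The following is an added diagnostic, not code from the thread or from the Samba project, that scans such a dump and lists every entry the host could not turn back into a name. On a DC some of these are expected (well-known SIDs such as BUILTIN\Administrators live only in idmap.ldb), but a domain user or group appearing as a number points at the NSS side not resolving it. `SAMPLE_DUMP` is a constructed dump modelled on the listing in the thread; the function names are my own, and `getfacl -p` / `wbinfo --uid-info` / `wbinfo --gid-info` are the real tool options.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: list ACL principals in a
# `getfacl -R` dump that are bare numeric uid/gid values, i.e. IDs that the
# host could not map back to a name. Uses only POSIX awk, so it runs anywhere.

# Constructed sample dump, modelled on the getfacl output quoted in the thread.
SAMPLE_DUMP='# file: home/samba/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
mask::rwx
other::---
default:user:3000000:rwx
default:group:BUILTIN\134administrators:rwx

# file: home/samba/sysvol/empresa.com.br
# owner: root
# group: 3000275
user::rwx
group::r-x
group:3000275:rwx
other::---'

# unresolved_acl_principals: read a getfacl dump on stdin and print one
# "<path><TAB><entry>" line per numeric principal, covering the owner/group
# header lines as well as named and default ACL entries.
unresolved_acl_principals() {
    awk -F: '
        /^# file: /                        { path = substr($0, 9); next }
        /^# (owner|group): /               { if ($2 ~ /^ *[0-9]+$/) print path "\t" $0; next }
        /^(default:)?(user|group):[0-9]+:/ { print path "\t" $0 }
    '
}

# count_unresolved: number of numeric principals in a dump read from stdin.
count_unresolved() {
    unresolved_acl_principals | wc -l | tr -d ' '
}

# describe_id TYPE ID: ask winbind directly (bypassing NSS) what a numeric
# uid/gid maps to; TYPE is "user" or "group". Needs wbinfo on the host.
describe_id() {
    case $1 in
        user)  wbinfo --uid-info "$2" 2>/dev/null || echo "$2: unknown to winbind" ;;
        group) wbinfo --gid-info "$2" 2>/dev/null || echo "$2: unknown to winbind" ;;
    esac
}

# scan_sysvol DIR: run the scan on a real tree (-p keeps absolute path names).
scan_sysvol() {
    getfacl -R -p "$1" | unresolved_acl_principals
}

# Demo on the constructed sample; on a DC: scan_sysvol /usr/local/samba/var/locks/sysvol
printf '%s\n' "$SAMPLE_DUMP" | unresolved_acl_principals
```

Run against the sample the scan reports six entries: four in the sysvol root and two for `empresa.com.br`, whose group owner 3000275 is exactly the value Marcio saw after `sysvolreset`. Feeding each reported number to `describe_id` shows whether winbind knows the ID even though NSS (getent, ls) cannot name it, which separates "expected idmap-only ID" from "NSS not wired up".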


Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
On Thu, 6 Jul 2017 02:14:42 -0300
Marcio Demetrio Bacci via samba <[hidden email]> wrote:

> Hi,
>
> My DC doesn't know domain users and groups by name, only by uid/gid.

Sounds like you haven't set up the libnss_winbind.so links
or /etc/nsswitch.conf

>
> Ex: chmod mike:'EMPRESA\unix_admins' test
> chown: invalid group mike:EMPRESA\\unix_admins
>
> If run with the GID it works properly:
> chmod mike:30059 test
> drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test

Where is 30059 coming from ?
As standard I would expect numbers in the '3000000' range.

>
> There is a unix_admins group:
> wbinfo --gid-info 30059
> EMPRESA\unix_admins:x:30059:
>
> On the file server domain member, the "chown" command with user and group
> names is OK:
> chmod mike:'EMPRESA\unix_admins' test
> drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test
>
> I have performed the following steps:
>
> 1) cd /usr/local/samba/var/locks/sysvol
> 2) mv empresa.com.br /root
> 3) mkdir empresa.com.br
> 4) samba-tool ntacl sysvolreset
> 5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
> 6) rmdir empresa.com.br
> 7) mv /root/empresa.com.br .
> 8) setfacl --restore=sysvol.permissions.acl
> 9) samba-tool ntacl sysvolcheck
>
> 10) I went to the GPO editor and fixed the incorrect rights.
>
> 11) I opened Computer Management, connected to the DC, and went to the
> security tab.
> I have set up the Sysvol security rights:
> DOMAIN\Server Operators
> Creator Owner
> Authenticated Users
> SYSTEM
> DOMAIN\Administrators
>
> Note 1: I have changed the sysvol folder owner to "unix_admins" too via MS
> Windows properties but, when I checked in the DC terminal, it didn't change
> (it continued to be the same user and group).
>
> Note 2: I have already removed the "Unix Attributes" of
> BUILTIN\Administrators, Group Policy Creator Owners and others via the
> Windows RSAT tools - Active Directory Users and Computers (changed
> Domain NIS to None), but the UID/GID remain.
>
> For example: the GID 3000275 still belongs to BUILTIN\Administrators.
>
> Other notes:
>
> output of "samba-tool ntacl sysvolreset" command:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
>
> The command above (despite the mistakes) reset owner and group to
> root and 3000275 (BUILTIN\Administrators) respectively.
> ls -l
> drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br
>
>
> output of "samba-tool ntacl sysvolcheck" command:
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
>     xattr.XATTR_NTACL_NAME)
>
> I'm already able to create and edit my GPOs, but I have many doubts:
>
> 1) Is there another way to remove the UID / GID from the users and groups?

Have you run 'net cache flush' on the DC ?

>
> 2) Why do the GID numbers of BUILTIN\Administrators and other users and
> groups still remain?

See above

>
> 3) Is it normal that the DC does not identify users and groups by name, but
> only by UID / GID number?

Yes

>
> 4) What are the problems with "samba-tool ntacl sysvolreset" and
> "samba-tool ntacl sysvolcheck"?

From my tests, too many to mention, but the main one is that sysvolreset
does not set the correct ACEs.

>
> 5) When I change the users and groups of the sysvol folder from MS
> Windows, should it not be reflected in the DC terminal?
>
> I would really like to solve these problems!

So would I ;-)

Rowland



Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
Hi Rowland

> > My DC doesn't know domain users and groups by name, only by uid/gid.
>
> Sounds like you haven't set up the libnss_winbind.so links or
> /etc/nsswitch.conf

I had not installed Winbind, but I installed it now. (winbind,
libnss-winbind and libpam-winbind packages).

I configured /etc/nsswitch as below:

passwd:       compat winbind
group:          compat winbind
shadow:       compat
gshadow:     files
hosts:          files dns
networks:    files
protocols:   db files
services:    db files
ethers:       db files
rpc:            db files
netgroup:  nis

My /etc/pam.d/common-session looks like this:

session [default=1]             pam_permit.so
session requisite                pam_deny.so
session required                pam_permit.so
session required                pam_unix.so
session optional                pam_winbind.so


Below is my /usr/local/samba/etc/smb.conf  of the DC

[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = EMPRESA
 server role = active directory domain controller
 dns forwarder = 192.168.0.88
 idmap_ldb:use rfc2307 = yes
 ldap server require strong auth = no
 template shell = /bin/bash
 template homedir = home/%U

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
##########################################

wbinfo -u, wbinfo -g, wbinfo -a <user> commands are OK, but "getent passwd"
only shows local users.
wbinfo --ping-dc doesn't show the short domain name, please see the output:

checking the NETLOGON dc connection to "" succeeded

The id <user> command doesn't work either:
id marcio
id: marcio: no such user


Do I need to set up the Domain Controller smb.conf with the parameters below?

  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:schema_mode = rfc2307
  idmap config EMPRESA:range = 10000-9999999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind refresh tickets = yes


What else could be wrong?

Regards,

Márcio Bacci


Re: Can't create/update Group Policy in Samba 4.6.5

Samba - General mailing list
On Thu, 6 Jul 2017 15:35:09 -0300
Marcio Demetrio Bacci <[hidden email]> wrote:

> Hi Rowland
>

> I had not installed Winbind, but I installed it now. (winbind,
> libnss-winbind and libpam-winbind packages).

I cannot understand why you hadn't installed winbind, you need it.

>
> I configured /etc/nsswitch as below:
>
> passwd:       compat winbind
> group:          compat winbind
> shadow:       compat
> gshadow:     files
> hosts:          files dns
> networks:    files
> protocols:   db files
> services:    db files
> ethers:       db files
> rpc:            db files
> netgroup:  nis

Where did 'gshadow' come from, I do not have it.

>
> My /etc/pam.d/common-session looks like this:
>
> session [default=1]             pam_permit.so
> session requisite                pam_deny.so
> session required                pam_permit.so
> session required                pam_unix.so
> session optional                pam_winbind.so
>
>

Mine has kerberos in it, because I have libpam_krb5 installed.

> Below is my /usr/local/samba/etc/smb.conf  of the DC
>
> [global]
>  workgroup = EMPRESA
>  realm = EMPRESA.COM.BR
>  netbios name = EMPRESA
>  server role = active directory domain controller
>  dns forwarder = 192.168.0.88
>  idmap_ldb:use rfc2307 = yes
>  ldap server require strong auth = no
>  template shell = /bin/bash
>  template homedir = home/%U
>

Why is the netbios name of your DC the same as your netbios domain
name (workgroup) ?

> [netlogon]
>  path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
>  read only = No
>
> [sysvol]
>  path = /usr/local/samba/var/locks/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes
> ##########################################
>
> wbinfo -u, wbinfo -g, wbinfo -a <user> commands are Ok,

wbinfo connects direct to winbind, getent doesn't and you will need to
use 'getent passwd username' to get any output for domain users.

> but "getent
> passwd" only shows local users.
> wbinfo --ping-dc doesn't show the short domain name, please see the
> output:
>
> checking the NETLOGON dc connection to "" succeeded

This could be an artifact of your netbios name and netbios domain name
being the same.

>
> The id <user> command doesn't work either:
> id marcio
> id: marcio: no such user

It should.

>
>
> Do I need to set up the Domain Controller smb.conf with the parameters below?
>
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config EMPRESA:backend = ad
>   idmap config EMPRESA:schema_mode = rfc2307
>   idmap config EMPRESA:range = 10000-9999999
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>
>

No, definitely not, apart from the 'winbind enum' lines.

> What else could be wrong?
>

No idea, mainly because I am not sat where you are and I didn't set up
your Samba AD DC ;-)

Rowland
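Rowland's replies above rest on one distinction: `wbinfo` talks to winbindd directly, while `getent` and `id` go through glibc NSS, which only reaches winbind when libnss_winbind is installed and `/etc/nsswitch.conf` names `winbind` on both the `passwd` and the `group` line. The script below is an added diagnostic, not code from the thread or the Samba project, that checks each layer separately so that "wbinfo works but id says no such user" can be pinned to the layer at fault. `SAMPLE_NSSWITCH` is a constructed copy of the nsswitch lines Marcio posted, the function names are mine, and the library directory list in `nss_library_present` is a guess at common locations that you should adjust for your distribution.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or the Samba project: tell apart the two
# layers involved when "wbinfo works but getent/id does not".

# Constructed sample, mirroring the nsswitch.conf posted in the thread.
SAMPLE_NSSWITCH='passwd:       compat winbind
group:          compat winbind
shadow:       compat
hosts:          files dns'

# nsswitch_has_winbind: read an nsswitch.conf on stdin; succeed only if both the
# passwd and the group database list winbind, naming the ones that do not.
nsswitch_has_winbind() {
    content=$(sed 's/#.*//')          # drop comments before parsing
    rc=0
    for db in passwd group; do
        if ! printf '%s\n' "$content" | awk -v db="$db" '
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { if (found) exit 0; exit 1 }'
        then
            echo "nsswitch.conf: '$db' line does not list winbind"
            rc=1
        fi
    done
    return $rc
}

# nss_library_present: look for the NSS module in common library directories
# (hypothetical list; adjust for your distribution and Samba prefix).
nss_library_present() {
    for d in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/samba/lib; do
        for f in "$d"/libnss_winbind.so.2 "$d"/*/libnss_winbind.so.2; do
            if [ -e "$f" ]; then echo "$f"; return 0; fi
        done
    done
    echo "libnss_winbind.so.2 not found in the usual library directories"
    return 1
}

# resolve_check USER: report which layer resolves a domain account. Success
# from winbind together with failure from NSS is the symptom seen in the thread.
resolve_check() {
    if wbinfo -n "$1" >/dev/null 2>&1; then echo "winbind resolves $1"; else echo "winbind cannot resolve $1"; fi
    if getent passwd "$1" >/dev/null 2>&1; then echo "NSS resolves $1"; else echo "NSS cannot resolve $1 (check nsswitch.conf and libnss_winbind)"; fi
}

# Demo on the constructed sample; on a real host run, for example:
#   nsswitch_has_winbind < /etc/nsswitch.conf && nss_library_present && resolve_check marcio
printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_has_winbind && echo "sample nsswitch.conf: winbind present on passwd and group"
```

The sample passes the nsswitch check, so if `id marcio` still fails on a host with the same file, the remaining candidates are the missing `libnss_winbind.so.2` link (the Samba source build does not install it into the system library path) or winbindd itself, which `resolve_check` separates by querying both paths for the same name.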
