Problems with GPO

Problems with GPO

Samba - General mailing list
I'm having problems with GPOs in Samba 4.2.1.

I created a GPO to block the Control Panel and applied it to my Domain OU.

On the desktop client I typed "gpupdate /force" and a success message
appeared asking me to reboot the system. After rebooting, the GPO doesn't work.

Other GPOs such as WSUS update, Wallpaper and others don't work either.


Following is the result of the command GPRESULT /H GPResult.html:

GPOs Applied
Name                                      Location Link                       Revision
Default Domain Policy                     empresa.com.br                      AD (1), Sysvol (65535)

GPOs Denied
Name                                      Location Link                       Denial Reason
Local Group Policies                      Location                            EMPTY
{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}    empresa.com.br                      Inacessible
{D65C5B66-A380-48AD-AC8A-DE417173E293}    empresa.comb.br/EMPRESA/SecInfor    Inacessible
Wallpaper                                 empresa.comb.br/EMPRESA/SecInfor    Inacessible

How can I debug this problem?

Regards,

Márcio
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problems with GPO

Samba - General mailing list
On 11/2/2016 5:51 PM, Marcio Demetrio Bacci via samba wrote:


The denial reason Inaccessible usually refers to a permissions problem.
Verify that the user and/or computer the GPO applies to has the correct
permissions. Can you run 'getfacl
/Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}' and post the results?

--
- James



Re: Problems with GPO

Samba - General mailing list
On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:

> Thanks Lingpanda101
>
> Following is the result of the command:
>
> # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> # owner: 10060
> # group: 30028
> user::rwx
> user:10060:rwx
> user:3000002:rwx
> user:3000010:r-x
> group::rwx
> group:30028:rwx
> group:30032:r-x
> group:30033:rwx
> group:3000002:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:10060:rwx
> default:user:3000002:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:30028:rwx
> default:group:30032:r-x
> default:group:30033:rwx
> default:group:3000002:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
>
>
> Regards,
>
> Márcio
>
I see you have given some users and groups a UID. Can you tell me the
results of

wbinfo --uid-info=10060
wbinfo --uid-info=30028
wbinfo --uid-info=30032
wbinfo --uid-info=10060
wbinfo --uid-info=30033

I don't see user:3000003 which I believe is Authenticated Users. Did you
give this group a UID?



--
- James


Re: Problems with GPO

Samba - General mailing list
On Thu, 3 Nov 2016 10:25:00 -0400
lingpanda101 via samba <[hidden email]> wrote:


If giving users a uidNumber isn't modifying things, I don't know what
is.

Rowland


Re: Problems with GPO

Samba - General mailing list
On Thu, 3 Nov 2016 10:25:00 -0400
lingpanda101 via samba <[hidden email]> wrote:


Seeing as this is not one of the two standard GPOs, you have a problem. When
you create a GPO, the owner is Domain Admins and the group is Domain
Admins, so who is '10060' and what is '30028'?

Rowland


Re: Problems with GPO

Samba - General mailing list

A Microsoft security update for Group Policy changed the behavior of clients in regards to GPOs:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398


The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum:

    Add the Authenticated Users group with Read Permissions to the Group Policy Object (GPO).
    Also add the Domain Computers group with read permission.


Did you take this into account?

This bit me some months ago. All of a sudden, the GPOs were not being applied. When I made the above changes, they immediately started working again.
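Added example (not from the thread, nor Samba's own code): a small Python audit that parses getfacl output like the one posted earlier and checks what the replies call for: owner and group resolve to Domain Admins, Authenticated Users and Domain Computers can read the directory, and every id in the ACL resolves to a name. The id-to-name table is constructed (3000003 = Authenticated Users follows James's guess; 3000020 for Domain Computers is an assumed placeholder), and the sample input is the thread's getfacl output with the default: lines trimmed.

```python
"""Audit a sysvol GPO directory ACL (getfacl output) for what a Samba AD domain
needs since MS16-072. Added example, not Samba's own code."""
from dataclasses import dataclass, field

# Constructed id -> name table; on a real DC resolve ids with `wbinfo --uid-info`,
# `wbinfo --gid-info` or `wbinfo -G <id>` + `wbinfo -s <sid>`. 3000003 = Authenticated
# Users follows the thread; 3000020 for Domain Computers is an assumed placeholder.
NAMES = {"10060": "bacci", "30028": "Domain Admins", "30032": "Domain Users",
         "30033": "Enterprise Admins", "3000003": "Authenticated Users",
         "3000020": "Domain Computers"}
EXPECTED_OWNER = "Domain Admins"                         # Rowland: owner and group
MUST_READ = ("Authenticated Users", "Domain Computers")  # KB3163622 corrective steps

# The getfacl output posted in the thread (default: lines trimmed), as sample input.
SAMPLE_GETFACL = """\
# file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
# owner: 10060
# group: 30028
user::rwx
user:10060:rwx
user:3000002:rwx
user:3000010:r-x
group::rwx
group:30028:rwx
group:30032:r-x
group:30033:rwx
group:3000002:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
"""

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    entries: dict = field(default_factory=dict)  # (tag, qualifier) -> "rwx"
    mask: str = "rwx"

def parse_getfacl(text):
    """Parse the access ACL. default: entries are skipped: they shape new
    children of the directory, not who may read the directory itself."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("# file:") or line.startswith("default:"):
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        else:
            tag, qualifier, perms = line.split(":")
            if tag == "mask":
                acl.mask = perms
            else:
                acl.entries[(tag, qualifier)] = perms
    return acl

def effective(acl, tag, qualifier):
    """Permissions after the ACL mask; owner and other entries are unmasked."""
    perms = acl.entries.get((tag, qualifier))
    if perms is None:
        return None
    if (tag, qualifier) == ("user", "") or tag == "other":
        return perms
    return "".join(p if p != "-" and p in acl.mask else "-" for p in perms)

def can_read_dir(perms):
    """A client needs r (list) and x (traverse) on the GPO directory."""
    return perms is not None and "r" in perms and "x" in perms

def best_perms_for(acl, name):
    """Samba DCs map groups with ID_TYPE_BOTH, so a group may appear as
    user:<id> or group:<id>; take the most permissive matching entry."""
    best = None
    for tag, qualifier in acl.entries:
        if qualifier and NAMES.get(qualifier) == name:
            perms = effective(acl, tag, qualifier)
            if best is None or (can_read_dir(perms) and not can_read_dir(best)):
                best = perms
    return best

def audit(text):
    """Return a list of findings; an empty list means the GPO dir looks right."""
    acl = parse_getfacl(text)
    findings = []
    for label, xid in (("owner", acl.owner), ("group", acl.group)):
        name = NAMES.get(xid, "unresolved id " + xid)
        if name != EXPECTED_OWNER:
            findings.append("%s is %s, expected %s" % (label, name, EXPECTED_OWNER))
    for principal in MUST_READ:
        if not can_read_dir(best_perms_for(acl, principal)):
            findings.append("%s cannot read the GPO (clients report it as Inaccessible)"
                            % principal)
    for xid in sorted({q for _, q in acl.entries if q and q not in NAMES}):
        findings.append("unresolved id %s: check it with wbinfo before trusting this ACL"
                        % xid)
    return findings
```

Run `audit(SAMPLE_GETFACL)` to see the five findings for the ACL posted in the thread; feed it the output of `getfacl` on your own Policies/{GUID} directory once the id table matches your domain.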



Re: Problems with GPO

Samba - General mailing list
Hi Rowland

Following are the results:

USER:
wbinfo --uid-info=10060:
bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false

GROUP:
wbinfo --gid-info=30028: Domain Admins

wbinfo --gid-info=30032: Domain Users

wbinfo --gid-info=30033: Enterprise Admins


"I don't see user:3000003"

root@dc1:~# wbinfo -G 3000003
S-1-5-11

root@dc1:~# wbinfo -s S-1-5-11
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-11

I have two DCs (Samba 4) and one member File Server (Samba 4) in my network.
When I execute wbinfo -r <user>, I get different results:

root@dc1:~# wbinfo -G 3000000
S-1-5-32-544

root@dc1o:~# wbinfo -G 30002
S-1-5-32-544

root@dc1:~# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4

The SID for Administrators is 3000000 on the DC. On the File Server the same group
is 30002.

Different groups for the same user
root@dc1:~# wbinfo -r bacci
30011
30025
30029
30030
30035
30049
30052
3000000


root@server-file:~# wbinfo -r bacci
30002
30003
30025
30028
30029
30030
30032
30035
30049
30052
30053


Regards,

Márcio


Re: Problems with GPO

Samba - General mailing list
Do you use rsync replication?

Watch:

Built-in Groups GID Mappings

here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory



Re: Problems with GPO

Samba - General mailing list

See inline comments:

On Thu, 3 Nov 2016 19:17:58 -0200
Marcio Demetrio Bacci <[hidden email]> wrote:

> Hi Rowland
>
> Following are the results:
>
> USER:
> wbinfo --uid-info=10060:
> bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
>

It looks like 'bacci' is a normal user, and the owner of the
Policies GUID dir should be 'Domain Admins'.
 
> GROUP:
> wbinfo --gid-info=30028: Domain Admins

This is where one of the problems starts; it is a bit of a catch-22 problem: you
need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb, which is what lets it
own dirs & files in sysvol.

>
> wbinfo --gid-info=30032: Domain Users
>
> wbinfo --gid-info=30033: Enterprise Admins
>
>
> "I don't see user:3000003"
>
> root@dc1:~# wbinfo -G 3000003
> S-1-5-11
>
> root@dc1:~# wbinfo -s S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11
>

You will need to look inside idmap.ldb to find this.

> I have two DCs (Samba 4) and one member File Server (Samba 4) in my
> network. When I execute wbinfo -r <user>, I get different results:
>
> root@dc1:~# wbinfo -G 3000000
> S-1-5-32-544
>
> root@dc1o:~# wbinfo -G 30002
> S-1-5-32-544
>
> root@dc1:~# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> The SID for Administrators is 3000000 on the DC. On the File Server the
> same group is 30002.

Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
samba do this on the DC and set up smb.conf correctly on the domain
member. You do this by using 'idmap config * : backend = tdb'


>
> Different groups for the same user
> root@dc1:~# wbinfo -r bacci
> 30011
> 30025
> 30029
> 30030
> 30035
> 30049
> 30052
> 3000000
>
>
> root@server-file:~# wbinfo -r bacci
> 30002
> 30003
> 30025
> 30028
> 30029
> 30030
> 30032
> 30035
> 30049
> 30052
> 30053
>
>
> Regards,
>
> Márcio
>

Rowland


Re: Problems with GPO

Samba - General mailing list
Hi,

The bacci user is a Domain Admin, because group 30049 is a member of
Domain Admins. I use this user to create GPOs.

Following are my configuration files:

FILE-SERVER - SMB.CONF
[global]
  netbios name = file-server
  workgroup = EMPRESA
  security = ads
  realm = EMPRESA.COM.BR
  encrypt passwords = yes
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  preferred master = no
  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:schema_mode = rfc2307
  idmap config EMPRESA:range = 10000-9999999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind refresh tickets = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
  username map = /etc/samba/user.map


DC1 - SMB.CONF
[global]
    workgroup = EMPRESA
    realm = EMPRESA.COM.BR
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 192.168.200.10
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
    read only = No

[sysvol]
    path = /opt/samba/var/locks/sysvol
    read only = No


DC2 - SMB.CONF
[global]
    workgroup = EMPRESA
    realm = EMPRESA.COM.BR
    netbios name = dc2
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
    read only = No

[sysvol]
    path = /opt/samba/var/locks/sysvol
    read only = No


I'm using the "samba-tool drs showrepl" command on DC2 and the result is
SUCCESS.

Do I need to remove the Unix attributes of all builtin users
(Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users,
Domain Admins and Domain Computers groups also need their Unix attributes removed?

Do I just select the "None" option in the Unix Attributes tab (in
RSAT) to remove them?

Must the accounts of the domain computers (joined to the domain) have
Unix attributes?

Is there a way to remove null objects in Samba 4?

Other Tests

Result of the "testparm" command:

Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Result of "samba-tool gpo list [hidden email]":

ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

Result of "samba-tool gpo listall":
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 311, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e


Regards,

Márcio


Re: Problems with GPO

Samba - General mailing list
On Fri, 4 Nov 2016 01:32:44 -0200
Marcio Demetrio Bacci <[hidden email]> wrote:

> Hi,
>
> The bacci user is a Domain Admin, because group 30049 is a member of
> Domain Admins. I use this user to create GPOs.
>
> Following are my configuration files:
>
> FILE-SERVER - SMB.CONF
> [global]
>   netbios name = file-server
>   workgroup = EMPRESA
>   security = ads
>   realm = EMPRESA.COM.BR
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   preferred master = no
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config EMPRESA:backend = ad
>   idmap config EMPRESA:schema_mode = rfc2307
>   idmap config EMPRESA:range = 10000-9999999
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
>   username map = /etc/samba/user.map
>
>
> DC1 - SMB.CONF
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = DC1
>     server role = active directory domain controller
>     dns forwarder = 192.168.200.10
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
>
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
>
>
> DC2 - SMB.CONF
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = dc2
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
>
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
>
>

The only possible problem with your smb.conf files (and it doesn't have
anything to do with your problem) is the second DC doesn't have a
forwarder.

> I'm using "samba-tool drs showrepl" command in DC2 and the result is
> SUCCESS.
>
> Do I need to remove the Unix attributes of all builtin users
> (Administrators, Account Operators, Users, Guest, ...)? Do the Domain
> Users, Domain Admins and Domain Computers groups also need their
> Unix attributes removed?

The only group that may need a gidNumber is Domain Admins; the only
group that must have a gidNumber is Domain Users, and then only if
you use the winbind 'ad' backend on a domain member.

>
> Do I just select the "None" option in the Unix Attributes tab
> (in RSAT) to remove them?

Yes, this should remove them.

>
> Must the accounts of the domain computers (joined to the domain)
> have Unix attributes?

No, I have never added them.

>
> Is there a way to remove null objects in Samba 4?

Sorry, I don't understand what you mean by 'null objects'.

>
> Other Tests
>
> Result of the "testparm" command:
>
> Load smb config files from /opt/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Result of "*samba-tool gpo list [hidden email]
> <[hidden email]>* "
>
> ERROR(runtime): uncaught exception - ('Could not find a DC for
> domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File
> "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 349, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)

This looks like a DNS problem, plus the command should be:

samba-tool gpo list bacci

>
> Result of *samba-tool gpo listall*
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 311, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
>
>

This is definitely a DNS problem.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problems with GPO

Samba - General mailing list
Just make it a bit easier for yourself.

Set up sysvol like this.

[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
Or at least check them, the defaults should be ok.

When that's done.
Go here:
http://trekker.net/archives/group-policy-downloads/
get the ADMX templates you need.

Win 10 build 1607 is not on that site, found here:
https://www.microsoft.com/en-us/download/details.aspx?id=53430

and for others, install this in Win 7 and copy the templates to the sysvol.
( located somewhere in Program Files )

Extra usable templates here:
http://winintro.com/

Now, when that's done, and this is more for you.

Does the user bacci need Domain Admin?
Like, is it your replacement for user Administrator? Then that's ok.
If it's a normal user which needs to do GPO stuff, then I suggest adding this user to "Group Policy Creator Owners" and don't abuse the Domain Admins group.

So this is the basic stuff for a GPO setup.


Now, about the error:
ERROR(runtime): uncaught exception  ...
You can ignore it IF you use the parameter: acl_xattr:ignore system acls = yes
Or, move all folders from sysvol, do the sysvol reset, and place the folders back, that can help.

I do advise to set up a GID for "Domain -" Users/Admins/Guest and, most important, "Domain Computers" .. now we are getting to your problem.

Due to all MS changes, how policies are applied has changed.

The user setting is not applied anymore by the user, but by the computer.
This is key to remember.

So for every policy you set you need one of these groups.

1) Authenticated Users  ( users and computer accounts ) ( preferred )
2) Domain Users + any group  this is a group for applying the GPO.
3) Domain Computers / any computer group

In option 1, nothing special is needed.
In option 2, you must set read GPO policies for Domain Users, and read+apply for the custom group.
In option 3, same as option 2, but this is only for a computer policy.

If you have a problem like, GPO applies from one server, but not from the other DC:
Run: net cache flush
Stop samba on both DCs and copy the idmap.tdb from DC1 to DC2.


About your setup and config, looks all fine to me, except:
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e

Please post your resolv.conf /etc/hosts /etc/nsswitch.conf
And are you using bind_DLZ or internal samba DNS?

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Marcio Demetrio
> Bacci via samba
> Sent: Friday 4 November 2016 4:33
> To: Rowland Penny; [hidden email]
> Subject: Re: [Samba] Problems with GPO


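As an added example that is not code from the thread, here is a small Python model of the rule Louis describes above: since the 2016 change the computer account fetches the user settings, so the computer must be able to read a GPO, while the principal the policy targets needs Read and Apply Group Policy. The group names, ACL entries and principals in it are constructed, and nothing is queried from Samba or AD.

```python
# Added example, not from the thread: a model of the post-2016 GPO
# security-filtering rule (computer needs Read; targeted principal needs
# Read + Apply Group Policy).  Groups, ACLs and principals are constructed.
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"

# Constructed simplification of AD's implicit memberships: every user is in
# Authenticated Users and Domain Users, every computer account is in
# Authenticated Users and Domain Computers.
IMPLICIT_USER = frozenset({"Authenticated Users", "Domain Users"})
IMPLICIT_COMPUTER = frozenset({"Authenticated Users", "Domain Computers"})


@dataclass
class Principal:
    name: str
    groups: frozenset = frozenset()
    is_computer: bool = False

    def effective_groups(self):
        base = IMPLICIT_COMPUTER if self.is_computer else IMPLICIT_USER
        return base | self.groups | {self.name}


def rights_for(acl, principal):
    """Union of the rights an ACL grants through any of the principal's groups.

    acl is a list of (trustee, set_of_rights) allow entries.
    """
    granted = set()
    member_of = principal.effective_groups()
    for trustee, rights in acl:
        if trustee in member_of:
            granted |= set(rights)
    return granted


def gpo_applies(acl, user, computer, user_policy=True):
    """Return (applies, reason) for one GPO.

    The computer account always needs Read.  The principal the policy
    targets (the user for a user policy, the computer for a computer
    policy) needs Read and Apply Group Policy.
    """
    if READ not in rights_for(acl, computer):
        return False, f"computer {computer.name} cannot read the GPO"
    target = user if user_policy else computer
    missing = {READ, APPLY} - rights_for(acl, target)
    if missing:
        return False, f"{target.name} lacks {', '.join(sorted(missing))}"
    return True, "applies"


# Constructed ACLs (hypothetical group names).
ACL_AUTH_USERS = [("Authenticated Users", {READ, APPLY})]
ACL_USER_GROUP = [("Domain Computers", {READ}), ("Domain Users", {READ}),
                  ("GPO-Wallpaper-Users", {READ, APPLY})]
ACL_PC_GROUP = [("Domain Computers", {READ}), ("GPO-Kiosk-PCs", {READ, APPLY})]
# Common mistake after the change: only the user group is left on the GPO,
# so the computer cannot read it and the user settings never arrive.
ACL_BROKEN = [("GPO-Wallpaper-Users", {READ, APPLY})]

if __name__ == "__main__":
    alice = Principal("alice", frozenset({"GPO-Wallpaper-Users"}))
    bob = Principal("bob")
    ws01 = Principal("WS01$", is_computer=True)
    kiosk = Principal("KIOSK1$", frozenset({"GPO-Kiosk-PCs"}), is_computer=True)
    cases = [
        ("auth users, alice", ACL_AUTH_USERS, alice, ws01, True),
        ("user group, alice", ACL_USER_GROUP, alice, ws01, True),
        ("user group, bob", ACL_USER_GROUP, bob, ws01, True),
        ("pc group, kiosk", ACL_PC_GROUP, bob, kiosk, False),
        ("pc group, ws01", ACL_PC_GROUP, bob, ws01, False),
        ("broken, alice", ACL_BROKEN, alice, ws01, True),
    ]
    for label, acl, user, pc, user_policy in cases:
        print(f"{label:20} -> {gpo_applies(acl, user, pc, user_policy)}")
```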

Re: Problems with GPO

Samba - General mailing list


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Rowland Penny via
> samba
> Sent: Friday 4 November 2016 9:54
> To: [hidden email]
> Subject: Re: [Samba] Problems with GPO
>
> On Fri, 4 Nov 2016 01:32:44 -0200
> Marcio Demetrio Bacci <[hidden email]> wrote:
> ..................
.................

>
> >
> > Have the accounts of the domain computers (joined in domain) must
> > have the Unix attribute ?
>
> No, I have never added them

If you don't add them and the idmap is out of sync somehow, you get GPO errors. So I suggest, until the BUILTIN\groups are all correctly mapped in samba, give Domain Computers a GID. This can really help with GPO problems.

Greetz,

Louis






Re: Problems with GPO

Samba - General mailing list
Hi,

Here are my configuration files (DC1, DC2 and FILE-SERVER)

*DC1*

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup:  nis


/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost.localadmin    localhost
192.168.200.25  dc1.empresa.com.br      dc1

/opt/samba/etc/smb.conf
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.200.10
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /opt/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes

##################################################

*DC2*

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup: nis


/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost.localadmin    localhost
192.168.200.4   dc2.empresa.com.br  dc2


/opt/samba/etc/smb.conf
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.200.10
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /opt/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes

######################################################

*FILE-SERVER (DOMAIN MEMBER)*

/etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost
192.168.200.3   file-server.empresa.com.br  file-server
192.168.200.25  dc1.empresa.com.br  dc1
192.168.200.4   dc2.empresa.com.br  dc2


/etc/samba/smb.conf (only a piece)
...
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
...

I copied idmap.ldb from DC1 to DC2, and now the uidNumber and gidNumber are the
same. But on the File Server they are still different from the DC.

I would like to remove objects without references in my domain (e.g. SID
S-1-22-33-55 "unknown"). Is that possible?



*GPO List has still problems*
root@DC1:/opt/samba/private# samba-tool gpo list ferreira
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

On DC1 there are 2 folders in Sysvol\empresa.com.br: Policies and Scripts. But
on DC2 the Policies folder isn't there. Is this normal?

I'm using *INTERNAL Samba DNS*. Following my DNS tests:

root@dc1:~# host -t SRV _ldap._tcp.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.

root@dc1:~# host -t SRV _kerberos._udp.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc1.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc2.empresa.com.br.

root@dc1:~# host -t A dc1.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25
root@dc1:~# host -t A dc2.empresa.com.br.
dc2.empresa.com.br has address 192.168.200.4


Here is the result of command "samba-tool dns zonelist dc1.empresa.com.br
--primary -U administrator"

 3 zone(s) found

  pszZoneName                 : 200.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.empresa.com.br

  pszZoneName                 : empresa.com.br
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.empresa.com.br

  pszZoneName                 : _msdcs.empresa.com.br
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.empresa.com.br


samba-tool dns zoneinfo dc1.empresa.com.br empresa.com.br -U administrator

  pszZoneName                 : empresa.com.br
  dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
  fReverse                    : FALSE
  fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
  fPaused                     : FALSE
  fShutdown                   : FALSE
  fAutoCreated                : FALSE
  fUseDatabase                : TRUE
  pszDataFile                 : None
  aipMasters                  : []
  fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries              : []
  aipNotify                   : []
  fUseWins                    : FALSE
  fUseNbstat                  : FALSE
  fAging                      : FALSE
  dwNoRefreshInterval         : 168
  dwRefreshInterval           : 168
  dwAvailForScavengeTime      : 0
  aipScavengeServers          : []
  dwRpcStructureVersion       : 0x2
  dwForwarderTimeout          : 0
  fForwarderSlave             : 0
  aipLocalMasters             : []
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.empresa.com.br
  pwszZoneDn                  : DC=empresa.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=empresa,DC=com,DC=br
  dwLastSuccessfulSoaCheck    : 0
  dwLastSuccessfulXfr         : 0
  fQueuedForBackgroundLoad    : FALSE
  fBackgroundLoadInProgress   : FALSE
  fReadOnlyZone               : FALSE
  dwLastXfrAttempt            : 0
  dwLastXfrResult             : 0

PS: Now, on some users/computers, my GPO is working. I'm testing only Windows
7 Professional workstations.

Regards,

Márcio

2016-11-04 7:10 GMT-02:00 L.P.H. van Belle <[hidden email]>:


Re: Problems with GPO

Samba - General mailing list
Looking at your config setup, I noticed a few things.

DC1.

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25   (=dc1)
nameserver 192.168.200.10

DC2.

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4   (=dc2)
nameserver 192.168.200.10

Fileserver.

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

I suggest you change your DC resolv.conf setup first and change the following.

DC1.
nameserver 192.168.200.4
nameserver 192.168.200.25

DC2
nameserver 192.168.200.25
nameserver 192.168.200.4

Fileserver
nameserver 192.168.200.4
nameserver 192.168.200.25

And to make sure, run this script to check for database replication errors.

http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh

This compares the Samba AD DC databases. ( up to 10 DCs )

There's no need to configure anything in the script.

And based on your config below I'm guessing your AD DC servers are running backend RID and the file server backend AD.

A mixed setup is, as far as I know, not supported.

Please reread:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Setting_up_the_AD_DNS_back_end

Start at the second blue part after "Provisioning a Samba Active Directory":

.....

However, to enable them in an existing domain requires to manually extend the AD schema. For further details about Unix attributes in AD, see:
* Setting up RFC2307 in AD
* idmap config = ad

Greetz,

Louis


From: Marcio Demetrio Bacci [mailto:[hidden email]]
Sent: Saturday 5 November 2016 4:55
To: L.P.H. van Belle; [hidden email]
Subject: Re: [Samba] Problems with GPO


 

Hi,

Here is my configurations files (DC1, DC2 and FILE-SERVER)

DC1

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup:  nis


/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
/etc/hosts
127.0.0.1       localhost.localadmin    localhost
192.168.200.25  dc1.empresa.com.br      dc1      

/opt/samba/etc/smb.conf
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.200.10
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /opt/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes

##################################################

DC2

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup: nis


/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost.localadmin    localhost
192.168.200.4   dc2.empresa.com.br  dc2  


/opt/samba/etc/smb.conf
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.200.10
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /opt/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
                                     
######################################################

FILE-SERVER (DOMAIN MEMBER)

/etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost
192.168.200.3   file-server.empresa.com.br  file-server
192.168.200.25  dc1.empresa.com.br  dc1
192.168.200.4   dc2.empresa.com.br  dc2   


/etc/samba/smb.conf (only a piece)
...
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
...

I copied idmap.ldb from DC1 to DC2; now the uidNumber and gidNumber are the same. But on the File Server they are still different from the DC.

I would like to remove objects without references in my Domain (e.g. SID S-1-22-33-55 "unknown"). Is that possible?



The GPO list still has problems:
root@DC1:/opt/samba/private# samba-tool gpo list ferreira
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

DC1 has 2 folders in Sysvol\empresa.com.br: Policies and Scripts. But on DC2, the Policies folder isn't there. Is this normal?

I'm using the INTERNAL Samba DNS. Following are my DNS tests:

root@dc1:~# host -t SRV _ldap._tcp.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.

root@dc1:~# host -t SRV _kerberos._udp.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc1.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc2.empresa.com.br.

root@dc1:~# host -t A dc1.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25
root@dc1:~# host -t A dc2.empresa.com.br.
dc2.empresa.com.br has address 192.168.200.4


Here is the result of command "samba-tool dns zonelist dc1.empresa.com.br --primary -U administrator"

 3 zone(s) found

  pszZoneName : 200.168.192.in-addr.arpa
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.empresa.com.br

  pszZoneName : empresa.com.br
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.empresa.com.br

  pszZoneName : _msdcs.empresa.com.br
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : ForestDnsZones.empresa.com.br


samba-tool dns zoneinfo dc1.empresa.com.br empresa.com.br -U administrator

  pszZoneName               : empresa.com.br
  dwZoneType                : DNS_ZONE_TYPE_PRIMARY
  fReverse                  : FALSE
  fAllowUpdate              : DNS_ZONE_UPDATE_SECURE
  fPaused                   : FALSE
  fShutdown                 : FALSE
  fAutoCreated              : FALSE
  fUseDatabase              : TRUE
  pszDataFile               : None
  aipMasters                : []
  fSecureSecondaries        : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel              : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries            : []
  aipNotify                 : []
  fUseWins                  : FALSE
  fUseNbstat                : FALSE
  fAging                    : FALSE
  dwNoRefreshInterval       : 168
  dwRefreshInterval         : 168
  dwAvailForScavengeTime    : 0
  aipScavengeServers        : []
  dwRpcStructureVersion     : 0x2
  dwForwarderTimeout        : 0
  fForwarderSlave           : 0
  aipLocalMasters           : []
  dwDpFlags                 : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                 : DomainDnsZones.empresa.com.br
  pwszZoneDn                : DC=empresa.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=empresa,DC=com,DC=br
  dwLastSuccessfulSoaCheck  : 0
  dwLastSuccessfulXfr       : 0
  fQueuedForBackgroundLoad  : FALSE
  fBackgroundLoadInProgress : FALSE
  fReadOnlyZone             : FALSE
  dwLastXfrAttempt          : 0
  dwLastXfrResult           : 0

PS: Now, for some users/computers, my GPO is working. I'm testing only Windows 7 Professional workstations.

Regards,

Márcio


 

2016-11-04 7:10 GMT-02:00 L.P.H. van Belle <[hidden email]>:

Just make it a bit easier for yourself.

Set up sysvol like this.

[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
Or at least check them, the defaults should be ok.

When that's done.
Go here:
http://trekker.net/archives/group-policy-downloads/
get the ADMX templates you need.

Win 10 build 1607 is not on that site, found here:
https://www.microsoft.com/en-us/download/details.aspx?id=53430

and for others, install this in Win 7 and copy the templates to the sysvol.
( located somewhere in Program Files )

Extra usable templates here:
http://winintro.com/

Now, when that's done, and this is more for you.

Does the user bacci need Domain Admin?
Like, is it your replacement for user Administrator? Then that's ok.
If it's a normal user who needs to do GPO stuff, then I suggest adding this user to "Group Policy Creator Owners" and don't abuse the Domain Admins group.

So this is the basic stuff for a GPO setup.


Now, about the error:
ERROR(runtime): uncaught exception  ...
You can ignore it IF you use the parameter: acl_xattr:ignore system acls = yes
Or, move all folders from sysvol, do the sysvol reset, and place the folders back; that can help.

I do advise setting up a GID for "Domain -" Users/Admins/Guest and, most important, "Domain Computers" .. now we are getting to your problem.

Due to all the MS changes, how policies are applied has changed.

The user setting is not applied anymore by the user, but by the computer.
This is key to remember.

So for every policy you set you need one of these groups.

1) Authenticated Users  ( users and computer accounts ) ( preferred )
2) Domain Users + any group; this is a group for applying the GPO.
3) Domain Computers / any computer group

In option 1, nothing special is needed.
In option 2, you must set read GPO policies for Domain Users, and read+apply for the custom group.
In option 3, same as option 2, but this is only for a computer policy.

If you have a problem like: GPO applies from one server, but not from the other DC.
Run: net cache flush
Stop samba on both DCs and copy the idmap.tdb from DC1 to DC2.


About your setup and config, it all looks fine to me, except:
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e

Please post your resolv.conf /etc/hosts /etc/nsswitch.conf
And are you using bind_DLZ or the internal Samba DNS?

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Marcio Demetrio
> Bacci via samba
> Sent: Friday 4 November 2016 4:33
> To: Rowland Penny; [hidden email]
> Subject: Re: [Samba] Problems with GPO
>
> Hi,
>
> The bacci user is a Domain Admin, because the 30049 group is a Domain Admins member. I
> use this user to create GPOs.
>
> Following are my configuration files:
>
> *FILE-SERVER - SMB.CONF*
> [global]
>   netbios name = file-server
>   workgroup = EMPRESA
>   security = ads
>   realm = EMPRESA.COM.BR
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   preferred master = no
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config EMPRESA:backend = ad
>   idmap config EMPRESA:schema_mode = rfc2307
>   idmap config EMPRESA:range = 10000-9999999
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
>   username map = /etc/samba/user.map
>
>
> *DC1 - SMB.CONF*
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = DC1
>     server role = active directory domain controller
>     dns forwarder = 192.168.200.10
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
>
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
>
>
> *DC2 - SMB.CONF*
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = dc2
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
>
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
>
>
> I'm using "samba-tool drs showrepl" command in DC2 and the result is
> SUCCESS.
>
> Do I need to remove the Unix attributes of all builtin users
> (Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users,
> Domain Admins and Domain Computers groups also need their Unix
> attributes removed?
>
> Do I just select the "None" option in the Unix Attributes tab (in the
> RSAT) to remove it?
>
> Must the accounts of the domain computers (joined to the domain) have
> Unix attributes?
>
> Is there a way to remove null objects in Samba 4?
>
> *Other Tests*
>
> Result of the "*testparm*" command:
>
> Load smb config files from /opt/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Result of "*samba-tool gpo list [hidden email]*":
>
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 349, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
>
> Result of *samba-tool gpo listall*

> ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 311, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e
>
>
> Regards,
>
> Márcio
>
> 2016-11-03 20:10 GMT-02:00 Rowland Penny via samba
> <[hidden email]>:
>
> >
> > See inline comments:
> >
> > On Thu, 3 Nov 2016 19:17:58 -0200
> > Marcio Demetrio Bacci <[hidden email]> wrote:
> >
> > > Hi Rowland
> > >
> > > Following the results to:
> > >
> > > *USER:*
> > > wbinfo --uid-info=10060:
> > > bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
> > >
> >
> > It looks like 'bacci' is a normal user and the owner of the
> > Policies GUID dir should be 'Domain Admins'
> >
> > > *GROUP:*
> > > wbinfo --gid-info=30028: Domain Admins
> >
> > This is where one of the problems start, bit of a catch 22 problem, you
> > need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
> > you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can
> > own dirs & files in sysvol.
> >
> > >
> > > wbinfo --gid-info=30032: Domain Users
> > >
> > > wbinfo --gid-info=30033: Enterprise Admins
> > >
> > >
> > > "I don't see user:3000003"
> > >
> > > root@dc1:~# wbinfo -G 3000003
> > > S-1-5-11
> > >
> > > root@dc1:~# wbinfo -s S-1-5-11
> > > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > > Could not lookup sid S-1-5-11
> > >
> >
> > You will need to look inside idmap.ldb to find this.
> >
> > > I have in my network two DC (Samba 4) and one member File Server
> > > (Samba 4). When I execute wbinfo -r <user>, I have different results:
> > >
> > > root@dc1:~# wbinfo -G 3000000
> > > S-1-5-32-544
> > >
> > > root@dc1o:~# wbinfo -G 30002
> > > S-1-5-32-544
> > >
> > > root@dc1:~# wbinfo -s S-1-5-32-544
> > > BUILTIN\Administrators 4
> > >
> > > The SID to Administrators is 3000000 in DC. In File Server the same
> > > group is 30002.
> >
> > Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
> > samba do this on the DC and set up smb.conf correctly on the domain
> > member. You do this by using 'idmap config * : backend = tdb'
> >
> >
> > >
> > > *Different Groups to the same user*
> > > root@*dc1*:~# wbinfo -r bacci
> > > 30011
> > > 30025
> > > 30029
> > > 30030
> > > 30035
> > > 30049
> > > 30052
> > > 3000000
> > >
> > >
> > > root@*server-file*:~# wbinfo -r bacci
> > > 30002
> > > 30003
> > > 30025
> > > 30028
> > > 30029
> > > 30030
> > > 30032
> > > 30035
> > > 30049
> > > 30052
> > > 30053
> > >
> > >
> > > Regards,
> > >
> > > Márcio
> > >
> >
> > Rowland
> >
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
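The three permission options Louis lists in his 4 November message quoted above (Authenticated Users with read+apply; Domain Users with read plus a custom group with read+apply; Domain Computers or another computer group), together with his point that user settings are now applied by the computer, can be checked mechanically against a GPO's security descriptor. The script below is an added example, not Samba's code and not from anyone in the thread. It parses a Group Policy container's DACL in SDDL form, lists who has Read and who holds the "Apply Group Policy" extended right (the well-known GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939), and reports a principal that may apply but cannot read, or a descriptor that no computer-containing principal can read, which is the condition behind the change Louis describes (MS16-072, after which user policy is retrieved in the computer's security context). The SDDL strings are constructed approximations of a default GPO descriptor; the group SID ending in -1105 is a hypothetical filter group. Reading the real descriptor from the groupPolicyContainer object (for example with ldbsearch --show-binary on a Samba DC, which prints nTSecurityDescriptor in this SDDL form) is an assumption about tooling, not something the thread shows.

```python
"""Check a Group Policy container's DACL (SDDL form) for the rights Group Policy needs.

Added example, not Samba code. The SDDL samples are constructed; the group SID
ending in -1105 is a hypothetical "GPO filter" group.
"""
import re

# Extended right "Apply Group Policy" (control access right GUID used in object ACEs)
APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"

# SDDL trustee aliases that commonly appear in GPO descriptors
ALIASES = {
    "AU": "Authenticated Users", "DU": "Domain Users", "DC": "Domain Computers",
    "DA": "Domain Admins", "EA": "Enterprise Admins",
    "ED": "Enterprise Domain Controllers", "SY": "SYSTEM", "CO": "Creator Owner",
}
# Principals whose membership includes computer accounts: since MS16-072 the
# computer reads the GPO even for user settings, so one of these must have Read.
INCLUDES_COMPUTERS = {"Authenticated Users", "Domain Computers"}

# GPMC "Read" on the container: Read Property, List Children, List Object, Read Control
READ_RIGHTS = {"RP", "LC", "LO", "RC"}
GENERIC_READ = {"GR", "GA"}
# Access-mask bits for the numeric (0x...) form of the rights field
MASK_BITS = ((0x10, "RP"), (0x4, "LC"), (0x80, "LO"), (0x20000, "RC"),
             (0x100, "CR"), (0x80000000, "GR"), (0x10000000, "GA"))


def split_rights(rights):
    """Turn an SDDL rights field ('LCRPLORC' or '0x20094') into a set of two-letter tokens."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {tok for bit, tok in MASK_BITS if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (O:, G: and S: parts are ignored)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": split_rights(rights),
                     "object": obj_guid.lower(), "trustee": ALIASES.get(trustee, trustee)})
    return aces


def gpo_permissions(sddl):
    """Return (readers, appliers, denied_appliers) as sets of trustee names."""
    readers, appliers, denied = set(), set(), set()
    for ace in parse_dacl(sddl):
        r = ace["rights"]
        if ace["type"] == "A" and (READ_RIGHTS <= r or r & GENERIC_READ):
            readers.add(ace["trustee"])
        is_apply = "CR" in r and ace["object"] == APPLY_GROUP_POLICY
        if ace["type"] == "OA" and is_apply:
            appliers.add(ace["trustee"])
        if ace["type"] == "OD" and is_apply:
            denied.add(ace["trustee"])
    return readers, appliers, denied


def diagnose(sddl):
    """List reasons this GPO may not apply; an empty list means the DACL looks usable."""
    readers, appliers, denied = gpo_permissions(sddl)
    problems = []
    effective = appliers - denied
    if not effective:
        problems.append("no principal has Apply Group Policy")
    for p in sorted(effective - readers):
        problems.append("%s has Apply Group Policy but not Read" % p)
    if not readers & INCLUDES_COMPUTERS:
        problems.append("no principal that contains computer accounts can Read the GPO")
    return problems


FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"        # full control
READ = "LCRPLORC"                          # GPMC "Read"
APPLY = "OA;CI;CR;%s;" % APPLY_GROUP_POLICY  # object ACE granting Apply Group Policy
FILTER_GROUP = "S-1-5-21-1111-2222-3333-1105"  # hypothetical filter group

# Constructed sample 1: the default descriptor, Authenticated Users read + apply
GPO_DEFAULT = ("O:DAG:DAD:PAI(%s;AU)(A;CI;%s;;;AU)(A;CI;%s;;;DA)(A;CI;%s;;;EA)"
               "(A;CI;%s;;;SY)(A;CI;%s;;;ED)" % (APPLY, READ, FULL, FULL, FULL, READ))
# Sample 2: filtering done wrong, the filter group got Apply without Read and
# Authenticated Users was removed, so no computer account can read the GPO
GPO_FILTERED_BROKEN = ("O:DAG:DAD:PAI(%s;%s)(A;CI;%s;;;DU)(A;CI;%s;;;DA)(A;CI;%s;;;SY)"
                       % (APPLY, FILTER_GROUP, READ, FULL, FULL))
# Sample 3: filtering done right, filter group Read+Apply and Domain Computers Read
GPO_FILTERED_FIXED = GPO_FILTERED_BROKEN + "(A;CI;%s;;;%s)(A;CI;%s;;;DC)" % (READ, FILTER_GROUP, READ)

if __name__ == "__main__":
    for name, sd in (("default", GPO_DEFAULT), ("filtered-broken", GPO_FILTERED_BROKEN),
                     ("filtered-fixed", GPO_FILTERED_FIXED)):
        print(name, diagnose(sd) or "ok")
```

The broken sample fails on two counts and the fix is to add Read, not to drop the filter: the filter group gets Read next to its Apply right, and Domain Computers (or Authenticated Users) gets Read so the computer can fetch the user settings.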

Re: Problems with GPO

Samba - General mailing list
On Mon, 7 Nov 2016 09:41:33 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Looking at your config setup, I noticed a few things.
>
> DC1.
>
> /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.200.25   (=dc1)
> nameserver 192.168.200.10
>
> /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.200.4   (=dc2)
> nameserver 192.168.200.10
>
> /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.200.25
> nameserver 192.168.200.10
>
> I suggest you change your DC resolv.conf setup first, and change the
> following.
>
> DC1.
> nameserver 192.168.200.4
> nameserver 192.168.200.25
>
> DC2
> nameserver 192.168.200.25
> nameserver 192.168.200.4
>
> Fileserver
> nameserver 192.168.200.4
> nameserver 192.168.200.25
>
> And to make sure, run this script to check for database replication
> errors.
>
> http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
>
> This compares the Samba AD DC databases (up to 10 DCs).
> There is no need to configure anything in the script.
>
> And based on your config below, I'm guessing your AD DC servers are running
> the RID backend and the file server the AD backend.
>

No he isn't, there is no such thing as 'rid' backend on a DC.

A DC uses the xidNumbers in 'idmap.ldb' OR uidNumber & gidNumber
attributes in AD. No IDs are calculated on an AD DC

> A mixed setup is, as far as I know, not supported.
>
> Please reread:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Setting_up_the_AD_DNS_back_end
>
> start, and the second blue part after "Provisioning a Samba Active
> Directory"
>
> .....
>
> However, to enable them in an existing domain requires to manually
> extend the AD schema. For further details about Unix attributes in
> AD, see:
> * Setting up RFC2307 in AD
> * idmap config = ad
>

Never add the above line to the smb.conf on a DC, it will do
NOTHING!
 
Rowland

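Louis's resolv.conf advice, quoted in full above, can be turned into a check that runs over each host's file. The script below is an added example, not Samba's code and not from anyone in the thread. It encodes his rules as stated (only AD DCs as nameservers; each DC listing the other DC first and itself second, which is his preference and is reported as such) plus two resolver facts that explain why a non-DC entry hurts: a nameserver that is not a DC has no _ldap._tcp or _kerberos._udp SRV records for the domain, and the glibc stub resolver only falls through to it when an earlier server is unreachable, times out or returns a server failure, so DC location then fails intermittently rather than always; glibc also consults at most the first three nameserver lines. The sample files are constructed from the addresses in the thread (192.168.200.25 = dc1, 192.168.200.4 = dc2, 192.168.200.3 = file-server, 192.168.200.10 = the forwarder).

```python
"""Check /etc/resolv.conf on Samba AD hosts against the layout suggested in the thread.

Added example, not Samba code. The resolv.conf texts below are constructed from the
addresses posted in the thread (dc1 = 192.168.200.25, dc2 = 192.168.200.4,
file-server = 192.168.200.3, 192.168.200.10 = the external forwarder).
"""
import ipaddress

MAXNS = 3  # the glibc stub resolver only consults the first three nameserver lines


def parse_resolv_conf(text):
    """Return (search_domains, nameservers); comments (# or ;) and blank lines are skipped."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "nameserver":
            nameservers.append(str(ipaddress.ip_address(value.strip())))
        elif key in ("domain", "search"):
            search.extend(value.split())
    return search, nameservers


def check_resolv_conf(text, own_ip, dc_ips, realm):
    """Return findings for one host; [] means the file matches the suggested layout.

    own_ip: this host's address; dc_ips: all AD DC addresses; realm: the AD DNS domain.
    """
    search, nameservers = parse_resolv_conf(text)
    dcs = {str(ipaddress.ip_address(ip)) for ip in dc_ips}
    own = str(ipaddress.ip_address(own_ip))
    findings = []
    if realm.lower() not in {s.lower().rstrip(".") for s in search}:
        findings.append("search list lacks %s, so short names will not resolve in the AD zone" % realm)
    if not nameservers:
        findings.append("no nameserver configured")
    for ns in nameservers:
        if ns not in dcs:
            # A non-DC resolver has no _ldap._tcp/_kerberos._udp SRV records for the
            # domain. The stub resolver falls through to it when an earlier server is
            # down, times out or answers SERVFAIL, and DC location then fails.
            # External resolution belongs in smb.conf's 'dns forwarder', not here.
            findings.append("nameserver %s is not an AD DC; move it to 'dns forwarder' in smb.conf" % ns)
    if own in dcs:
        others = [ns for ns in nameservers if ns in dcs and ns != own]
        if not others:
            findings.append("DC lists no other DC, so AD names stop resolving whenever its own samba is down")
        elif nameservers[0] == own:
            findings.append("DC lists itself first; the suggested order is the other DC first, itself second")
    if len(nameservers) > MAXNS:
        findings.append("%d nameservers listed; only the first %d are used" % (len(nameservers), MAXNS))
    return findings


DCS = ["192.168.200.25", "192.168.200.4"]

# Constructed from the files posted in the thread
DC1_AS_POSTED = """domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10
"""
DC1_SUGGESTED = """search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.25
"""
FILESERVER_AS_POSTED = """search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10
"""

if __name__ == "__main__":
    for name, text, ip in (("dc1 as posted", DC1_AS_POSTED, "192.168.200.25"),
                           ("dc1 suggested", DC1_SUGGESTED, "192.168.200.25"),
                           ("file-server as posted", FILESERVER_AS_POSTED, "192.168.200.3")):
        print(name, check_resolv_conf(text, ip, DCS, "empresa.com.br") or "ok")
```

Run against the posted files it flags the forwarder entry on both dc1 and the file server and the missing second DC on dc1; the suggested dc1 file passes. The same function can be run on every domain member, with its own address as own_ip, to catch the mixed resolver setups that produce intermittent "Could not find a DC for domain" errors.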

Re: Problems with GPO

Samba - General mailing list
In reply to this post by Samba - General mailing list
On 2016-11-04 at 10:10, L.P.H. van Belle via samba wrote:

> Just make it yourself a bit more easy.
>
> Setup sysvol like this.
>
> [sysvol]
>         path = /home/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acls = yes
>
> Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
> Or atleast check them, the defaults should be ok.

I get errors around inconsistent permissions for SYSVOL.
Share is set up as mentioned above.

Whom should I chown that dir to on the Linux level?
Should I run or avoid that sysvolreset thingy?

thx

getting there slowly ;-)



Re: Problems with GPO

Samba - General mailing list
In reply to this post by Samba - General mailing list
Don't chown, don't run samba-tool ntacl sysvolreset.

Just fix the rights from Windows and test.
If the Windows event log is ok, then don't touch sysvol again, only set up/change GPOs.

If GPOs don't work, what is the event ID and error message?

Greetz,

Louis
PS: I'm sick and only have mail available, so I'm a bit slow in responding.

> On 8 Jul 2017 at 10:42, Stefan G. Weichinger via samba <[hidden email]> wrote:



Re: Problems with GPO

Samba - General mailing list
On 2017-07-08 at 15:20, L.P.H. van Belle via samba wrote:
> dont chown, dont run samba-tool ntacl sysvolreset.
>
> just fix the rights from  windows and test.
> if the win event log is ok, then dont touch sysvol again, only setup/change gpo's.
>
> if gpos dont work, what is the event id and error message.

Seems I have solved it already, no more errors when I edit GPOs with RSAT.

Real-world test tomorrow morning, when the users log in again.

> greetz,
>
> Louis
> ps im sick and only mail available so im bit slow in responce.

oh, sad to hear. Best wishes, recover soon (and take the time it needs).


Re: Problems with GPO

Samba - General mailing list
In reply to this post by Samba - General mailing list
Good to hear you made it all work :-) And thanks, it's getting better, not there yet, a few more days the doc says.. some nasty virus hit me.. takes time and rest... the rest, I don't mind ;-)

Greetz

Louis
 

> On 9 Jul 2017 at 11:23, Stefan G. Weichinger via samba <[hidden email]> wrote:

