[Samba] Samba4 Disable USB ports

Achim Gottinger achim at ag-web.biz
Fri May 22 09:26:34 MDT 2015


Hi Gabriel,

I'll answer to the list's email address.

On 22.05.2015 at 16:54, Gabriel Franca wrote:
> follows the output of the command:
>
>   attr -l /var/lib/samba/sysvol
> Attribute "SGI_ACL_FILE" has a 124 byte value for /var/lib/samba/sysvol
> Attribute "SGI_ACL_DEFAULT" has a 124 byte value for /var/lib/samba/sysvol
> Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol
>
> att,
>
> Gabriel Franca
Thank you for the test. xfs should have xattrs enabled by default. Can 
you post your smb.conf here, please?

Another xattr test I found here 
https://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html is:

getfattr -n security.NTACL /var/lib/samba/sysvol

Also are there any other errors if you run sysvolreset?

achim~
>
>
>> On 22/05/2015, at 10:40, Achim Gottinger <achim at ag-web.biz> wrote:
>>
>> Hello Gabriel,
>>
>>
>> On 22.05.2015 at 15:23, Gabriel Franca wrote:
>>> Good morning people,
>>>
>>> I make the case that Achim Gottinger passed.
>>>
>>> samba-tool ntacl sysvolreset and received the following information:
>>> Segmentation fault (core of the recorded image)
>>>
>>> then sent a samba-tool ntacl sysvolcheck and received the following:
>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
>>>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>>>     lp)
>>>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1717, in checksysvolacl
>>>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>>   File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl
>>>     xattr.XATTR_NTACL_NAME)
>>>
>>> Will this be the source of my problem? hehehehe
>>>
>>> Remember that I'm using CentOS 7 and Samba version 
>>> 4.1.17-Sernet-RedHat-11.el7
>>>
>>> Sincerely,
>>>
>>> Gabriel Franca
>>>
>>>
>> This error looks like you have not enabled xattrs on the partition 
>> where sysvol resides. In case it is an ext3/4 partition, do you have acl 
>> and user_xattr in the mount options?
>>
>> What is the output of
>>
>> attr -l /var/lib/samba/sysvol
>>
>> Use the location of the sysvol folder on your server in the above example.
>> On my server I get
>>
>> Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol
>>
>> achim~
>>>
>>>> On 22/05/2015, at 11:22, Achim Gottinger <achim at ag-web.biz> wrote:
>>>>
>>>> Hello Gabriel,
>>>>
>>>> I recommend you use
>>>>
>>>> gpupdate /force
>>>>
>>>> on the windows command line after login.
>>>> The results of the above command can be checked afterwards with the 
>>>> "gpresult" command.
>>>>
>>>> It may be that you have a permission problem on your samba server. I only 
>>>> skimmed over the thread, but did you try
>>>> samba-tool ntacl sysvolreset
>>>> on your samba server?
>>>>
>>>> achim~
>>>>
>>>> On 22.05.2015 at 12:08, Gabriel Franca wrote:
>>>>> Good morning Daniel,
>>>>>
>>>>> The change that I spoke of has to be done on the server.
>>>>>
>>>>> Every user created in Samba4 receives the "Domain Users" group as 
>>>>> primary.
>>>>>
>>>>> I did several tests on the GPO to no avail.
>>>>>
>>>>> When I took the user out of "Domain Users" and put it in "Domain 
>>>>> Admins", the GPO that makes the changes now operates.
>>>>>
>>>>> I believe that because "Domain Users" did not have privileges to 
>>>>> edit the GPO record on the station, it cannot be applied.
>>>>>
>>>>> I wonder if the guys who are using Samba 4 are successfully using 
>>>>> GPOs with "Domain Users".
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Gabriel Franca
>>>>>
>>>>>
>>>>>
>>>>>> On 22/05/2015, at 09:01, Daniel Carrasco Marín 
>>>>>> <danielmadrid19 at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca 
>>>>>> <gabriel.franca at gmail.com>:
>>>>>>
>>>>>> I found it strange, and it is something I have already noticed for a while.
>>>>>>
>>>>>> No GPO is applied when the user is in "Domain Users", so I 
>>>>>> wonder if I'm doing something wrong or I have to change something.
>>>>>>
>>>>>> I believe the "Domain Users" are not allowed to change the 
>>>>>> Windows registry, hence the issue.
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Gabriel Franca
>>>>>>
>>>>>>
>>>>>> I don't know if it is a Windows problem, but I've got the same 
>>>>>> behavior trying to set firewall rules. I've fixed the problem by 
>>>>>> changing "Domain Users" in the GPO "Security Filter" to 
>>>>>> "Authenticated Users" and now it is working fine.
>>>>>>
>>>>>> I hope this helps.
>>>>>>
>>>>>> Greetings!!
>>>>>>
>>>>>>> On 22/05/2015, at 02:31, Neil <nwilson123 at gmail.com> wrote:
>>>>>>>
>>>>>>> Good morning everyone,
>>>>>>>
>>>>>>> Gabriel: I haven't had a chance to test this yet, but I'm also 
>>>>>>> needing the same, i.e. Domain Users to have the GPO applied. Did 
>>>>>>> you come right with this?
>>>>>>>
>>>>>>> Andrey: Thank you for letting me know about the SysVol 
>>>>>>> replication across DC's. I haven't enabled this yet and will be 
>>>>>>> doing so; is there anything I should watch out for? I'll just be 
>>>>>>> using the 
>>>>>>> "https://wiki.samba.org/index.php/SysVol_Replication" 
>>>>>>> because I don't require Bi-Directional Replication.
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>> Neil Wilson.
>>>>>>>
>>>>>>>
>>>>>>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca 
>>>>>>> <gabriel.franca at gmail.com> wrote:
>>>>>>> Good morning friends !!!
>>>>>>>
>>>>>>> I am following this topic and performed some tests to validate 
>>>>>>> the process and noted the following.
>>>>>>>
>>>>>>> 1) When the user is in "Domain Users", the GPO is not applied.
>>>>>>>
>>>>>>> 2) When the user is in "Domain Admins", the GPO is applied.
>>>>>>>
>>>>>>> Is there any way to apply the GPOs to "Domain Users"?
>>>>>>>
>>>>>>> Sincerely,
>>>>>>>
>>>>>>> Gabriel Franca
>>>>>>>
>>>>>>>
>>>>>>>> On 20/05/2015, at 09:37, Neil <nwilson123 at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Louis,
>>>>>>>>
>>>>>>>> Thank you very much for your speedy response. I'll definitely 
>>>>>>>> go ahead and
>>>>>>>> investigate further.
>>>>>>>>
>>>>>>>> Much appreciated.
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>>
>>>>>>>> Neil Wilson.
>>>>>>>>
>>>>>>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle 
>>>>>>>> <belle at bazuin.nl> wrote:
>>>>>>>>
>>>>>>>>> yes, this is possible, by GPO.
>>>>>>>>>
>>>>>>>>> In GPO, go to:
>>>>>>>>> (user or computer )Configuration
>>>>>>>>>        - Policy
>>>>>>>>>                – Administrative template
>>>>>>>>>                        – System
>>>>>>>>>                                – Removable storage Access
>>>>>>>>>
>>>>>>>>> Play with these settings to get what you want.
>>>>>>>>>
>>>>>>>>> for Managing Hardware Restrictions via Group Policy read :
>>>>>>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Greetz,
>>>>>>>>>
>>>>>>>>> Louis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original message-----
>>>>>>>>>> From: nwilson123 at gmail.com 
>>>>>>>>>> [mailto:samba-bounces at lists.samba.org] 
>>>>>>>>>> On behalf of Neil
>>>>>>>>>> Sent: Wednesday 20 May 2015 12:10
>>>>>>>>>> To: samba
>>>>>>>>>> Subject: [Samba] Samba4 Disable USB ports
>>>>>>>>>>
>>>>>>>>>> Hi guys,
>>>>>>>>>>
>>>>>>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with 
>>>>>>>>>> another 4
>>>>>>>>>> Samba4 DC's all joined to the same AD domain myorg.local
>>>>>>>>>>
>>>>>>>>>> My client wants me to disable all USB ports for all the users
>>>>>>>>>> joined to the
>>>>>>>>>> domain.
>>>>>>>>>>
>>>>>>>>>> Is it possible to do this via a group policy so that users
>>>>>>>>>> logging onto any
>>>>>>>>>> of the DC's will not be able to use their USB ports?
>>>>>>>>>>
>>>>>>>>>> I currently admin my AD with a combination of the samba-tool
>>>>>>>>>> as well as the
>>>>>>>>>> AD Users and Groups MMC Windows utility.
>>>>>>>>>>
>>>>>>>>>> Any guidance is greatly appreciated.
>>>>>>>>>>
>>>>>>>>>> Thank you.
>>>>>>>>>>
>>>>>>>>>> Regards.
>>>>>>>>>>
>>>>>>>>>> Neil Wilson
>>>
>>
>
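
An added example, not part of the original thread or of Samba's code: a Python version of the `getfattr -n security.NTACL` test from the reply above, applied to every path under sysvol. It separates errno 61 (ENODATA, the value in the quoted traceback, meaning the attribute is absent on that path) from ENOTSUP (the filesystem rejects the xattr); the `getxattr` parameter is a hypothetical hook added so the logic can be exercised without a real sysvol.

```python
import errno
import os
import sys

# Attribute name taken from the getfattr command quoted in the thread.
NTACL_XATTR = "security.NTACL"


def ntacl_state(path, getxattr=None):
    """Classify one path as present / missing / unsupported / denied / error.

    getxattr is injectable (hypothetical parameter, added for offline testing);
    it defaults to os.getxattr, which is only available on Linux.
    """
    getxattr = getxattr or os.getxattr
    try:
        value = getxattr(path, NTACL_XATTR)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            # errno 61, 'No data available': xattrs work, this attribute is absent.
            return "missing", "attribute not set on this path"
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported", "filesystem does not accept this xattr"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied", "no permission to read the attribute"
        return "error", os.strerror(exc.errno or 0)
    return "present", "%d byte value" % len(value)


def scan_tree(root, getxattr=None):
    """Walk root and group every directory and file by its NTACL state."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, name) for name in files]:
            state, _detail = ntacl_state(path, getxattr)
            report.setdefault(state, []).append(path)
    return report


if __name__ == "__main__":
    # Default path is the sysvol location used in the thread.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/samba/sysvol"
    for state, paths in sorted(scan_tree(root).items()):
        print("%-11s %d path(s)" % (state, len(paths)))
        for path in paths[:5] if state != "present" else []:
            print("    " + path)
```

Run as root on the DC with the sysvol path as the only argument; paths reported as "missing" are the ones on which `samba-tool ntacl sysvolcheck` would hit the same errno.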


