[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

lingpanda101 lingpanda101 at gmail.com
Thu Jan 12 19:07:47 UTC 2017


On 1/12/2017 1:46 PM, Richard via samba wrote:
> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013    =>  CT\domain admins:x:10013:
>
> wbinfo --gid-info=10014   => CT\domain users:x:10014:
>
> wbinfo --uid-info=3000000 => BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
>
> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
>
> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013"  - I can remove this no problem
>
> Yes I have set "domain users" to have NIS domain "CT" and GID "10014"  - I can remove this no problem
>
> No I haven't set a UID or GID for Administrator
>
> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?
>
> Please let me know if I should go ahead and remove the GIDs from "domain admins" and "domain users"
>
> thanks again!
>
> Richard
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: 12 January 2017 19:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>
> On 1/12/2017 11:41 AM, Richard via samba wrote:
>> Hi Andrew,
>>
>> thanks so much for the feedback.
>>
>> Yes, you're 100% right.  I'm new at this and originally changed the
>> default GPO, however subsequently reset the default and created a new
>> GPO. (so this getfacl output is post creation of a new GPO)
>>
>> The getfacl output is shown here:
>>
>> # getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>> getfacl: Removing leading '/' from absolute path names
>> # file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>> # owner: root
>> # group: 10013
>> user::rwx
>> user:root:rwx
>> user:3000002:rwx
>> user:3000003:r-x
>> user:3000006:rwx
>> user:3000010:r-x
>> group::rwx
>> group:10013:rwx
>> group:10014:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> group:3000006:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:user:3000006:rwx
>> default:user:3000010:r-x
>> default:group::---
>> default:group:10013:rwx
>> default:group:10014:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:3000006:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>> lingpanda101 via samba
>> Sent: 12 January 2017 18:07
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when
>> setting up Group Policies
>>
>> On 1/12/2017 7:07 AM, Richard via samba wrote:
>>> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>>>
>>> I now need to set up a group policy on the DC but I am having
>>> problems with the internal sysvol and netlogon shares.
>>>
>>> Via the Windows Group Policy Manager snap-in I successfully created a
>>> GPO specifying the DC as the primary time source for all clients,
>>> using the Administrator user
>>>
>>> ...but my windows domain test client "ignores" the new policy
>>> completely and in the event log on the client I see the following:
>>>
>>> The processing of Group Policy failed. Windows attempted to read the
>>> file \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>>> <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F-00C04FB984F9%7d/gpt.ini>
>>> from a domain controller and was not successful.
>>> Group Policy settings may not be applied until this event is resolved.
>>> This issue may be transient and could be caused by one or more of the following:
>>>
>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>
>>> b) File Replication Service Latency (a file created on another domain
>>> controller has not replicated to the current domain controller).
>>>
>>> c) The Distributed File System (DFS) client has been disabled.
>>>
>>> On further investigation on the domain controller itself:
>>>
>>> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>>>
>>> returns a valid directory listing, but running the same command for
>>> any other valid domain account returns:
>>>
>>> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>>
>>> NT_STATUS_ACCESS_DENIED listing \*
>>>
>>> ...so it appears that normal domain accounts are unable to access the
>>> sysvol share, which would explain the error returned by the windows
>>> client. (the same applies to the netlogon share)
>>>
>>> Among other things, I have run:
>>>
>>> samba-tool ntacl sysvolreset
>>>
>>> but the problem persists.
>>>
>>> So it appears there is something wrong with the permissions on these
>>> shares but I am at my wit's end trying to correct the issue.
>>>
>>> Any help would be greatly appreciated!
>>>
>>> Thanks in advance
>>>
>>> Richard
>>>
>> It looks as if you are trying to modify the default domain policy GPO?
>> I normally don't touch that policy but create additional ones. What is
>> the output of
>>
>> getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>>
>> Can you create a new GPO with your settings and check the permissions again?
>>
>> --
>> - James
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> It looks as if you are using 'idmap_ldb:use rfc2307 = Yes' in your smb.conf? It also looks as if you have given 'Domain Admins' a GID number? I have noticed problems in the past if I gave Domain Admins a GID. I would remove it.  It also looks as if you may have given Administrator a UID? After removing the UID and GID attempt to reset your sysvol. What is the output of the following before you do though?
>
> wbinfo --gid-info=10013
>
> wbinfo --gid-info=10014
>
> wbinfo --uid-info=3000000
>
> wbinfo --uid-info=3000008
>
>
>
>
>
> --
> - James
>
>

Just remove the domain admins GID. Afterwards run sysvolreset and post 
the output of the getfacl command on the GPO again.

-- 
- James
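Added example, not from the thread or from Samba itself: a small POSIX-shell helper that pulls the numeric user/group IDs out of a GPO directory's getfacl output and tags the ones that did not come from Samba's idmap.ldb allocator. It assumes idmap.ldb's default xid base of 3000000, so in the listing above 10013 and 10014 (the hand-set rfc2307 gidNumbers that James's advice removes) are the entries flagged as rfc2307, while 3000002 and friends are allocated xids.

```shell
#!/bin/sh
# Added example (not from the thread): list the numeric IDs in a GPO
# directory's getfacl output and flag those NOT allocated by idmap.ldb.
# Assumption: idmap.ldb xids start at 3000000 (the default base), so any
# lower number is an rfc2307 uidNumber/gidNumber set by hand in AD.
IDMAP_BASE=3000000

# Print deduplicated "user|group ID" pairs from getfacl text on stdin.
# Named entries look like "user:3000002:rwx" or "default:group:10013:rwx";
# "user::rwx", "user:root:rwx", "mask::rwx" and "# group: ..." are skipped.
acl_numeric_ids() {
    sed 's/^default://' |
    awk -F: '($1=="user"||$1=="group") && $2 ~ /^[0-9]+$/ {print $1, $2}' |
    sort -u
}

# Tag each pair from acl_numeric_ids as rfc2307 (hand-set) or idmap (xid).
classify_ids() {
    while read -r kind id; do
        if [ "$id" -lt "$IDMAP_BASE" ]; then
            echo "$kind $id rfc2307"
        else
            echo "$kind $id idmap"
        fi
    done
}

# Number of hand-set IDs in the ACL; nonzero means the sysvol ACL mixes
# rfc2307 numbers with idmap.ldb xids (2 for SAMPLE_ACL below).
count_rfc2307() {
    acl_numeric_ids | classify_ids | grep -c ' rfc2307$'
}

# Constructed sample, trimmed from the getfacl listing posted in the thread.
SAMPLE_ACL='# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
default:group:10013:rwx
default:group:10014:r-x
mask::rwx
other::---'

# Live use: getfacl /path/to/sysvol/.../Policies/{GUID} | acl_numeric_ids | classify_ids
# then resolve each flagged ID with wbinfo --gid-info=ID or wbinfo --uid-info=ID.
printf '%s\n' "$SAMPLE_ACL" | acl_numeric_ids | classify_ids
```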
