[Samba] Sysvol GPO ACLs problem

Pablo Sanz Fernández psanz at empre.es
Mon May 11 11:33:55 UTC 2020


Sorry Rowland, didn't read that part.

Yes, the 'Domain Admins' group has the gidNumber attribute with the value "512", and 'BUILTIN\Server Operators' the value "549".

Regards,

Pablo Sanz Fernández

-----Original Message-----
On 11/05/2020 11:09, Pablo Sanz Fernández wrote:
> Hi Rowland.
>
> It's CentOS 6.10 with Python 2.6.6.
>
> I guess then we must update to CentOS 8 and use Python 3?

That is what I would do. As I said, your problem may have been fixed in 
a later version.

What you haven't answered: have you given any of the Windows groups 
(apart from Domain Users) a gidNumber attribute?

> We are worried about the compatibility of the latest versions of Samba with our Dell EMC Unity storage. We had to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?

It was deprecated from 4.8.0, but luckily it hasn't been removed yet.

Rowland

From: Pablo Sanz Fernández 
Sent: Monday, 11 May 2020 12:09
To: 'samba at lists.samba.org' <samba at lists.samba.org>
CC: 'rpenny at samba.org' <rpenny at samba.org>
Subject: RE: Sysvol GPO ACLs problem

Hi Rowland.

It's CentOS 6.10 with Python 2.6.6.

I guess then we must update to CentOS 8 and use Python 3?

We are worried about the compatibility of the latest versions of Samba with our Dell EMC Unity storage. We had to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?

Regards,

Pablo Sanz Fernández

On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> Hi,
>
> We are having problems with sysvol AD shared folder in a Samba 4.9.13 AD.
>
> It has been running smoothly until recently, and we don't know how to fix it. We detected the problem trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, so this is not a literal translation): "this security identifier cannot be assigned as object owner".
>
> If we execute in the linux DC a sysvol check (samba-tool ntacl sysvolcheck), we get this error:
>
> [https://lists.samba.org/mailman/listinfo/samba ~]# samba-tool ntacl sysvolcheck
> O:LAG:DAD:P does not match expected value O:DAG:DAD:P

I have stripped that down to the difference; have you given the Domain Admins group a gidNumber attribute?
>
>
> And, if we execute a sysvol acl reset, we get this:
>
> [https://lists.samba.org/mailman/listinfo/samba ~]# samba-tool ntacl sysvolreset
> WARNING: The "server schannel" option is deprecated
> WARNING: The "server schannel" option is deprecated 
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13) Please read the 
> Trouble-Shooting section of the Samba HOWTO 
> ===============================================================
> PANIC (pid 22555): internal error
It shouldn't panic.
> We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
>
> [https://lists.samba.org/mailman/listinfo/samba ~]# /usr/oper/samba-check-set-sysvol.sh
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-32-549 to uid

Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber?

> Please, do you know how to fix this, or at least where to begin?

What OS is this?

4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba? 
Your problem may already have been fixed.

Rowland
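As an added example (not from this thread, and not Samba's own tooling): a small Python parser for the SDDL strings that `samba-tool ntacl sysvolcheck` prints, which names the field that differs instead of leaving you to compare "O:LAG:DAD:P" and "O:DAG:DAD:P" by eye. The names `SID_NAMES`, `parse_sddl` and `diagnose_sysvolcheck` are mine; the alias table is a subset of the documented SDDL SID strings plus the raw SID quoted above, and the sample line is constructed from the output quoted in this thread.

```python
import re

# Subset of the documented SDDL SID-string aliases, plus the raw SID that
# the script error above mentions (S-1-5-32-549 = BUILTIN\Server Operators).
SID_NAMES = {
    "LA": "Local Administrator account",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "SO": "BUILTIN\\Server Operators",
    "BA": "BUILTIN\\Administrators",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}

# Owner, group and optional DACL. SID strings never contain ':', so the lazy
# matches stop at the next 'G:' / 'D:' marker. A SACL ('S:') is not split out.
_SDDL_RE = re.compile(r"O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)(?:D:(?P<dacl>.*))?")
_MISMATCH_RE = re.compile(r"(?P<actual>\S+) does not match expected value (?P<expected>\S+)")


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACE list."""
    m = _SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl") or ""
    return {
        "owner": m.group("owner"),
        "group": m.group("group"),
        "dacl_flags": dacl.split("(", 1)[0],  # e.g. "P": protected, no inheritance
        "aces": re.findall(r"\(([^)]*)\)", dacl),
    }


def _name(field, value):
    return SID_NAMES.get(value, value) if field in ("owner", "group") else value


def diagnose_sysvolcheck(line):
    """For an 'X does not match expected value Y' line, return one
    (field, actual, expected) triple per differing field; [] otherwise."""
    m = _MISMATCH_RE.search(line)
    if m is None:
        return []
    actual, expected = parse_sddl(m.group("actual")), parse_sddl(m.group("expected"))
    return [(f, _name(f, actual[f]), _name(f, expected[f]))
            for f in ("owner", "group", "dacl_flags", "aces") if actual[f] != expected[f]]


# Constructed sample: the sysvolcheck line quoted in this thread, minus the prompt.
SAMPLE_LINE = "O:LAG:DAD:P does not match expected value O:DAG:DAD:P"

if __name__ == "__main__":
    for field, got, want in diagnose_sysvolcheck(SAMPLE_LINE):
        print("%s: got %s, expected %s" % (field, got, want))
```

For the quoted line this reports only the owner field: the file is owned by the Local Administrator account where Domain Admins is expected, which is the difference Rowland's gidNumber question is about.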
