[Samba] Strange GPO rights samba 4.2.1
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 24 02:52:53 MDT 2015
Hai,
I'm having a strange thing with SerNet Samba 4.2.1 on Debian wheezy.
I installed 2 DCs with my scripts.
I did set up the sysvol replication, and now I'm seeing the following when I create new policies.
The default GPOs:
drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
The new policy I created:
drwxrwx---+ 4 domain admins domain admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
Check these strange rights.
Because of the "domain admins domain admins" rights, and why is user root here created as "domain admins"?
When I now run:
/usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *" /home/samba/sysvol root@dc2:/home/samba && /usr/bin/unison
I'm getting these errors:
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/scripts/
I created the new policy with the user "Domain\Administrator" from within the Windows tools from a Windows 7 PC, as normal.
Anyone else seen this behavior?
This is the conf I'm using atm:
[global]
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
auth methods = sam, winbind, ntdomain, ntdomain:winbind
## KEEP THIS OFF !! Only used for modifying the AD Schema
## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
sdb:schema update allowed = no
## Don't forget to set the idmap_ldb on ALL DCs if you use it
idmap_ldb:use rfc2307 = yes
## map IDs outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config BAZRTD : backend = ad
idmap config BAZRTD : schema_mode = rfc2307
idmap config BAZRTD : range = 10000-3999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 3
## When using idmap backend RID enable these
## ( or for users without UID/GID, for example administrator )
#template shell = /bin/bash
#template homedir = /home/users/%ACCOUNTNAME%
interfaces = 127.0.0.1 192.168.249.211
bind interfaces only = yes
time server = yes
wins support = yes
## Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
[sysvol]
path = /home/samba/sysvol
read only = No
[backups]
path = /home/samba/backups
Browsable = No
read only = No
acl_xattr:ignore system acl = yes
Greetz,
Louis