[Samba] Strange GPO rights samba 4.2.1

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 24 03:06:25 MDT 2015


On 24/04/15 09:52, L.P.H. van Belle wrote:
> Hi,
>   
> I'm having a strange thing with Sernet Samba 4.2.1 on Debian Wheezy.
>   
> I installed 2 DCs with my scripts.
>   
> I set up the sysvol replication and now I'm seeing the following when I create new policies.
>   
> The default GPOs:
> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>   
> The new policy I created:
> drwxrwx---+ 4 domain admins domain admins          4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>
> Check these strange rights.
> Because of the "domain admins domain admins" rights; and why is user root created here as "domain admins"?
>   
> When I now run:
> /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *"  /home/samba/sysvol root at dc2:/home/samba  &&  /usr/bin/unison
>   
> I'm getting these errors:
>   
> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
> sysvol/internal.domain.tld/scripts/
>
>
> I created the new policy with the user "Domain\Administrator" from within the Windows tools on a Windows 7 PC, as normal.
>   
> Has anyone else seen this behaviour?
>   
> This is the conf I'm using at the moment:
>   
> [global]
>          workgroup = INTERNAL
>          realm = INTERNAL.DOMAIN.TLD
>          netbios name = DC1
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>          auth methods = sam, winbind, ntdomain, ntdomain:winbind
>   
>          ## KEEP THIS OFF !! Only used for modifying the AD schema
>          ## ONLY DONE ONCE ON THE DC WITH THE FSMO roles
>          sdb:schema update allowed = no
>   
>          ## Don't forget to set the idmap_ldb on ALL DCs if you use it
>          idmap_ldb:use rfc2307 = yes
>   
>          ## map IDs from outside the domain to tdb files.
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>   
>          ## map IDs from the domain; this range and the (*) range may not overlap!
>          idmap config BAZRTD : backend = ad
>          idmap config BAZRTD : schema_mode = rfc2307
>          idmap config BAZRTD : range = 10000-3999999
>   
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind expand groups = 3
>   
>          ## When using idmap backend RID enable these
>          ## ( or for users without UID/GID, for example administrator )
>          #template shell = /bin/bash
>          #template homedir = /home/users/%ACCOUNTNAME%
>   
>          interfaces = 127.0.0.1 192.168.249.211
>          bind interfaces only = yes
>          time server = yes
>          wins support = yes
>   
>          ## Disable printing completely
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
>   
> [netlogon]
>          path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>          read only = No
>
> [sysvol]
>          path = /home/samba/sysvol
>          read only = No
>
> [backups]
>          path = /home/samba/backups
>          Browsable = No
>          read only = No
>          acl_xattr:ignore system acl = yes
>
>   
>   
> Greetz,
>   
> Louis
>   

Hi Louis, I wonder if this is down to the use of 'winbindd'; there have 
been a couple of problems reported that seem to be caused by the use of 
it. Do you want to try using the old 'winbind' instead and see if this 
cures the problem?

Rowland
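Two things in Louis's post are worth checking mechanically on a DC before the rsync step runs: the smb.conf comment that the default (*) idmap range and the domain range must not overlap, and the ownership anomaly on the freshly created GPO directory that shows up just before the rsync set_acl errors. The script below is an added example and is not code from the thread or from the Samba project. It assumes a POSIX sh with sed, awk and ls, that the caller passes the expected numeric owner of the GPO directories (0 for root on the DCs in the thread), and it reuses the paths from the thread only as an illustration of how it would be called.

```shell
#!/bin/sh
# Pre-flight checks to run on a Samba AD DC before the sysvol rsync from the
# thread. Added example; not code from the thread or from the Samba project.
# Assumptions (not in the original post): POSIX sh with sed, awk and ls; the
# caller supplies the expected numeric owner of the GPO directories.

# idmap_ranges_overlap SMB_CONF
# Parses every "idmap config <DOMAIN> : range = LOW-HIGH" line and reports
# each pair of domains whose ranges overlap (the '*' default range and a
# named domain's range must be disjoint). Returns 0 if disjoint, 1 otherwise.
idmap_ranges_overlap() {
    conf="$1"
    # Normalise to "DOMAIN LOW HIGH" triples, tolerating arbitrary spacing
    # around the colon, the '=' and the '-'.
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^: ]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$conf" |
    awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            # Two closed intervals overlap iff each starts before the other ends.
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "idmap overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# gpo_owner_check POLICIES_DIR EXPECTED_UID
# Lists every GPO directory under POLICIES_DIR whose Unix owner is not
# EXPECTED_UID and notes whether an extended POSIX ACL is present (the '+'
# in the mode string, as in Louis's listing). Uses numeric ids (ls -n) so an
# owner such as "domain admins", whose name contains a space, cannot be
# mis-split. Returns 0 if every directory matches, 1 otherwise.
gpo_owner_check() {
    dir="$1"; want="$2"; bad=0
    for g in "$dir"/*/; do
        [ -d "$g" ] || continue
        g=${g%/}
        set -- $(ls -ldn "$g")          # $1 mode, $3 uid, $4 gid
        mode="$1"; uid="$3"; gid="$4"
        acl=""
        case "$mode" in *+) acl=" (extended ACL present)" ;; esac
        if [ "$uid" != "$want" ]; then
            printf 'unexpected owner uid=%s gid=%s on %s%s\n' "$uid" "$gid" "$g" "$acl"
            bad=1
        fi
    done
    return "$bad"
}

# Usage on dc1 (as root), gating the rsync from the thread on both checks:
#   idmap_ranges_overlap /etc/samba/smb.conf &&
#   gpo_owner_check /home/samba/sysvol/internal.domain.tld/Policies 0 &&
#   /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after \
#       -f"+ */" -f"- *" /home/samba/sysvol root@dc2:/home/samba
```

The ownership check reads numeric ids on purpose: a naive `ls -ld | awk '{print $3}'` would split the owner "domain admins" from Louis's listing into two fields and silently compare the wrong token.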


