[Samba] Strange GPO rights samba 4.2.1
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 24 03:22:34 MDT 2015
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 24 April 2015 11:06
>To: samba at lists.samba.org
>Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>
>On 24/04/15 09:52, L.P.H. van Belle wrote:
>> Hai,
>>
>> I'm having a strange thing with sernet samba 4.2.1 on debian wheezy.
>>
>> I installed 2 DCs with my scripts.
>>
>> I did set up the sysvol replication and now I'm seeing the following when I create new policies.
>>
>> The default GPOs:
>> drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
>> drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>
>> The new policy I created:
>> drwxrwx---+ 4 domain admins domain admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>>
>> Check these strange rights..
>> Because of the " domain admins domain admins " rights, and why is user root here created as "domain admins"?
>>
>> When I now run:
>> /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *" /home/samba/sysvol root at dc2:/home/samba && /usr/bin/unison
>>
>> I'm getting these errors:
>>
>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
>> sysvol/internal.domain.tld/scripts/
>>
>>
>> I created the new policy with the user "Domain\Administrator" from within the windows tools from a windows 7 pc as normal..
>>
>> Anyone else seen this behavior?
>>
>> This is the conf I'm using atm.:
>>
>> [global]
>> workgroup = INTERNAL
>> realm = INTERNAL.DOMAIN.TLD
>> netbios name = DC1
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>
>> ## KEEP THIS OFF !! Only used for modifying the AD Schema
>> ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>> dsdb:schema update allowed = no
>>
>> ## Don't forget to set the idmap_ldb on ALL DCs if you use it
>> idmap_ldb:use rfc2307 = yes
>>
>> ## map ids outside the domain to tdb files.
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>>
>> ## map ids from the domain; this range and the (*) range may not overlap!
>> idmap config BAZRTD : backend = ad
>> idmap config BAZRTD : schema_mode = rfc2307
>> idmap config BAZRTD : range = 10000-3999999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind expand groups = 3
>>
>> ## When using idmap backend RID enable these
>> ## ( or for users without UID/GID, for example administrator )
>> #template shell = /bin/bash
>> #template homedir = /home/users/%ACCOUNTNAME%
>>
>> interfaces = 127.0.0.1 192.168.249.211
>> bind interfaces only = yes
>> time server = yes
>> wins support = yes
>>
>> ## Disable printing completely
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> [netlogon]
>> path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>> read only = No
>>
>> [sysvol]
>> path = /home/samba/sysvol
>> read only = No
>>
>> [backups]
>> path = /home/samba/backups
>> Browsable = No
>> read only = No
>> acl_xattr:ignore system acl = yes
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>
>Hi Louis, I wonder if this is down to the use of 'winbindd', there have
>been a couple of problems reported that seem to be caused by the use of
>it. Do you want to try using the old 'winbind' instead and see if this
>cures the problem?
>
>Rowland
>
OK, the following is seen.
I only changed winbindd to winbind in the smb.conf.
## samba 4.2.1 : winbindd
id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
## samba 4.2.1 : winbind
id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(INTERNAL\Group Policy Creator Owners),3000006(INTERNAL\Enterprise Admins),3000008(INTERNAL\Domain Admins),3000007(INTERNAL\Schema Admins)
ls -al in the Policies folder now gives (## samba 4.2.1 : winbind):
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
This does not look right to me.. :-/
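Added example, written for this page and not taken from the thread or from the Samba project: a POSIX shell check that compares how two DCs resolve the numeric owner and group of each sysvol directory before `rsync -A` carries the ACLs from one to the other. The listing above shows the symptom this catches: a gid or uid that one DC can only show as a number (3000008, 3000000) is one its idmap cannot translate, and if the other DC maps the same name to a different number, the replicated ACL entries no longer mean the same thing on both sides. Assumptions: GNU `stat --printf` is available to produce the per-DC listings with the `find`/`stat` command in the comment; the two listings embedded below are constructed samples modelled on the `ls -al` output in the thread, not real output from these DCs, and the names `check_sysvol_ids`, `row`, `DC1_LISTING` and `DC2_LISTING` are my own.

```shell
#!/bin/sh
# check_sysvol_ids: compare owner/group resolution of sysvol directories on two DCs.
# Each listing has one tab-separated line per directory:
#   uid <TAB> owner name <TAB> gid <TAB> group name <TAB> path
# On a real DC (assumed GNU stat) it would be produced with:
#   cd /home/samba/sysvol && find . -type d -exec stat --printf '%u\t%U\t%g\t%G\t%n\n' {} +
# GNU stat prints UNKNOWN for a uid/gid it cannot resolve; ls shows the bare number.

row() { printf '%s\t%s\t%s\t%s\t%s\n' "$@"; }

# Constructed sample listings modelled on the thread's ls output (not real data).
# DC1 resolves everything; DC2 disagrees on one gid and cannot resolve 3000008 at all.
DC1_LISTING=$(
  row 0 root 3000000 'BUILTIN\administrators' 'Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}'
  row 0 root 3000000 'BUILTIN\administrators' 'Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}'
  row 3000008 'BAZRTD\Domain Admins' 3000008 'BAZRTD\Domain Admins' 'Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}'
)
DC2_LISTING=$(
  row 0 root 3000000 'BUILTIN\administrators' 'Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}'
  row 0 root 3000010 'BUILTIN\administrators' 'Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}'
  row 3000008 UNKNOWN 3000008 UNKNOWN 'Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}'
)

# check_sysvol_ids LISTING_DC1 LISTING_DC2
# Prints one line per path whose owner or group does not resolve identically
# on both DCs; returns 1 if any were found, 0 if the mappings agree.
check_sysvol_ids() {
    a=$(mktemp) && b=$(mktemp) || return 2
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    awk -F '\t' '
        # a name that is numeric or UNKNOWN means the idmap could not translate the id
        function unresolved(n) { return n == "UNKNOWN" || n ~ /^[0-9]+$/ }
        # first file: remember what DC1 says about every path
        NR == FNR { uid[$5] = $1; oname[$5] = $2; gid[$5] = $3; gname[$5] = $4; next }
        # second file: compare DC2 against the stored DC1 view
        {
            p = $5
            if (!(p in uid)) { print p ": present on second DC only"; bad++; next }
            if (unresolved(oname[p]) || unresolved($2))
                { print p ": owner uid " $1 " does not resolve to a name on both DCs"; bad++ }
            else if (oname[p] != $2 || uid[p] != $1)
                { print p ": owner " oname[p] "(" uid[p] ") on first DC vs " $2 "(" $1 ") on second"; bad++ }
            if (unresolved(gname[p]) || unresolved($4))
                { print p ": group gid " $3 " does not resolve to a name on both DCs"; bad++ }
            else if (gname[p] != $4 || gid[p] != $3)
                { print p ": group " gname[p] "(" gid[p] ") on first DC vs " $4 "(" $3 ") on second"; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    ' "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# Stand-alone run over the constructed samples.
if check_sysvol_ids "$DC1_LISTING" "$DC2_LISTING"; then
    echo "sysvol owners and groups resolve identically on both DCs"
else
    echo "the DCs disagree on these mappings; align the id mapping on all DCs before replicating ACLs with rsync -A" >&2
fi
```

The check deliberately looks at names and numbers together: the same name with a different number is as much a problem for `rsync -A` as an unresolvable number, because the receiving side ends up with an ACL entry that names a different principal. It only covers the directory owner and group; the named entries inside the extended ACL that `rsync -A` also copies need the same agreement, and `getfacl` on both DCs can be compared the same way.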