[Samba] Strange GPO rights samba 4.2.1
Rowland Penny
rowlandpenny at googlemail.com
Fri Apr 24 04:30:26 MDT 2015
On 24/04/15 10:22, L.P.H. van Belle wrote:
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday 24 April 2015 11:06
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>>
>> On 24/04/15 09:52, L.P.H. van Belle wrote:
>>> Hai,
>>>
>>> I'm having a strange thing with Sernet Samba 4.2.1 on Debian Wheezy.
>>>
>>> I installed 2 DCs with my scripts.
>>>
>>> I did set up the sysvol replication and now I'm seeing the following when I create new policies.
>>>
>>> The default GPOs:
>>> drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
>>> drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>
>>> The new policy I created:
>>> drwxrwx---+ 4 domain admins domain admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>>> Check these strange rights..
>>> Because of the " domain admins domain admins " rights, and why is user root here created as "domain admins"?
>>>
>>> When I now run:
>>> /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *" /home/samba/sysvol root at dc2:/home/samba && /usr/bin/unison
>>>
>>> I'm getting these errors:
>>>
>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
>>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
>>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
>>> sysvol/internal.domain.tld/scripts/
>>>
>>>
>>> I created the new policy with the user "Domain\Administrator" from within the Windows tools from a Windows 7 PC as normal..
>>>
>>> Anyone else seen this behavior?
>>>
>>> This is the conf I'm using atm.:
>>>
>>> [global]
>>> workgroup = INTERNAL
>>> realm = INTERNAL.DOMAIN.TLD
>>> netbios name = DC1
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>> ## KEEP THIS OFF !! Only used for modifying the AD Schema
>>> ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>>> sdb:schema update allowed = no
>>>
>>> ## Don't forget to set the idmap_ldb on ALL DCs if you use it
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> ## map IDs outside the domain to tdb files.
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>>
>>> ## map ids from the domain and (*) the range may not overlap !
>>> idmap config BAZRTD : backend = ad
>>> idmap config BAZRTD : schema_mode = rfc2307
>>> idmap config BAZRTD : range = 10000-3999999
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind expand groups = 3
>>>
>>> ## When using idmap backend RID enable these
>>> ## ( or for users without UID/GID, for example administrator )
>>> #template shell = /bin/bash
>>> #template homedir = /home/users/%ACCOUNTNAME%
>>>
>>> interfaces = 127.0.0.1 192.168.249.211
>>> bind interfaces only = yes
>>> time server = yes
>>> wins support = yes
>>>
>>> ## Disable printing completely
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>> [netlogon]
>>> path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /home/samba/sysvol
>>> read only = No
>>>
>>> [backups]
>>> path = /home/samba/backups
>>> Browsable = No
>>> read only = No
>>> acl_xattr:ignore system acl = yes
>>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>> Hi Louis, I wonder if this is down to the use of 'winbindd', there have
>> been a couple of problems reported that seem to be caused by the use of
>> it. Do you want to try using the old 'winbind' instead and see if this
>> cures the problem ?
>>
>> Rowland
>>
> OK, the following is seen.
> I only changed winbindd to winbind in the smb.conf.
>
>
> ## samba 4.2.1 : winbindd
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>
>
> ## samba 4.2.1 : winbind
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(INTERNAL\Group Policy Creator Owners),3000006(INTERNAL\Enterprise Admins),3000008(INTERNAL\Domain Admins),3000007(INTERNAL\Schema Admins)
>
>
> ls -al in the policies folder now gives.. (## samba 4.2.1 : winbind)
>
> drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
> drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>
>
> This does not look right to me.. :-/
>
>
>
>
Strange, do you want to try creating another GPO whilst still using 'winbind'?
Rowland
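The rsync run quoted in the thread fails with `set_acl: ... Invalid argument (22)` on the new policy directory, which means the copy on the second DC does not carry the ACL the first DC had, so GPO directories on the two DCs can silently end up with different permissions. A small check over the rsync log that extracts every `set_acl` failure and groups it by GPO GUID makes such drift visible instead of being lost in verbose output. This is an added example, not code from the thread or from the Samba project; the log lines in `SAMPLE_LOG` are constructed to match the shape of the errors quoted above, and the matcher is unanchored so it also works on `--log-file` output, where rsync prefixes each line with a timestamp and pid.

```python
"""Extract rsync set_acl failures from a SYSVOL sync log and group them by GPO.

Added example for the samba list thread above; not part of Samba or rsync.
"""
import re
from collections import defaultdict

# Constructed sample: shaped like the rsync errors quoted in the thread.
SAMPLE_LOG = """\
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
sysvol/internal.domain.tld/scripts/
"""

# Unanchored so an optional "YYYY/MM/DD HH:MM:SS [pid] " log-file prefix is tolerated.
SET_ACL_RE = re.compile(
    r"rsync: set_acl: sys_acl_set_file\((?P<path>[^,]+), (?P<acltype>ACL_TYPE_\w+)\): "
    r"(?P<message>.+?) \((?P<errno>\d+)\)\s*$"
)
# GPO directories under Policies/ are named by their GUID in braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_set_acl_errors(log_text):
    """Return one dict per set_acl failure: path, acltype, errno, message, gpo GUID."""
    errors = []
    for line in log_text.splitlines():
        m = SET_ACL_RE.search(line)
        if not m:
            continue  # plain transfer lines such as ".../Machine/" are not failures
        guid = GUID_RE.search(m.group("path"))
        errors.append({
            "path": m.group("path"),
            "acltype": m.group("acltype"),
            "errno": int(m.group("errno")),
            "message": m.group("message"),
            "gpo": guid.group(0) if guid else None,
        })
    return errors


def summarize_by_gpo(errors):
    """Map each affected GPO GUID to the list of paths whose ACL could not be set."""
    by_gpo = defaultdict(list)
    for err in errors:
        by_gpo[err["gpo"] or "(no GUID in path)"].append(err["path"])
    return dict(by_gpo)


if __name__ == "__main__":
    failures = parse_set_acl_errors(SAMPLE_LOG)
    for gpo, paths in summarize_by_gpo(failures).items():
        print(f"{gpo}: {len(paths)} ACL failure(s)")
        for path in paths:
            print(f"  {path}")
```

Run it against `/var/log/sysvol-sync.log` (the log file named in the quoted rsync command) after each sync; a non-empty result for a policy means that policy's directory on the destination DC should be inspected with `getfacl` before the GPO is trusted there.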