[Samba] Strange GPO rights samba 4.2.1

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 24 04:30:26 MDT 2015


On 24/04/15 10:22, L.P.H. van Belle wrote:
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday 24 April 2015 11:06
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>>
>> On 24/04/15 09:52, L.P.H. van Belle wrote:
>>> Hai,
>>>
>>> I'm having a strange thing with Sernet Samba 4.2.1 on Debian Wheezy.
>>>
>>> I installed 2 DCs with my scripts.
>>>
>>> I did set up the sysvol replication and now I'm seeing the following when I create new policies.
>>>
>>> The default GPOs:
>>> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
>>> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>
>>> The new policy I created:
>>> drwxrwx---+ 4 domain admins domain admins          4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>>> Check these strange rights..
>>> Because of the " domain admins domain admins " rights, and why is user root here created as "domain admins"?
>>>
>>> When I now run:
>>> /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *"  /home/samba/sysvol root at dc2:/home/samba  &&  /usr/bin/unison
>>>
>>> I'm getting these errors:
>>>
>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
>>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
>>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
>>> sysvol/internal.domain.tld/scripts/
>>>
>>>
>>> I created the new policy with the user "Domain\Administrator" from within the Windows tools from a Windows 7 PC as normal..
>>>
>>> Anyone else seen this behaviour?
>>>
>>> This is the conf I'm using atm.:
>>>
>>> [global]
>>>           workgroup = INTERNAL
>>>           realm = INTERNAL.DOMAIN.TLD
>>>           netbios name = DC1
>>>           server role = active directory domain controller
>>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>           dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>           auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>>           ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
>>>           ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
>>>           sdb:schema update allowed = no
>>>
>>>           ## Dont forget to set the idmap_ldb on ALL DC's if you use it
>>>           idmap_ldb:use rfc2307 = yes
>>>
>>>           ## map id's outside to domain to tdb files.
>>>           idmap config * : backend = tdb
>>>           idmap config * : range = 2000-9999
>>>
>>>           ## map ids from the domain and (*) the range may not overlap !
>>>           idmap config BAZRTD : backend = ad
>>>           idmap config BAZRTD : schema_mode = rfc2307
>>>           idmap config BAZRTD : range = 10000-3999999
>>>
>>>           winbind nss info = rfc2307
>>>           winbind trusted domains only = no
>>>           winbind use default domain = yes
>>>           winbind expand groups = 3
>>>
>>>           ## When using idmap backend RID enable these
>>>           ## ( or for users without UID/GID for example adminsitrator )
>>>           #template shell = /bin/bash
>>>           #template homedir = /home/users/%ACCOUNTNAME%
>>>
>>>           interfaces = 127.0.0.1 192.168.249.211
>>>           bind interfaces only = yes
>>>           time server = yes
>>>           wins support = yes
>>>
>>>           ## Disable printing completely
>>>           load printers = no
>>>           printing = bsd
>>>           printcap name = /dev/null
>>>           disable spoolss = yes
>>>
>>> [netlogon]
>>>           path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>>           read only = No
>>>
>>> [sysvol]
>>>           path = /home/samba/sysvol
>>>           read only = No
>>>
>>> [backups]
>>>           path = /home/samba/backups
>>>           Browsable = No
>>>           read only = No
>>>           acl_xattr:ignore system acl = yes
>>>
>>>    
>>>    
>>> Greetz,
>>>    
>>> Louis
>>>    
>> Hi Louis, I wonder if this is down to the use of 'winbindd', there have
>> been a couple of problems reported that seem to be caused by the use of
>> it. Do you want to try using the old 'winbind' instead and see if this
>> cures the problem?
>>
>> Rowland
>>
> OK, the following is seen.
> Only changed winbindd to winbind in the smb.conf.
>
>
> ## samba 4.2.1  :  winbindd
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>
>
> ## samba 4.2.1  :  winbind
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(INTERNAL\Group Policy Creator Owners),3000006(INTERNAL\Enterprise Admins),3000008(INTERNAL\Domain Admins),3000007(INTERNAL\Schema Admins)
>
>
> ls -al in the policies folder now gives..  (## samba 4.2.1  :  winbind)
>
> drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
> drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>
>
> This does not look right to me..  :-/
>
>
>
>

Strange, do you want to try creating another GPO whilst still using 'winbind'?

Rowland
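A check that follows from the numeric IDs in the listing above, added here as an example (it is not code from the thread or from the Samba project): it scans getfacl output for ACL entries and owner/group lines that the local idmap could not resolve to a name, which is what you want to know before rsync'ing sysvol ACLs to a second DC whose idmap may differ. The /home/samba/sysvol path in the usage comment is taken from the [sysvol] share in the quoted smb.conf; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the Samba project.
# Flags ACL entries whose user/group is shown as a bare number, i.e. an ID the
# local idmap (winbind) could not resolve. Those are the entries that show up
# as "3000008"/"3000000" in the ls output above and that cannot be applied
# consistently on a second DC whose idmap does not know the same IDs.

unresolved_acl_ids() {
    # stdin: output of `getfacl -R <dir>`; stdout: "<file>: <entry>" lines
    awk '
        /^# file: /                          { file = substr($0, 9); next }
        /^# (owner|group): [0-9]+$/          { print file ": " $0; next }
        /^(default:)?(user|group):[0-9]+:/   { print file ": " $0 }
    '
}

# Constructed sample in getfacl format (file names reuse the GUIDs from the
# thread; the IDs mirror the listing after the switch to winbind).
SAMPLE='# file: Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}
# owner: 3000008
# group: 3000008
user::rwx
user:administrator:rwx
group::rwx
group:3000000:rwx
mask::rwx
other::---

# file: Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 3000000
user::rwx
group::rwx
mask::rwx
other::---'

# Runs the check on the constructed sample; on a DC you would instead pipe
#   getfacl -R /home/samba/sysvol | unresolved_acl_ids
# (path assumed from the [sysvol] share above) on both DCs and compare.
check_sample() {
    printf '%s\n' "$SAMPLE" | unresolved_acl_ids
}

check_sample
```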

