[Samba] Strange GPO rights samba 4.2.1

L.P.H. van Belle belle at bazuin.nl
Fri Apr 24 04:41:51 MDT 2015


 

>-----Original message-----
>From: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 24 April 2015 12:30
>To: samba at lists.samba.org
>Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>
>On 24/04/15 10:22, L.P.H. van Belle wrote:
>>> -----Original message-----
>>> From: rowlandpenny at googlemail.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>> Sent: Friday 24 April 2015 11:06
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Strange GPO rights samba 4.2.1
>>>
>>> On 24/04/15 09:52, L.P.H. van Belle wrote:
>>>> Hai,
>>>>    
>>>> I'm having a strange thing with Sernet Samba 4.2.1 on Debian Wheezy.
>>>>    
>>>> I installed 2 DCs with my scripts.
>>>>    
>>>> I did set up the sysvol replication and now I'm seeing the following when I create new policies.
>>>>    
>>>> The default GPOs:
>>>> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>    
>>>> The new policy I created:
>>>> drwxrwx---+ 4 domain admins domain admins          4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>>>> Check these strange rights..
>>>> Because of the " domain admins domain admins " rights, and why is user root here created as "domain admins"?
>>>>    
>>>> When I now run:
>>>> /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *"  /home/samba/sysvol root at dc2:/home/samba  &&  /usr/bin/unison
>>>>    
>>>> I'm getting these errors:
>>>>    
>>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
>>>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
>>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
>>>> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
>>>> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
>>>> sysvol/internal.domain.tld/scripts/
>>>>
>>>>
>>>> I created the new policy with the user "Domain\Administrator" from within the Windows tools from a Windows 7 PC as normal..
>>>>    
>>>> Anyone else seen this behavior?
>>>>    
>>>> This is the conf I'm using atm.:
>>>>    
>>>> [global]
>>>>           workgroup = INTERNAL
>>>>           realm = INTERNAL.DOMAIN.TLD
>>>>           netbios name = DC1
>>>>           server role = active directory domain controller
>>>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>           dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>>           auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>>    
>>>>           ## KEEP THIS OFF !! Only used for modifying the AD Schema
>>>>           ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>>>>           dsdb:schema update allowed = no
>>>>    
>>>>           ## Don't forget to set the idmap_ldb on ALL DC's if you use it
>>>>           idmap_ldb:use rfc2307 = yes
>>>>    
>>>>           ## map ids outside the domain to tdb files.
>>>>           idmap config * : backend = tdb
>>>>           idmap config * : range = 2000-9999
>>>>    
>>>>           ## map ids from the domain and (*) the range may not overlap !
>>>>           idmap config BAZRTD : backend = ad
>>>>           idmap config BAZRTD : schema_mode = rfc2307
>>>>           idmap config BAZRTD : range = 10000-3999999
>>>>    
>>>>           winbind nss info = rfc2307
>>>>           winbind trusted domains only = no
>>>>           winbind use default domain = yes
>>>>           winbind expand groups = 3
>>>>    
>>>>           ## When using idmap backend RID enable these
>>>>           ## ( or for users without UID/GID for example administrator )
>>>>           #template shell = /bin/bash
>>>>           #template homedir = /home/users/%ACCOUNTNAME%
>>>>    
>>>>           interfaces = 127.0.0.1 192.168.249.211
>>>>           bind interfaces only = yes
>>>>           time server = yes
>>>>           wins support = yes
>>>>    
>>>>           ## Disable printing completely
>>>>           load printers = no
>>>>           printing = bsd
>>>>           printcap name = /dev/null
>>>>           disable spoolss = yes
>>>>    
>>>> [netlogon]
>>>>           path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>>>>           read only = No
>>>>
>>>> [sysvol]
>>>>           path = /home/samba/sysvol
>>>>           read only = No
>>>>
>>>> [backups]
>>>>           path = /home/samba/backups
>>>>           Browsable = No
>>>>           read only = No
>>>>           acl_xattr:ignore system acl = yes
>>>>
>>>>    
>>>>    
>>>> Greetz,
>>>>    
>>>> Louis
>>>>    
>>> Hi Louis, I wonder if this is down to the use of 'winbindd', there have
>>> been a couple of problems reported that seem to be caused by the use of
>>> it. Do you want to try using the old 'winbind' instead and see if this
>>> cures the problem?
>>>
>>> Rowland
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>> OK, the following is seen.
>> I only changed winbindd to winbind in the smb.conf.
>>
>>
>> ## samba 4.2.1  :  winbindd
>> id administrator
>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>>
>>
>> ## samba 4.2.1  :  winbind
>> id administrator
>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(INTERNAL\Group Policy Creator Owners),3000006(INTERNAL\Enterprise Admins),3000008(INTERNAL\Domain Admins),3000007(INTERNAL\Schema Admins)
>>
>>
>> ls -al in the policies folder now gives..  (## samba 4.2.1  :  winbind)
>>
>> drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
>> drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
>> drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>> drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
>>
>>
>> This does not look right to me..  :-/
>>
>>
>>
>>
>
>Strange, do you want to try creating another GPO whilst still using 'winbind'?
>
>Rowland
>
>

This one was created with winbind:
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
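
As an added check (example code, not from the thread or from Samba), the Python below audits getfacl output from a sysvol Policies directory and flags the two anomalies the listings above show: owner, group or ACL qualifiers left as bare numeric IDs because they did not resolve to a name on the DC, and a GPO directory that is not owned by root like the default ones. The getfacl output embedded in it is constructed from the thread's listings, not real captured output.

```python
# Constructed sample getfacl output modelled on the thread's listings (not real
# captured output): one default GPO directory and the newly created one.
SAMPLE_GETFACL = """\
# file: sysvol/internal.domain.tld/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: BUILTIN\\administrators
user::rwx
group::rwx
group:BUILTIN\\administrators:rwx
mask::rwx
other::---

# file: sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}
# owner: 3000008
# group: BAZRTD\\Domain Admins
user::rwx
group::rwx
group:3000008:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Split getfacl output into one dict per file: file, owner, group, entries."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {"entries": []}
        for line in chunk.splitlines():
            for key in ("file", "owner", "group"):
                if line.startswith(f"# {key}: "):
                    rec[key] = line[len(key) + 4:]
            if line and not line.startswith("#"):
                rec["entries"].append(line)
        records.append(rec)
    return records

def audit(records):
    """Return {path: [issues]}; a numeric ID means the name did not resolve on this DC."""
    problems = {}
    for rec in records:
        issues = [f"{k} {rec[k]} is an unmapped ID" for k in ("owner", "group") if rec[k].isdigit()]
        if rec["owner"] != "root":  # the default GPO directories above are owned by root
            issues.append(f"owner is {rec['owner']}, default GPOs are owned by root")
        for entry in rec["entries"]:
            tag, qualifier, _ = entry.removeprefix("default:").split(":", 2)
            if qualifier.isdigit():
                issues.append(f"ACL entry {entry!r} names an unmapped {tag}")
        if issues:
            problems[rec["file"]] = issues
    return problems
```

On a DC, feed `audit(parse_getfacl(...))` the output of `getfacl -R -p /home/samba/sysvol/internal.domain.tld/Policies` before running the rsync -XA step, so unresolved IDs are caught on the source side rather than as set_acl errors on the receiver.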



