[Samba] Strange GPO rights samba 4.2.1

Harry Jede walk2sun at arcor.de
Fri Apr 24 05:16:28 MDT 2015


On 12:41:23, L.P.H. van Belle wrote:
> >-----Original Message-----
> >From: rowlandpenny at googlemail.com
> >[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >Sent: Friday 24 April 2015 11:06
> >To: samba at lists.samba.org
> >Subject: Re: [Samba] Strange GPO rights samba 4.2.1
> >
> >On 24/04/15 09:52, L.P.H. van Belle wrote:
> >> Hi,
> >> 
> >> I'm having a strange thing with sernet samba 4.2.1 on debian wheezy.
> >> 
> >> I installed 2 DCs with my scripts.
> >> 
> >> I did set up the sysvol replication and now I'm seeing the following when I create new policies.
> >
> >> The default GPO's
> >> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
> >> drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
> >> 
> >> The new policy I created.
> >> drwxrwx---+ 4 domain admins domain admins          4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}
> >> 
> >> Check these strange rights..
> >> Because of the "domain admins domain admins" rights, and why is user root here created as "domain admins"?
> >
> >> When I now run:
> >> /usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *"  /home/samba/sysvol root@dc2:/home/samba  &&  /usr/bin/unison
> >> 
> >> I'm getting these errors:
> >> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
> >> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine/
> >> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
> >> sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User/
> >> rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)
> >> sysvol/internal.domain.tld/scripts/
> >> 
> >> 
> >> I created the new policy with the user "Domain\Administrator" from within the Windows tools from a Windows 7 PC as normal..
> >> 
> >> Anyone else seen this behaviour?
> >> 
> >> This is the conf I'm using atm:
> >> 
> >> [global]
> >> 
> >>          workgroup = INTERNAL
> >>          realm = INTERNAL.DOMAIN.TLD
> >>          netbios name = DC1
> >>          server role = active directory domain controller
> >>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
> >
> >>          auth methods = sam, winbind, ntdomain, ntdomain:winbind
> >>          
> >>          ## KEEP THIS OFF !! Only used for modifying the AD Schema ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
> >>          dsdb:schema update allowed = no
> >>          
> >>          ## Don't forget to set the idmap_ldb on ALL DC's if you use it
> >>          idmap_ldb:use rfc2307 = yes
> >>          
> >>          ## map id's outside the domain to tdb files.
> >>          idmap config * : backend = tdb
> >>          idmap config * : range = 2000-9999
> >>          
> >>          ## map ids from the domain and (*) the range may not overlap !
> >>          idmap config BAZRTD : backend = ad
> >>          idmap config BAZRTD : schema_mode = rfc2307
> >>          idmap config BAZRTD : range = 10000-3999999
> >>          
> >>          winbind nss info = rfc2307
> >>          winbind trusted domains only = no
> >>          winbind use default domain = yes
> >>          winbind expand groups = 3
> >>          
> >>          ## When using idmap backend RID enable these
> >>          ## ( or for users without UID/GID for example administrator )
> >>          #template shell = /bin/bash
> >>          #template homedir = /home/users/%ACCOUNTNAME%
> >>          
> >>          interfaces = 127.0.0.1 192.168.249.211
> >>          bind interfaces only = yes
> >>          time server = yes
> >>          wins support = yes
> >>          
> >>          ## Disable printing completely
> >>          load printers = no
> >>          printing = bsd
> >>          printcap name = /dev/null
> >>          disable spoolss = yes
> >> 
> >> [netlogon]
> >> 
> >>          path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
> >>          read only = No
> >> 
> >> [sysvol]
> >> 
> >>          path = /home/samba/sysvol
> >>          read only = No
> >> 
> >> [backups]
> >> 
> >>          path = /home/samba/backups
> >>          Browsable = No
> >>          read only = No
> >>          acl_xattr:ignore system acl = yes
> >> 
> >> Greetz,
> >> 
> >> Louis
> >
> >Hi Louis, I wonder if this is down to the use of 'winbindd'; there have been a couple of problems reported that seem to be caused by the use of it. Do you want to try using the old 'winbind' instead and see if this cures the problem?
> >
> >Rowland
> 
> OK, the following is seen.
> Only changed winbindd to winbind in the smb.conf.

I've reformatted and ordered the output from your "id administrator" command. One may see that a lot of things are broken now.

> ## samba 4.2.1  :  winbindd
id administrator
uid=0(root) gid=100(users)
 groups=
0(root),
100(users),
3000000(BUILTIN\administrators),
3000004(group policy creator owners),
3000005(denied rodc password replication group),
3000006(enterprise admins),
3000007(schema admins),
3000008(domain admins),
3000009(BUILTIN\users)


> ## samba 4.2.1  :  winbind
id administrator
uid=0(root) gid=100(users)
 groups=
0(root),
100(users),
3000004(INTERNAL\Group Policy Creator Owners),
3000006(INTERNAL\Enterprise Admins),
3000007(INTERNAL\Schema Admins),
3000008(INTERNAL\Domain Admins)

"winbind" shows less groups then "winbindd".
"winbind" has changed the name from BUILTIN to INTERNAL.

"winbindd" uses lower case names, probably unix names instead of windows names.
"winbindd" dropes sometimes BUILTIN.
 
> ls -al in the policies folder now gives..  (## samba 4.2.1  :  winbind) 

drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}

According to the above outputs from id:
 3000008 is a group, not a person!
 Administrator should be the owner here, not root.

> This does not look right to me..  :-/


-- 

Regards
	Harry Jede
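As an added example (not code from this thread, nor from Samba), the following POSIX shell check automates what Harry does by eye above: it takes the group IDs from an `id` listing and flags every directory in a Policies listing whose owner is one of those group IDs (so a group, not an account, owns the GPO) or whose owner or group is a bare number that did not resolve to a name. The two inputs are constructed from the lines quoted in the thread, not live captures; the function names are mine, and the check assumes, as Harry's reasoning does, that uids and gids on the DC come from one numbering space, so a uid that equals a known gid is the group itself.

```shell
#!/bin/sh
# Added example: sanity-check sysvol Policies ownership before syncing
# ACLs between DCs. Not code from the thread or from Samba.

# Constructed from the `id administrator` output quoted above (winbindd run).
ID_OUTPUT='uid=0(root) gid=100(users) groups=0(root),100(users),3000000(BUILTIN\administrators),3000004(group policy creator owners),3000005(denied rodc password replication group),3000006(enterprise admins),3000007(schema admins),3000008(domain admins),3000009(BUILTIN\users)'

# Constructed from the `ls -al` Policies listing quoted above (winbind run).
LS_OUTPUT='drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 11:18 {1AA13E10-F89C-44FA-82B1-8FBCF5E4099C}
drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root                 3000000 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 BAZRTD\Domain Admins 4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}'

# gids_from_id ID_TEXT
# Print one numeric gid per line: the primary gid plus every entry of the
# "groups=" list. The uid= token is dropped so a user id is never mistaken
# for a group id.
gids_from_id() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' \
        | sed -n -e '/^uid=/d' -e 's/^groups=//' -e 's/^gid=//' \
                 -e 's/^\([0-9][0-9]*\)(.*$/\1/p' \
        | sort -u
}

# check_policies ID_TEXT LS_TEXT
# For each `ls -l` line print "<name> <reason>" when the owner is a known
# group id, or when owner/group are unresolved numbers. Group names may
# contain spaces ("BAZRTD\Domain Admins"), so the group is taken as every
# field between the owner and the five trailing size/date/name fields.
check_policies() {
    gids=$(gids_from_id "$1")
    printf '%s\n' "$2" | awk -v gids="$gids" '
    BEGIN {
        n = split(gids, g, "\n")
        for (i = 1; i <= n; i++) isgid[g[i]] = 1
    }
    NF >= 9 {
        owner = $3
        group = $4
        for (i = 5; i <= NF - 5; i++) group = group " " $i
        name = $NF
        if (owner ~ /^[0-9]+$/ && (owner in isgid))
            print name " owner " owner " is a group id (not an account)"
        else if (owner ~ /^[0-9]+$/)
            print name " owner " owner " does not resolve to a name"
        if (group ~ /^[0-9]+$/)
            print name " group " group " does not resolve to a name"
    }'
}

# Run against the constructed inputs; on a DC you would feed in
# `id administrator` and `ls -l /home/samba/sysvol/<realm>/Policies`.
check_policies "$ID_OUTPUT" "$LS_OUTPUT"
```

On the sample input this reports the two new GPO directories as owned by gid 3000008 (the "domain admins" group) and the two default GPO directories as having an unresolved group 3000000, which is exactly the pair of observations Harry draws from the listing. Running it on both DCs before an `rsync -A` shows whether the IDs inside the ACLs even have a name on the receiving side.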

