[Samba] Clients unable to get group policy...

Rowland Penny rowlandpenny241155 at gmail.com
Tue Jun 30 13:50:40 MDT 2015


On 30/06/15 17:18, Ryan Ashley wrote:
> I hate to revive this, but before I push my client through an upgrade, I
> have to be sure my issue is with ACLs not being supported, as suggested.
> Squeeze does have ACL support.
>
> root@dc01:/samba/var/locks# getfacl sysvol
> # file: sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> root@dc01:/samba/var/locks# uname -r
> 2.6.32-5-amd64
>
> With this information, are we absolutely sure that my issue is somehow
> related to ACL's in Squeeze? The client is against upgrading unless we
> have no other option, but now the problem has spread and is affecting a
> large number, but not all PCs at their location.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 06/15/2015 09:59 AM, Ryan Ashley wrote:
>> Well, here is my plan of action. I will migrate the VMs on the secondary
>> server to the primary one. Then I will zero the RAID10 array, install
>> the latest XenServer, and load a Gentoo VM to build the needed binary
>> packages. I can then create a new DC, promote it to the primary server,
>> move the Windows VMs back to the secondary server, and then wipe and
>> reload the primary box. This way I have an evolving OS which shouldn't
>> be left behind, no systemd, and my problems with Samba should go away.
>> Oh, and I am not blaming Samba for the issues. It has evolved and become
>> better. Debian 6 (Squeeze) has NOT, due to being oldstable and now obsolete.
>>
>> Hey, it will be a learning experience for my assistant. Besides, if I
>> screw something up I can get great help on this list and worst case
>> scenario is I get to build a new domain. Thanks for the help, Rowland
>> and Louis.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 06/12/2015 11:03 AM, Rowland Penny wrote:
>>> On 12/06/15 15:54, L.P.H. van Belle wrote:
>>>> Ok, so if I understand right,
>>>> your sysvol is on a shared folder which is a Debian Squeeze server.
>>>> I think your problem is that the needed ACL can't be set on the Squeeze
>>>> server.
>>> You are probably right Louis.
>>>
>>>> and why not systemd, since gentoo also does systemd
>>>> https://wiki.gentoo.org/wiki/Systemd
>>> Ah but Gentoo only does systemd if you want to, systemd is a cure
>>> looking for a problem, or to put it another way, it is like using a
>>> sledgehammer to crack a nut.
>>>
>>>> and if you really want, just run your install with
>>>>
>>>> preseed/late_command="in-target apt-get install -y sysvinit-core"
>>>> ( see https://wiki.debian.org/systemd#Installing_without_systemd  )
>>> :-D :-D :-D ROFL ROFL
>>>
>>> Have you tried NOT using systemd on Jessie!
>>>
>>>> I've a running Debian Jessie as fileserver, proxy server and mail
>>>> server and I'm really happy with it. ( yes, with systemd )
>>>> much faster boot, well much faster whole OS.. ;-) but that's not
>>>> debated here..
>>>> choose what you like.
>>> 99% of your speed gain has nothing to do with systemd.
>>>
>>> Rowland
>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: ryana at reachtechfp.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>> Sent: Friday 12 June 2015 16:17
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Clients unable to get group policy...
>>>>>
>>>>> Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
>>>>> running. I will NOT be using Debian 8 due to systemd. If I have to do
>>>>> this, we're going to plan a down-time for the client, zero everything,
>>>>> do a fresh XenServer install and install Gentoo 64bit under XS. If that
>>>>> is what must be done, so be it. I can do that. I'll simply have one VM
>>>>> on each physical server which builds the source packages into binary
>>>>> ones for the others to pull. This way Gentoo doesn't bog things down
>>>>> during business hours with compiling updates.
>>>>>
>>>>> Lead IT/IS Specialist
>>>>> Reach Technology FP, Inc
>>>>>
>>>>> On 06/12/2015 09:14 AM, L.P.H. van Belle wrote:
>>>>>> Or upgrade your Xen servers, and a tip for a Jessie install on
>>>>>> Xen 6.2: choose other linux
>>>>>> or upgrade to Xen 6.5 for Jessie support.
>>>>>>
>>>>>> Or you can try upgrading to the latest 3.6 version on Squeeze
>>>>>> ( 3.6.25 )
>>>>>> http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
>>>>>> or even better move up to 4.2.2. ( I advise a Wheezy install
>>>>>> with sernet samba )
>>>>>> and member servers can be Debian Jessie with 4.1.17. That's
>>>>>> what you want.
>>>>>> Which Samba are you using on Squeeze, 3.5.x or the
>>>>>> backported 3.6.6 ?
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>> -----Original message-----
>>>>>>> From: ryana at reachtechfp.com
>>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>>>> Sent: Friday 12 June 2015 14:47
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Clients unable to get group policy...
>>>>>>>
>>>>>>> Anybody? Is my problem that this client is still on Debian 6?
>>>>>>>
>>>>>>> Lead IT/IS Specialist
>>>>>>> Reach Technology FP, Inc
>>>>>>>
>>>>>>> On 06/08/2015 11:25 AM, Ryan Ashley wrote:
>>>>>>>> Rowland, you are correct. I remember now. When we started using
>>>>>>>> XenServer, Wheezy would not work under it. This is a Squeeze
>>>>>>>> installation, not Wheezy. Will Samba no longer work with Squeeze? If so
>>>>>>>> it may be an excuse to upgrade the domain after all these years.
>>>>>>>>
>>>>>>>> On 06/05/2015 11:23 AM, Rowland Penny wrote:
>>>>>>>>> On 05/06/15 16:07, Ryan Ashley wrote:
>>>>>>>>>> I noticed something different on the page you linked. It must be
>>>>>>>>>> outdated or maybe it is set up for a different version of Debian. The
>>>>>>>>>> system runs Debian Wheezy AMD64. The paths referenced do not exist. I
>>>>>>>>>> also checked several other Debian systems and NONE have the
>>>>>>>>>> "x86_64-linux-gnu" directories.
>>>>>>>>>>
>>>>>>>>>> root@dc01:~# uname -r
>>>>>>>>>> 2.6.32-5-amd64
>>>>>>>>>> root@dc01:~# l /lib | grep x86
>>>>>>>>>> lrwxrwxrwx  1 root root      12 Dec 27  2012 ld-linux-x86-64.so.2 -> ld-2.11.3.so
>>>>>>>>>> root@dc01:~# l /usr/lib | grep x86
>>>>>>>>>> root@dc01:~#
>>>>>>>>>>
>>>>>>>>>> Is this the problem? What version of Debian is the guide for? I believe
>>>>>>>>>> Debian 8 was released recently but cannot be sure since it is a systemd
>>>>>>>>>> distro I now use Gentoo. If the guide is for 8, maybe we need one for 7
>>>>>>>>>> since it is supported until the release of 9.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Are you sure it is running wheezy ?
>>>>>>>>>
>>>>>>>>> On my DC:
>>>>>>>>>
>>>>>>>>> root@dc01:~# cat /etc/os-release
>>>>>>>>> PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
>>>>>>>>> NAME="Debian GNU/Linux"
>>>>>>>>> VERSION_ID="7"
>>>>>>>>> VERSION="7 (wheezy)"
>>>>>>>>> ID=debian
>>>>>>>>> ANSI_COLOR="1;31"
>>>>>>>>> HOME_URL="http://www.debian.org/"
>>>>>>>>> SUPPORT_URL="http://www.debian.org/support/"
>>>>>>>>> BUG_REPORT_URL="http://bugs.debian.org/"
>>>>>>>>>
>>>>>>>>> root@dc01:~# uname -r
>>>>>>>>> 3.2.0-4-amd64
>>>>>>>>>
>>>>>>>>> root@dc01:~# ls /lib | grep x86
>>>>>>>>> x86_64-linux-gnu
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> -- 
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>>

Sorry about this, but I think we are going to have to start again; I
cannot remember just exactly what your problem is.

This is the result of running 'getfacl /var/lib/samba/sysvol' on my 
second DC:

root@dc03:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---

As you can see, I have added some extra info: this is what the
xidNumbers are mapped from. So if your xidNumbers map to the same 'well
known SIDs', then there doesn't seem to be much wrong.

You can check your 'idmap.ldb' file with:

    ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

Rowland
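
The check described in the message above, as an added example that is not part of the original post or of Samba: it annotates getfacl output with the SID behind each xidNumber, in the same "--> dn: CN=..." form, and reports ids with no idmap.ldb record, SIDs from the dc03 listing that are absent, and the access `other::` entry. The function names, the getfacl sample and the id 3000025 are constructed for illustration, and the LDIF is reduced to the `dn` and `xidNumber` attributes.

```python
import re

# Constructed LDIF of the kind ldbedit shows for idmap.ldb; the xidNumber/SID
# pairs are the ones in the annotated dc03 listing above.
IDMAP_LDIF = ("dn: CN=S-1-5-32-544\nxidNumber: 3000000\n\n"
              "dn: CN=S-1-5-11\nxidNumber: 3000009\n\n"
              "dn: CN=S-1-5-32-549\nxidNumber: 3000016\n\n"
              "dn: CN=S-1-5-18\nxidNumber: 3000017\n")
# Constructed getfacl output for a hypothetical DC under test (3000025 is made up).
GETFACL = """# file: sysvol
# group: 3000000
user:3000000:rwx
user:3000009:r-x
user:3000025:rwx
group:3000000:rwx
other::rwx
"""
EXPECTED = {"S-1-5-32-544", "S-1-5-11", "S-1-5-32-549", "S-1-5-18"}  # SIDs on dc03
ID_LINE = re.compile(r"^(?:# (?:owner|group): |(?:default:)?(?:user|group):)(\d+)\b")

def parse_idmap(ldif):
    """Return {xidNumber: SID} from LDIF records whose dn is CN=<SID>."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        dn = re.search(r"^dn: CN=(S-[\d-]+)\s*$", record, re.M)
        xid = re.search(r"^xidNumber: (\d+)\s*$", record, re.M)
        if dn and xid:
            mapping[int(xid.group(1))] = dn.group(1)
    return mapping

def audit(getfacl_text, mapping, expected=EXPECTED):
    """Annotate numeric ids with their SID and report what differs from dc03."""
    lines, seen, unmapped = [], set(), set()
    for line in getfacl_text.splitlines():
        m = ID_LINE.match(line)
        if m:
            xid = int(m.group(1))
            sid = mapping.get(xid)
            (seen if sid else unmapped).add(sid or xid)
            line += f" --> dn: CN={sid}" if sid else " --> not in idmap.ldb"
        lines.append(line)
    other = re.search(r"^other::(\S+)", getfacl_text, re.M)
    return {"annotated": lines, "unmapped": sorted(unmapped),
            "missing": sorted(expected - seen), "other": other.group(1) if other else None}

if __name__ == "__main__":
    report = audit(GETFACL, parse_idmap(IDMAP_LDIF))
    print("\n".join(report["annotated"]))
    print({k: v for k, v in report.items() if k != "annotated"})
```

On a real DC the two inputs are the output of getfacl on the sysvol directory and the records in idmap.ldb; an `other` value other than `---` differs from the dc03 listing, where the access entry is `other::---`.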


