[Samba] Samba4 Disable USB ports

Achim Gottinger achim at ag-web.biz
Fri May 22 07:40:33 MDT 2015


Hello Gabriel,


On 22.05.2015 at 15:23, Gabriel Franca wrote:
> Good morning people,
>
> I make the case that Achim Gottinger passed.
>
> samba-tool ntacl sysvolreset and received the following information:
> Segmentation fault (core of the recorded image)
>
> then sent a samba-tool ntacl sysvolcheck and received the following:
> ERROR (<type 'exceptions.TypeError'>): uncaught exception - (61 'No data available')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1717, in checksysvolacl
>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl
>     xattr.XATTR_NTACL_NAME)
>
> Will this be the source of my problem? hehehehe
>
> Remembering that I'm using Centos 7 and Samba version 
> 4.1.17-Sernet-RedHat-11.el7
>
> Sincerely,
>
> Gabriel Franca
>
>
This error looks like you have not enabled xattrs on the partition where
sysvol resides. In case it is an ext3/4 partition, do you have acl and
user_xattr in the mount options?

What is the output of

attr -l /var/lib/samba/sysvol

Use the location of the sysvol folder on your server in the above example.
On my server I get

Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol

achim~
>
>> On 22/05/2015, at 11:22, Achim Gottinger <achim at ag-web.biz> wrote:
>>
>> Hello Gabriel,
>>
>> I recommend you use
>>
>> gpupdate /force
>>
>> on the windows command line after login.
>> The results of the above command can be checked afterwards with the
>> "gpresult" command.
>>
>> It may be that you have a permission problem on your samba server. I only
>> skimmed over the thread, but did you try
>> samba-tool ntacl sysvolreset
>> on your samba server?
>>
>> achim~
>>
>> On 22.05.2015 at 12:08, Gabriel Franca wrote:
>>> Good morning Daniel,
>>>
>>> The amendment that I spoke have to be done on the server.
>>>
>>> All user created in Samba4 receives the "Domain Users" group as primary.
>>>
>>> I did several tests on the GPO to no avail.
>>>
>>> When I took the User of the "Domain Users" and put in "Domain 
>>> Admins" the GPO to make any changes now operates.
>>>
>>> I believe that because of the "Domain Users" did not have privileges 
>>> to edit the GPO record in the station can not be applied.
>>>
>>> I wonder if the guys who are using Samba 4, is using successfully 
>>> GPOS the "Domain Users"
>>>
>>> Sincerely,
>>>
>>> Gabriel Franca
>>>
>>>
>>>
>>>> On 22/05/2015, at 09:01, Daniel Carrasco Marín <danielmadrid19 at gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com>:
>>>>
>>>> I found it strange more and something I have already noticed a while.
>>>>
>>>> No GPO is applied when the User is the "Domain Users", so I wonder 
>>>> if I'm doing something wrong or I have to change something.
>>>>
>>>> I believe the "Domain Users" are not allowed to change the Windows 
>>>> registry so the issue.
>>>>
>>>> Sincerely,
>>>>
>>>> Gabriel Franca
>>>>
>>>>
>>>> I don't know if it is a Windows problem, but I've got the same
>>>> behavior trying to set Firewall rules. I've fixed the problem by
>>>> changing the "Domain Users" in the GPO "Security Filter" to
>>>> "Authenticated Users" and now it is working fine.
>>>>
>>>> I hope this helps.
>>>>
>>>> Greetings!!
>>>>
>>>>> On 22/05/2015, at 02:31, Neil <nwilson123 at gmail.com> wrote:
>>>>>
>>>>> Good morning everyone,
>>>>>
>>>>> Gabriel: I haven't had a chance to test this yet, but I'm also 
>>>>> needing the same IE: Domain Users to have the GPO applied. Did you 
>>>>> come right with this?
>>>>>
>>>>> Andrey: Thank you for letting me know about the SysVol replication 
>>>>> across DC's, I haven't enabled this yet and will be doing so, is 
>>>>> there anything I should watch out for? I'll just be using the 
>>>>> "https://wiki.samba.org/index.php/SysVol_Replication"
>>>>> because I don't require Bi-Directional Replication.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> Regards.
>>>>>
>>>>> Neil Wilson.
>>>>>
>>>>>
>>>>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca
>>>>> <gabriel.franca at gmail.com> wrote:
>>>>> Good morning friends !!!
>>>>>
>>>>> I am following this topic and performed some tests to validate the 
>>>>> process and noted the following.
>>>>>
>>>>> 1) when the User is the "Domain Users" GPO is not applied.
>>>>>
>>>>> 2) when the user is the "Domain Admins" the GPO is applied.
>>>>>
>>>>> Is there any way to apply the GPOS "Domain Users" ???
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Gabriel Franca
>>>>>
>>>>>
>>>>>> On 20/05/2015, at 09:37, Neil <nwilson123 at gmail.com> wrote:
>>>>>>
>>>>>> Hi Louis,
>>>>>>
>>>>>> Thank you very much for your speedy response. I'll definitely go 
>>>>>> ahead and
>>>>>> investigate further.
>>>>>>
>>>>>> Much appreciated.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> Neil Wilson.
>>>>>>
>>>>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle
>>>>>> <belle at bazuin.nl> wrote:
>>>>>>
>>>>>>> yes, this is possible, by GPO.
>>>>>>>
>>>>>>> In GPO, go to:
>>>>>>> (user or computer )Configuration
>>>>>>>        - Policy
>>>>>>>                – Administrative template
>>>>>>>                        – System
>>>>>>>                                – Removable storage Access
>>>>>>>
>>>>>>> Play with these settings to get what you want.
>>>>>>>
>>>>>>> for Managing Hardware Restrictions via Group Policy read :
>>>>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx
>>>>>>>
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: nwilson123 at gmail.com
>>>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Neil
>>>>>>>> Sent: Wednesday 20 May 2015 12:10
>>>>>>>> To: samba
>>>>>>>> Subject: [Samba] Samba4 Disable USB ports
>>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>>
>>>>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with 
>>>>>>>> another 4
>>>>>>>> Samba4 DC's all joined to the same AD domain myorg.local
>>>>>>>>
>>>>>>>> My client wants me to disable all USB ports for all the users
>>>>>>>> joined to the
>>>>>>>> domain.
>>>>>>>>
>>>>>>>> Is it possible to do this via a group policy so that users
>>>>>>>> logging onto any
>>>>>>>> of the DC's will not be able to use their USB ports?
>>>>>>>>
>>>>>>>> I currently admin my AD with a combination of the samba-tool
>>>>>>>> as well as the
>>>>>>>> AD Users and Groups MMC Windows utility.
>>>>>>>>
>>>>>>>> Any guidance is greatly appreciated.
>>>>>>>>
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>>
>>>>>>>> Neil Wilson
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>
>
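
Added example (not part of the original message, and not Samba project code): a shell check for the acl and user_xattr mount options asked about in the reply at the top of this message, applied to the filesystem that holds sysvol. The function names and the sample mount table are constructed for illustration; "unlisted" means the options are not shown in the table and may still be in effect as filesystem defaults, so `attr -l` on the sysvol path remains the deciding check.

```shell
#!/bin/sh
# Added example; function names and the sample mount table are constructed.

# Print "fstype options" of the mount entry covering path $2, read from the
# mount table $1 (/proc/mounts or /etc/fstab layout). Longest mount point wins.
mount_entry_for() {
    awk -v path="$2" '
        $1 ~ /^#/ || NF < 4 { next }
        {
            mp = $2
            if (mp == "/" || path == mp || index(path, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); out = $3 " " $4 }
        }
        END { if (out == "") exit 1; print out }
    ' "$1"
}

# True if the comma-separated option list $1 contains option $2.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# Classify the filesystem holding path $2:
#   disabled  noacl or nouser_xattr is set
#   enabled   acl and user_xattr are both listed
#   unlisted  neither is shown; they may still apply as filesystem defaults
xattr_acl_status() {
    entry=$(mount_entry_for "$1" "$2") || { echo "no-mount"; return 1; }
    opts=${entry#* }
    if has_opt "$opts" noacl || has_opt "$opts" nouser_xattr; then echo disabled
    elif has_opt "$opts" acl && has_opt "$opts" user_xattr; then echo enabled
    else echo unlisted
    fi
}

# Constructed sample table so the example runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sdb1 /var/lib/samba ext4 rw,relatime,user_xattr,acl,barrier=1 0 0
/dev/sdc1 /srv/old ext3 rw,noacl,nouser_xattr 0 0
EOF

for p in /var/lib/samba/sysvol /srv/old/sysvol /home/user; do
    printf '%s: %s\n' "$p" "$(xattr_acl_status "$SAMPLE" "$p")"
done
# On a live server: xattr_acl_status /proc/mounts /var/lib/samba/sysvol
```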


