[Samba] Permission Issues with GPO

L.P.H. van Belle belle at bazuin.nl
Tue Nov 17 15:44:20 UTC 2015


Hi Viktor,

> 
> Before posting my share permissions, can you please elaborate what you
> mean with "have you removed authenticated users from your share"? I
> never had any rights for "authenticated users" on any of my shares.

Ah, sorry, yes, that was "everybody" (my error); keep it.

> 
> Maybe I'm setting up shares in the wrong way?
> .....   
> [packages]
>    path = /srv/samba/packages
>    read only = no
>    browsable = yes
>    comment = "Software Packages"
> 

Your config is OK, but I would add

acl_xattr:ignore system acls = yes

to the packages share.

See man smb.conf for what it exactly does, but for a "Windows"-only share
I would always set it.

This is what I have for my distribution share.

[public]
## chmod 755 on /home/samba/public
## owner root:root, but because of "acl_xattr:ignore system acls = yes" below
## the POSIX rights are ignored.
    browseable = yes
    path = /home/samba/public
    read only = no
    acl_xattr:ignore system acls = yes


and I added "Authenticated Users" to the security tab with read rights,
which the domain computers also need.


Greetz, 

Louis
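As an added example (not from the thread, and not Samba's own tooling), here is a small lint that parses an smb.conf fragment the way smbd reads it (share-level keys override [global]) and reports, per share, whether vfs_acl_xattr is loaded and whether the per-share line Louis recommends is in effect. The two config fragments are constructed from Viktor's posted [global] and [packages] sections, once as posted and once with the extra line added; the function names are this example's own.

```python
# Added example: audit smb.conf shares for the acl_xattr settings discussed
# above. Parser and check are this example's own code, not part of Samba.


def parse_smb_conf(text):
    """Parse an smb.conf fragment into {section: {key: value}}.

    Section names and keys are lower-cased and internal whitespace in keys is
    collapsed, so "Read Only" and "read only" compare equal. Lines starting
    with '#' or ';' are comments. Later duplicate keys win, as in smbd.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore it
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective(sections, share, key):
    """Share-level value wins; otherwise inherit from [global]; None if unset."""
    return sections.get(share, {}).get(key, sections.get("global", {}).get(key))


def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_shares(text):
    """Return {share: [findings]} for every file share in the fragment."""
    sections = parse_smb_conf(text)
    findings = {}
    for share in sections:
        if share in ("global", "printers"):
            continue
        vfs = (effective(sections, share, "vfs objects") or "").lower().split()
        notes = []
        if "acl_xattr" not in vfs:
            notes.append("vfs_acl_xattr not loaded: ACLs set from the Windows "
                         "security tab are mapped onto POSIX permissions instead "
                         "of being stored as NT ACLs")
        elif not is_yes(effective(sections, share, "acl_xattr:ignore system acls")):
            notes.append("acl_xattr:ignore system acls is not 'yes': the POSIX "
                         "owner/mode of the path are still enforced in addition "
                         "to the stored NT ACL")
        findings[share] = notes
    return findings


# Constructed from the member-server config posted in the thread.
MEMBER_CONF = """
[global]
   netbios name = FILESERVER
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = yes

[packages]
   path = /srv/samba/packages
   read only = no
   browsable = yes
   comment = "Software Packages"
"""

# The same fragment with the per-share line Louis suggests added to [packages].
MEMBER_CONF_FIXED = MEMBER_CONF.replace(
    'comment = "Software Packages"',
    'comment = "Software Packages"\n   acl_xattr:ignore system acls = yes')


if __name__ == "__main__":
    for label, conf in (("as posted", MEMBER_CONF), ("with fix", MEMBER_CONF_FIXED)):
        print(label)
        for share, notes in audit_shares(conf).items():
            print("  [%s]: %s" % (share, notes or ["ok"]))
```

Run it against a real /etc/samba/smb.conf by reading the file into `audit_shares`; a share that sets `acl_xattr:ignore system acls = no` itself still shows the finding even when [global] says yes, because the share-level key takes precedence.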


> -----Original Message-----
> From: Viktor Trojanovic [mailto:viktor at troja.ch]
> Sent: Tuesday, 17 November 2015 16:18
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Permission Issues with GPO
> 
> Hi Louis,
> 
> As I mentioned, but maybe not clear enough, there is no problem
> accessing my Domain Controller, it works fine, even without using the
> whole domain.
> 
> Before posting my share permissions, can you please elaborate what you
> mean with "have you removed authenticated users from your share"? I
> never had any rights for "authenticated users" on any of my shares.
> 
> Maybe I'm setting up shares in the wrong way?
> 
> [global]
> 
>    netbios name = FILESERVER
>    workgroup = SAMDOM
>    security = ADS
>    realm = SAMDOM.EXAMPLE.COM
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    username map = /etc/samba/samba_usermap
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>    idmap config OFFICE:backend = ad
>    idmap config OFFICE:schema_mode = rfc2307
>    idmap config OFFICE:range = 10000-99999
> 
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
> 
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = yes
> 
> 
> [packages]
>    path = /srv/samba/packages
>    read only = no
>    browsable = yes
>    comment = "Software Packages"
> 
> 
> 
> 
> On 17.11.2015 15:30, L.P.H. van Belle wrote:
> > Let me guess.
> >
> > You accessing your server like :
> >
> > \\servername\netlogon
> > or
> > \\servername\sysvol
> >
> > Well, that's protected by Windows these days.
> >
> > Try with
> >
> > \\servername.domain.tld\netlogon
> > or
> > \\servername.domain.tld\sysvol
> >
> > Does that work? Yes,
> >
> > There is a whole chapter on this on the list somewhere..
> > Best is to read how to override this.
> > https://adsecurity.org/?p=1405
> >
> > and for your member server, how is your share set up?
> > Did you remove "authenticated users"?
> > If so, best is that you add "domain computers" or authenticated users
> back.
> > And if you did not remove "authenticated users" from the share:
> >
> > Please post your share setup and rights for the shared folder.
> > AND the rights of the folder below the shared folder.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor
> Trojanovic
> >> Sent: Tuesday, 17 November 2015 15:01
> >> To: mathias dufresne; samba at lists.samba.org
> >> Subject: Re: [Samba] Permission Issues with GPO
> >>
> >> Hi Mathias,
> >>
> >> The problem is not the GPO itself. The GPO containers are stored, as
> >> they should be, in the file system under sysvol/AD-DOMAIN/Policies, and
> >> they are being accessed correctly by the respective users and
> computers.
> >>
> >> Maybe my question isn't phrased perfectly but my problem is that any
> >> *computer GPO* that is accessing my file server (Samba Member), fails
> >> with an access denied error. To give you an example. I might have a
> >> startup script that is supposed to copy a file from the file server,
> >> let's say an MS Word template, to the AD computer. The GPO itself is
> >> saved on the DC and it is called correctly but the access to my file
> >> server is being denied, the copy transaction is not happening.
> >>
> >> There is a permission problem and I'm trying to figure out what it is.
> >> The reason I'm posting this here is because I assume there is a link
> >> between my Samba settings on the file server, and their connection to
> >> the Samba DC that are responsible for this problem as this is not
> >> standard behavior.
> >>
> >> Viktor
> >>
> >>
> >>
> >> On 17.11.2015 13:30, mathias dufresne wrote:
> >>> Hey,
> >>>
> >>> If your GPOs are stored in AD (they are not template GPOs with all GPO
> >>> information in some file; I think this kind of non-pure-AD GPO is
> >> stored
> >>> in ADMX files, not sure).
> >>> In GPMC.msc you have to define which entities would receive the GPO.
> >> Once
> >>> the GPO is created, once it is set up, you have in the right panel two
> >> parts.
> >>> The bottom part is to define to whom this GPO would be applied.
> >>>
> >>> In that case, GPO ownership should be reset by AD (don't ask me
> which
> >>> part of AD) if you modify GPO ACLs manually.
> >>>
> >>> In clear: you must use GPMC.msc to manage GPO ACLs. This is if they are
> not
> >>> templates.
> >>>
> >>> Hoping this could help to find a solution.
> >>>
> >>> mathias
> >>>
> >>> 2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>:
> >>>
> >>>> I was experiencing problems with Group Policy Objects. The Windows
> >> Event
> >>>> Viewer spits out so many different errors, most of them less than
> >> helpful,
> >>>> so I was seeking help here with some of those messages.
> >>>>
> >>>> In the end, and after many hours and even days of researching this
> >>>> problem, I seem to have pin-pointed the main issue to some simple
> >>>> permission irregularities that I don't know how to solve.
> >>>>
> >>>> In my setup, I have an AD DC and a member server, the latter in the
> >>>> function of a file server. Both are a Samba-only implementation based
> >> on
> >>>> version 4.3.1 of the server.
> >>>>
> >>>> Everything seems to work well enough, I never noticed any issue when
> >>>> working in a user context - I can authenticate, and I can use the
> file
> >>>> server as intended. But evidently, any policies that require access
> to
> >> the
> >>>> file server in a machine context (computer configuration node of the
> >> GPO),
> >>>> fail. I was able to confirm that in multiple tests.
> >>>>
> >>>> I'm at my wit's end as it seems to me that all the necessary share
> >>>> permissions and NTACLs are in place. I even followed the advice I
> could
> >>>> find on some forum pages to add the group "domain computers" to the
> >> share
> >>>> permissions but that didn't help either.
> >>>>
> >>>> Any advice or best practices? I can't imagine this should be so
> >>>> complicated.
> >>>>
> >>>> Viktor
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>
> >
> >
