[Samba] Permission Issues with GPO
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 17 15:44:20 UTC 2015
Hi Viktor,
>
> Before posting my share permissions, can you please elaborate what you
> mean with "have you removed authenticated users from your share"? I
> never had any rights for "authenticated users" on any of my shares.
Ah sorry, yes, that was "everybody" (my error), keep it.
>
> Maybe I'm setting up shares in the wrong way?
> .....
> [packages]
> path = /srv/samba/packages
> read only = no
> browsable = yes
> comment = "Software Packages"
>
Your config is ok, but I would add
acl_xattr:ignore system acls = yes
to the packages share.
See man smb.conf for what it exactly does, but for a "Windows" only share,
I would always set it.
This is what I have for my distribution share.
[public]
## chmod 755 on /home/samba/public
## rights root:root, but due to the ignore this is ignored..
##
browseable = yes
path = /home/samba/public
read only = no
acl_xattr:ignore system acls = yes
and I added "verified users" to the Security tab with read rights.
Which the domain computers also need.
Greetz,
Louis
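The two share definitions in this message differ in exactly one line, acl_xattr:ignore system acls = yes. As an added example that is not part of this thread, the Python below parses a constructed smb.conf modelled on the quoted fragments and lists, per share, where the acl_xattr module is active without that setting, so an admin can see which shares still have POSIX permissions enforced alongside the Windows-side NT ACL. The sample config and the names parse_smb_conf, effective and check_acl_shares are all assumptions of this example.

```python
import configparser

# Constructed sample modelled on the smb.conf fragments quoted in this thread
# (not a real server's config): [packages] lacks the setting, [public] has it.
SAMPLE_SMB_CONF = """[global]
    idmap config *:backend = tdb
    vfs objects = acl_xattr
    map acl inherit = Yes

[packages]
    path = /srv/samba/packages
    read only = no

[public]
    path = /home/samba/public
    read only = no
    acl_xattr:ignore system acls = yes
"""

def parse_smb_conf(text):
    # Only '=' splits key from value: keys like 'idmap config *:backend' contain ':'.
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def effective(cp, share, key, default=""):
    """Share-level value, falling back to [global] as smbd resolves parameters."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key)
    return default

def check_acl_shares(text):
    """Map each non-global share to findings about its acl_xattr configuration."""
    cp = parse_smb_conf(text)
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        issues = []
        if "acl_xattr" in effective(cp, share, "vfs objects").split():
            # Without 'ignore system acls' the POSIX permissions on the directory are
            # still enforced next to the stored NT ACL (the mismatch [packages] hits).
            ignore = effective(cp, share, "acl_xattr:ignore system acls", "no")
            if ignore.strip().lower() not in ("yes", "true", "1"):
                issues.append("acl_xattr active but 'acl_xattr:ignore system acls' is not yes")
        findings[share] = issues
    return findings
```

Run it against a real smb.conf with check_acl_shares(open("/etc/samba/smb.conf").read()) to get the same per-share report.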
> -----Original message-----
> From: Viktor Trojanovic [mailto:viktor at troja.ch]
> Sent: Tuesday 17 November 2015 16:18
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Permission Issues with GPO
>
> Hi Louis,
>
> As I mentioned, but maybe not clear enough, there is no problem
> accessing my Domain Controller, it works fine, even without using the
> whole domain.
>
> Before posting my share permissions, can you please elaborate what you
> mean with "have you removed authenticated users from your share"? I
> never had any rights for "authenticated users" on any of my shares.
>
> Maybe I'm setting up shares in the wrong way?
>
> [global]
>
> netbios name = FILESERVER
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> username map = /etc/samba/samba_usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config OFFICE:backend = ad
> idmap config OFFICE:schema_mode = rfc2307
> idmap config OFFICE:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = yes
>
>
> [packages]
> path = /srv/samba/packages
> read only = no
> browsable = yes
> comment = "Software Packages"
>
>
>
>
> On 17.11.2015 15:30, L.P.H. van Belle wrote:
> > Let me guess.
> >
> > You're accessing your server like:
> >
> > \\servername\netlogon
> > or
> > \\servername\sysvol
> >
> > Well, that's protected by Windows these days.
> >
> > Try with
> >
> > \\servername.domain.tld\netlogon
> > or
> > \\servername.domain.tld\sysvol
> >
> > Does that work? Yes,
> >
> > There is a whole chapter on this on the list somewhere..
> > Best is to read how to override this.
> > https://adsecurity.org/?p=1405
> >
> > And for your member server, how is your share set up?
> > Did you remove "authenticated users"?
> > If so, best is that you add "domain computer" or authenticated users
> > back.
> > And if you did not remove "authenticated users" from the share.
> >
> > Please post your share setup and rights for the shared folder.
> > AND the rights of the folder below the shared folder.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor
> >> Trojanovic
> >> Sent: Tuesday 17 November 2015 15:01
> >> To: mathias dufresne; samba at lists.samba.org
> >> Subject: Re: [Samba] Permission Issues with GPO
> >>
> >> Hi Mathias,
> >>
> >> The problem is not the GPO itself. The GPO containers are stored, as
> >> they should be, in the file system under sysvol/AD-DOMAIN/Policies, and
> >> they are being accessed correctly by the respective users and
> >> computers.
> >>
> >> Maybe my question isn't phrased perfectly, but my problem is that any
> >> *computer GPO* that is accessing my file server (Samba Member) fails
> >> with an access denied error. To give you an example: I might have a
> >> startup script that is supposed to copy a file from the file server,
> >> let's say an MS Word template, to the AD computer. The GPO itself is
> >> saved on the DC and it is called correctly, but the access to my file
> >> server is being denied; the copy transaction is not happening.
> >>
> >> There is a permission problem and I'm trying to figure out what it is.
> >> The reason I'm posting this here is that I assume there is a link
> >> between my Samba settings on the file server and their connection to
> >> the Samba DC that is responsible for this problem, as this is not
> >> standard behavior.
> >>
> >> Viktor
> >>
> >>
> >>
> >> On 17.11.2015 13:30, mathias dufresne wrote:
> >>> Hey,
> >>>
> >>> If your GPOs are stored in AD (they are not template GPOs with all GPO
> >>> information in some file; I think this kind of non-pure-AD GPO is
> >>> stored in ADMX files, not sure).
> >>> In GPMC.msc you have to define which entities would receive the GPO.
> >>> Once the GPO is created and set up, you have two parts in the right
> >>> panel.
> >>> The bottom part is to define to whom this GPO would be applied.
> >>>
> >>> In that case, GPO ownership should be reset by AD (don't ask me which
> >>> part of AD) if you modify GPO ACLs manually.
> >>>
> >>> In clear: you must use GPMC.msc to manage GPO ACLs. That is, if they
> >>> are not templates.
> >>>
> >>> Hoping this could help to find a solution.
> >>>
> >>> mathias
> >>>
> >>> 2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>:
> >>>
> >>>> I was experiencing problems with Group Policy Objects. The Windows
> >>>> Event Viewer spits out so many different errors, most of them less
> >>>> than helpful, so I was seeking help here with some of those messages.
> >>>>
> >>>> In the end, and after many hours and even days of researching this
> >>>> problem, I seem to have pin-pointed the main issue to some simple
> >>>> permission irregularities that I don't know how to solve.
> >>>>
> >>>> In my setup, I have an AD DC and a member server, the latter in the
> >>>> function of a file server. Both are a Samba-only implementation based
> >>>> on version 4.3.1 of the server.
> >>>>
> >>>> Everything seems to work well enough; I never noticed any issue when
> >>>> working in a user context - I can authenticate, and I can use the file
> >>>> server as intended. But evidently, any policies that require access to
> >>>> the file server in a machine context (computer configuration node of
> >>>> the GPO) fail. I was able to confirm that in multiple tests.
> >>>>
> >>>> I'm at my wit's end as it seems to me that all the necessary share
> >>>> permissions and NTACLs are in place. I even followed the advice I
> >>>> could find on some forum pages to add the group "domain computers" to
> >>>> the share permissions, but that didn't help either.
> >>>>
> >>>> Any advice or best practices? I can't imagine this should be so
> >>>> complicated.
> >>>>
> >>>> Viktor
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>
> >
> >