[Samba] Permission Issues with GPO
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Nov 17 17:05:42 UTC 2015
On 17/11/15 16:57, Viktor Trojanovic wrote:
> Hi Mathias,
>
> Thanks for replying. It seems you're describing the situation on the
> AD DC. Computer and user mode access to my DC works fine and without
> any issues but I can't access the shares of my *member* server *in
> computer mode*. In user mode, it all works just fine.
>
> Viktor
>
> On 17.11.2015 17:19, mathias dufresne wrote:
>> Here is my (little) view regarding share access. I write that to
>> clarify things. And it could really be off-topic as Louis seems to
>> have given a solution.
>>
>> There are 2 levels of authorisation for accessing shares: the share
>> level and the FS level.
>>
>> For Sysvol I would keep everyone or replace it by "authenticated
>> users" in paranoid mode as the latter refuses non-authenticated users.
>> These are ACLs placed on shares.
>>
>> Doing that, all users or only authenticated users can access the share
>> (i.e. mount it).
>>
>> Now the FS level happens once the share is mounted (or accessed) and one
>> system user tries to open some file or directory.
>> These are ACLs on files and directories.
>>
>> Any user (or computer) must go through these two levels of ACLs to
>> access files or directories.
>>
>> Now regarding GPO ACLs, which are partly hosted on Sysvol, the same
>> concept applies: Sysvol share ACLs + file ACLs on the FS.
>>
>> Regarding ACLs for GPO files, if the GPO was created with GPMC.msc,
>> the GPO is mainly stored in AD (don't ask me what resides on Sysvol)
>> and the correct ACLs for the GPO's files are also stored in AD.
>> I say that because I naively tried to modify ACLs on my
>> GPMC.msc-created GPO and these changes were automatically reset to
>> the ones declared in AD.
>>
>> Perhaps that could help someone...
>>
>> Cheers,
>>
>> mathias
>>
>>
>>
>>
>> 2015-11-17 16:44 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>>> Hai Viktor,
>>>
>>>> Before posting my share permissions, can you please elaborate what you
>>>> mean with "have you removed authenticated users from your share"? I
>>>> never had any rights for "authenticated users" on any of my shares.
>>> Ah sorry, yes, that was "everybody" (my error), keep it.
>>>
>>>> Maybe I'm setting up shares in the wrong way?
>>>> .....
>>>> [packages]
>>>> path = /srv/samba/packages
>>>> read only = no
>>>> browsable = yes
>>>> comment = "Software Packages"
>>>>
>>> Your config is ok, but I would add
>>> acl_xattr:ignore system acls = yes
>>> to the packages share.
>>>
>>> See man smb.conf for what it exactly does, but for a "windows"-only
>>> share, I would always set it.
>>>
>>> This is what I have for my distribution share.
>>>
>>> [public]
>>> ## chmod 755 on /home/samba/public
>>> ## rights root:root, but due to the ignore this is ignored..
>>> ##
>>> browseable = yes
>>> path = /home/samba/public
>>> read only = no
>>> acl_xattr:ignore system acls = yes
>>>
>>>
>>> and I added "verified users" to the security tab with read rights,
>>> which the domain computers also need.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: Viktor Trojanovic [mailto:viktor at troja.ch]
>>>> Sent: Tuesday 17 November 2015 16:18
>>>> To: L.P.H. van Belle; samba at lists.samba.org
>>>> Subject: Re: [Samba] Permission Issues with GPO
>>>>
>>>> Hi Louis,
>>>>
>>>> As I mentioned, but maybe not clear enough, there is no problem
>>>> accessing my Domain Controller, it works fine, even without using the
>>>> whole domain.
>>>>
>>>> Before posting my share permissions, can you please elaborate what you
>>>> mean with "have you removed authenticated users from your share"? I
>>>> never had any rights for "authenticated users" on any of my shares.
>>>>
>>>> Maybe I'm setting up shares in the wrong way?
>>>>
>>>> [global]
>>>>
>>>> netbios name = FILESERVER
>>>> workgroup = SAMDOM
>>>> security = ADS
>>>> realm = SAMDOM.EXAMPLE.COM
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> username map = /etc/samba/samba_usermap
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-9999
>>>> idmap config OFFICE:backend = ad
>>>> idmap config OFFICE:schema_mode = rfc2307
>>>> idmap config OFFICE:range = 10000-99999
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = Yes
>>>>
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = yes
>>>>
>>>>
>>>> [packages]
>>>> path = /srv/samba/packages
>>>> read only = no
>>>> browsable = yes
>>>> comment = "Software Packages"
>>>>
>>>>
>>>>
>>>>
>>>> On 17.11.2015 15:30, L.P.H. van Belle wrote:
>>>>> Let me guess.
>>>>>
>>>>> You are accessing your server like:
>>>>>
>>>>> \\servername\netlogon
>>>>> or
>>>>> \\servername\sysvol
>>>>>
>>>>> Well, that's protected by Windows these days.
>>>>>
>>>>> Try with
>>>>>
>>>>> \\servername.domain.tld\netlogon
>>>>> or
>>>>> \\servername.domain.tld\sysvol
>>>>>
>>>>> Does that work? Yes,
>>>>>
>>>>> There is a whole chapter on this on the list somewhere..
>>>>> Best is to read how to override this.
>>>>> https://adsecurity.org/?p=1405
>>>>>
>>>>> And for your member server, how is your share set up?
>>>>> Did you remove "authenticated users"?
>>>>> If so, best is that you add "domain computers" or authenticated users
>>>>> back.
>>>>> And if you did not remove "authenticated users" from the share:
>>>>>
>>>>> Please post your share setup and rights for the shared folder.
>>>>> AND the rights of the folder below the shared folder.
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor
>>>>>> Trojanovic
>>>>>> Sent: Tuesday 17 November 2015 15:01
>>>>>> To: mathias dufresne; samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Permission Issues with GPO
>>>>>>
>>>>>> Hi Mathias,
>>>>>>
>>>>>> The problem is not the GPO itself. The GPO containers are stored, as
>>>>>> they should be, in the file system under sysvol/AD-DOMAIN/Policies,
>>>>>> and they are being accessed correctly by the respective users and
>>>>>> computers.
>>>>>> Maybe my question isn't phrased perfectly but my problem is that any
>>>>>> *computer GPO* that is accessing my file server (Samba member) fails
>>>>>> with an access denied error. To give you an example: I might have a
>>>>>> startup script that is supposed to copy a file from the file server,
>>>>>> let's say an MS Word template, to the AD computer. The GPO itself is
>>>>>> saved on the DC and it is called correctly but the access to my file
>>>>>> server is being denied, the copy transaction is not happening.
>>>>>>
>>>>>> There is a permission problem and I'm trying to figure out what it is.
>>>>>> The reason I'm posting this here is because I assume there is a link
>>>>>> between my Samba settings on the file server, and their connection to
>>>>>> the Samba DC, that is responsible for this problem as this is not
>>>>>> standard behavior.
>>>>>>
>>>>>> Viktor
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 17.11.2015 13:30, mathias dufresne wrote:
>>>>>>> Hey,
>>>>>>>
>>>>>>> If your GPOs are stored in AD (they are not template GPOs with all
>>>>>>> GPO information in some file; I think this kind of non-pure-AD GPO
>>>>>>> is stored in ADMX files, not sure).
>>>>>>> In GPMC.msc you have to define which entities would receive the
>>>>>>> GPO. Once the GPO is created and set up, you have two parts in the
>>>>>>> right panel. The bottom part is to define to whom this GPO would be
>>>>>>> applied.
>>>>>>>
>>>>>>> In that case, GPO ownership should be reset by AD (don't ask me
>>>>>>> which part of AD) if you modify GPO ACLs manually.
>>>>>>>
>>>>>>> In clear: you must use GPMC.msc to manage GPO ACLs. That is, if
>>>>>>> they are not templates.
>>>>>>>
>>>>>>> Hoping this could help to find a solution.
>>>>>>>
>>>>>>> mathias
>>>>>>>
>>>>>>> 2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>:
>>>>>>>
>>>>>>>> I was experiencing problems with Group Policy Objects. The Windows
>>>>>>>> Event Viewer spits out so many different errors, most of them less
>>>>>>>> than helpful, so I was seeking help here with some of those messages.
>>>>>>>>
>>>>>>>> In the end, and after many hours and even days of researching this
>>>>>>>> problem, I seem to have pinpointed the main issue to some simple
>>>>>>>> permission irregularities that I don't know how to solve.
>>>>>>>>
>>>>>>>> In my setup, I have an AD DC and a member server, the latter in the
>>>>>>>> function of a file server. Both are a Samba-only implementation
>>>>>>>> based on version 4.3.1 of the server.
>>>>>>>>
>>>>>>>> Everything seems to work well enough, I never noticed any issue when
>>>>>>>> working in a user context - I can authenticate, and I can use the
>>>>>>>> file server as intended. But evidently, any policies that require
>>>>>>>> access to the file server in a machine context (computer
>>>>>>>> configuration node of the GPO) fail. I was able to confirm that in
>>>>>>>> multiple tests.
>>>>>>>>
>>>>>>>> I'm at my wit's end as it seems to me that all the necessary share
>>>>>>>> permissions and NTACLs are in place. I even followed the advice I
>>>>>>>> could find on some forum pages to add the group "domain computers"
>>>>>>>> to the share permissions but that didn't help either.
>>>>>>>>
>>>>>>>> Any advice or best practices? I can't imagine this should be so
>>>>>>>> complicated.
>>>>>>>>
>>>>>>>> Viktor
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>
>>>
>>>
>
>
Can we have a look at your smb.conf from your domain member?
Rowland
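As an added example (not part of the thread, and not Samba's own tooling), a small POSIX shell audit that checks a member server's smb.conf for the two settings Louis recommends above: `vfs objects = acl_xattr` in [global] and `acl_xattr:ignore system acls = yes` on each share. The sample config is constructed from Viktor's and Louis's snippets, and the function names are my own.

```shell
#!/bin/sh
# Audit helper added here, not from the thread: scan an smb.conf for the
# two settings discussed above ("vfs objects = acl_xattr" in [global] and
# "acl_xattr:ignore system acls = yes" on every share). Assumes the usual
# "key = value" layout; section names are compared case-insensitively.

# Constructed sample: Viktor's [global]/[packages] plus Louis's [public].
SAMPLE_CONF='[global]
   netbios name = FILESERVER
   vfs objects = acl_xattr
   map acl inherit = Yes

[packages]
   path = /srv/samba/packages
   read only = no
   browsable = yes

[public]
   path = /home/samba/public
   read only = no
   acl_xattr:ignore system acls = yes
'

# Reads smb.conf on stdin; prints "<share> ok" or "<share> missing" per share.
audit_ignore_system_acls() {
    awk '
        function flush() {
            if (sec != "" && sec != "global") print sec, (seen ? "ok" : "missing")
        }
        /^[ \t]*\[/ { flush(); sec = tolower($0)
                      sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                      seen = 0; next }
        /^[ \t]*acl_xattr:ignore system acls[ \t]*=[ \t]*([Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1)/ { seen = 1 }
        END { flush() }'
}

# Reads smb.conf on stdin; exit status 0 if [global] loads the acl_xattr module.
global_has_acl_xattr() {
    awk '
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && /^[ \t]*vfs objects[ \t]*=/ && /acl_xattr/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

printf '%s' "$SAMPLE_CONF" | audit_ignore_system_acls
printf '%s' "$SAMPLE_CONF" | global_has_acl_xattr && echo "global: acl_xattr loaded"
```

Run it against a real file with `audit_ignore_system_acls < /etc/samba/smb.conf`; shares reported as "missing" still fall back to the POSIX mode bits and ownership on the directory, which is where a machine account with no matching Unix identity gets access denied.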