[Samba] Permission Issues with GPO

Viktor Trojanovic viktor at troja.ch
Tue Nov 17 17:33:13 UTC 2015



On 17.11.2015 18:05, Rowland Penny wrote:
> On 17/11/15 16:57, Viktor Trojanovic wrote:
>> Hi Mathias,
>>
>> Thanks for replying. It seems you're describing the situation on the 
>> AD DC. Computer and user mode access to my DC works fine and without 
>> any issues but I can't access the shares of my *member* server *in 
>> computer mode*. In user mode, it all works just fine.
>>
>> Viktor
>>
>> On 17.11.2015 17:19, mathias dufresne wrote:
>>> Here is my (little) view regarding share access. I write that to
>>> clarify things. And it could really be off-topic as Louis seems to
>>> have given a solution.
>>>
>>> There are 2 levels of authorisation for accessing shares: the share
>>> level and the FS level.
>>>
>>> For Sysvol I would keep everyone or replace it by "authenticated
>>> users" in paranoid mode as the latter refuses non-authenticated users.
>>> They are ACLs placed on Shares.
>>>
>>> Doing that, all users or only authenticated users can access the
>>> share (i.e. mount it).
>>>
>>> Now the FS level happens once the share is mounted (or accessed) and
>>> one system user tries to open some file or directory.
>>> They are ACLs on files and directories.
>>>
>>> Any user (or computer) must go across these two levels of ACLs to
>>> access files or directories.
>>>
>>> Now regarding GPO ACLs which are partly hosted on Sysvol the same
>>> concept applies: Sysvol share ACLs + File on FS ACLs.
>>>
>>> Regarding ACLs for GPO files, if the GPO was created with GPMC.msc,
>>> the GPO is mainly stored in AD (don't ask me what resides on Sysvol)
>>> and in AD are also stored correct ACLs on GPO's files.
>>> I said that because I naively tried to modify ACLs on my
>>> GPMC.msc-created GPO and these changes were automatically reset to
>>> the ones declared in AD.
>>>
>>> Perhaps that could help someone...
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>>
>>> 2015-11-17 16:44 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>
>>>> Hai Viktor,
>>>>
>>>>> Before posting my share permissions, can you please elaborate what
>>>>> you mean with "have you removed authenticated users from your share"? I
>>>>> never had any rights for "authenticated users" on any of my shares.
>>>> Ah sorry, yes, that was "everybody" (my error), keep it.
>>>>
>>>>> Maybe I'm setting up shares in the wrong way?
>>>>> .....
>>>>> [packages]
>>>>>     path = /srv/samba/packages
>>>>>     read only = no
>>>>>     browsable = yes
>>>>>     comment = "Software Packages"
>>>>>
>>>> Your config is ok, but I would add
>>>> acl_xattr:ignore system acls = yes
>>>> to the packages share.
>>>>
>>>> See man smb.conf for what it exactly does, but for a "windows" only
>>>> share, I would always set it.
>>>>
>>>> This is what I have for my distribution share.
>>>>
>>>> [public]
>>>> ## chmod 755 on /home/samba/public
>>>> ## rights root:root, but due to the ignore this is ignored..
>>>> ##
>>>>      browseable = yes
>>>>      path = /home/samba/public
>>>>      read only = no
>>>>      acl_xattr:ignore system acls = yes
>>>>
>>>>
>>>> and I added "verified users" to the security tab with read rights.
>>>> Which the domain computers also need.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: Viktor Trojanovic [mailto:viktor at troja.ch]
>>>>> Sent: Tuesday, 17 November 2015 16:18
>>>>> To: L.P.H. van Belle; samba at lists.samba.org
>>>>> Subject: Re: [Samba] Permission Issues with GPO
>>>>>
>>>>> Hi Louis,
>>>>>
>>>>> As I mentioned, but maybe not clear enough, there is no problem
>>>>> accessing my Domain Controller, it works fine, even without using the
>>>>> whole domain.
>>>>>
>>>>> Before posting my share permissions, can you please elaborate what
>>>>> you mean with "have you removed authenticated users from your share"? I
>>>>> never had any rights for "authenticated users" on any of my shares.
>>>>>
>>>>> Maybe I'm setting up shares in the wrong way?
>>>>>
>>>>> [global]
>>>>>
>>>>>     netbios name = FILESERVER
>>>>>     workgroup = SAMDOM
>>>>>     security = ADS
>>>>>     realm = SAMDOM.EXAMPLE.COM
>>>>>     dedicated keytab file = /etc/krb5.keytab
>>>>>     kerberos method = secrets and keytab
>>>>>
>>>>>     username map = /etc/samba/samba_usermap
>>>>>
>>>>>     idmap config *:backend = tdb
>>>>>     idmap config *:range = 2000-9999
>>>>>     idmap config OFFICE:backend = ad
>>>>>     idmap config OFFICE:schema_mode = rfc2307
>>>>>     idmap config OFFICE:range = 10000-99999
>>>>>
>>>>>     winbind nss info = rfc2307
>>>>>     winbind trusted domains only = no
>>>>>     winbind use default domain = yes
>>>>>     winbind enum users  = yes
>>>>>     winbind enum groups = yes
>>>>>     winbind refresh tickets = Yes
>>>>>
>>>>>     vfs objects = acl_xattr
>>>>>     map acl inherit = Yes
>>>>>     store dos attributes = yes
>>>>>
>>>>>
>>>>> [packages]
>>>>>     path = /srv/samba/packages
>>>>>     read only = no
>>>>>     browsable = yes
>>>>>     comment = "Software Packages"
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 17.11.2015 15:30, L.P.H. van Belle wrote:
>>>>>> Let me guess.
>>>>>>
>>>>>> You're accessing your server like:
>>>>>>
>>>>>> \\servername\netlogon
>>>>>> or
>>>>>> \\servername\sysvol
>>>>>>
>>>>>> Well, that's protected by Windows these days.
>>>>>>
>>>>>> Try with
>>>>>>
>>>>>> \\servername.domain.tld\netlogon
>>>>>> or
>>>>>> \\servername.domain.tld\sysvol
>>>>>>
>>>>>> Does that work? Yes,
>>>>>>
>>>>>> There is a whole chapter on this on the list somewhere..
>>>>>> Best is to read how to override this.
>>>>>> https://adsecurity.org/?p=1405
>>>>>>
>>>>>> and for your member server, how is your share set up?
>>>>>> Did you remove "authenticated users"?
>>>>>> If so, best is that you add "domain computer" or authenticated users
>>>>>> back.
>>>>>> And if you did not remove "authenticated users" from the share.
>>>>>>
>>>>>> Please post your share setup and rights for the shared folder.
>>>>>> AND the rights of the folder below the shared folder.
>>>>>>
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original message-----
>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor
>>>>>>> Trojanovic
>>>>>>> Sent: Tuesday, 17 November 2015 15:01
>>>>>>> To: mathias dufresne; samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Permission Issues with GPO
>>>>>>>
>>>>>>> Hi Mathias,
>>>>>>>
>>>>>>> The problem is not the GPO itself. The GPO containers are stored, as
>>>>>>> they should be, in the file system under sysvol/AD-DOMAIN/Policies, and
>>>>>>> they are being accessed correctly by the respective users and computers.
>>>>>>> Maybe my question isn't phrased perfectly but my problem is that any
>>>>>>> *computer GPO* that is accessing my file server (Samba Member) fails
>>>>>>> with an access denied error. To give you an example. I might have a
>>>>>>> startup script that is supposed to copy a file from the file server,
>>>>>>> let's say an MS Word template, to the AD computer. The GPO itself is
>>>>>>> saved on the DC and it is called correctly but the access to my file
>>>>>>> server is being denied, the copy transaction is not happening.
>>>>>>>
>>>>>>> There is a permission problem and I'm trying to figure out what it is.
>>>>>>> The reason I'm posting this here is because I assume there is a link
>>>>>>> between my Samba settings on the file server, and their connection to
>>>>>>> the Samba DC that are responsible for this problem as this is not
>>>>>>> standard behavior.
>>>>>>>
>>>>>>> Viktor
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 17.11.2015 13:30, mathias dufresne wrote:
>>>>>>>> Hey,
>>>>>>>>
>>>>>>>> If your GPOs are stored in AD (they are not template GPOs with all GPO
>>>>>>>> information in some file, I think this kind of non-pure-AD GPO are
>>>>>>>> stored in ADMX files, not sure).
>>>>>>>> In GPMC.msc you have to define which entities would receive the GPO.
>>>>>>>> Once the GPO is created, once it is set up, you have in the right
>>>>>>>> panel two parts.
>>>>>>>> The bottom part is to define to whom this GPO would be applied.
>>>>>>>>
>>>>>>>> In that case, GPO ownership should be reset by AD (don't ask me which
>>>>>>>> part of AD) if you modify GPO ACLs manually.
>>>>>>>>
>>>>>>>> In clear: you must use GPMC.msc to manage GPO ACLs. This if they are
>>>>>>>> not template.
>>>>>>>>
>>>>>>>> Hoping this could help to find a solution.
>>>>>>>>
>>>>>>>> mathias
>>>>>>>>
>>>>>>>> 2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>:
>>>>>>>>
>>>>>>>>> I was experiencing problems with Group Policy Objects. The Windows
>>>>>>>>> Event Viewer spits out so many different errors, most of them less
>>>>>>>>> than helpful, so I was seeking help here with some of those messages.
>>>>>>>>>
>>>>>>>>> In the end, and after many hours and even days of researching this
>>>>>>>>> problem, I seem to have pin-pointed the main issue to some simple
>>>>>>>>> permission irregularities that I don't know how to solve.
>>>>>>>>>
>>>>>>>>> In my setup, I have an AD DC and a member server, the latter in the
>>>>>>>>> function of a file server. Both are a Samba-only implementation based
>>>>>>>>> on version 4.3.1 of the server.
>>>>>>>>>
>>>>>>>>> Everything seems to work well enough, I never noticed any issue when
>>>>>>>>> working in a user context - I can authenticate, and I can use the file
>>>>>>>>> server as intended. But evidently, any policies that require access to
>>>>>>>>> the file server in a machine context (computer configuration node of
>>>>>>>>> the GPO), fail. I was able to confirm that in multiple tests.
>>>>>>>>>
>>>>>>>>> I'm at my wit's end as it seems to me that all the necessary share
>>>>>>>>> permissions and NTACLs are in place. I even followed the advice I
>>>>>>>>> could find on some forum pages to add the group "domain computers" to
>>>>>>>>> the share permissions but that didn't help either.
>>>>>>>>>
>>>>>>>>> Any advice or best practices? I can't imagine this should be so
>>>>>>>>> complicated.
>>>>>>>>>
>>>>>>>>> Viktor
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> To unsubscribe from this list go to the following URL and read 
>>>>>>>>> the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>
> Can we have a look at your smb.conf from your domain member?
>
> Rowland
>
Hi Rowland,

I posted it just before in answer to Louis' email, here it is again:

[global]

   netbios name = FILESERVER
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   username map = /etc/samba/samba_usermap

   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config OFFICE:backend = ad
   idmap config OFFICE:schema_mode = rfc2307
   idmap config OFFICE:range = 10000-99999

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = Yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = yes


[packages]
   path = /srv/samba/packages
   read only = no
   browsable = yes
   comment = "Software Packages"


Viktor
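As an added example (my own script, not something from the thread or from Samba), here is a small Python lint that reads the member-server smb.conf posted above and reports the two points the replies turn on: the idmap config block is named OFFICE while the workgroup is SAMDOM, so the member's own domain has no idmap block of its own (whether that is a real mismatch or a sanitisation slip in the paste, only the poster can say), and the packages share lacks the acl_xattr:ignore system acls = yes line Louis recommends. parse_smb_conf and lint are helpers written for this example; the config text is the poster's, trimmed to the lines the checks read.

```python
import re

# Viktor's member-server smb.conf as posted in this thread, trimmed to the
# lines the checks below read; SAMDOM and OFFICE are the poster's placeholders.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config OFFICE:backend = ad
   idmap config OFFICE:range = 10000-99999

[packages]
   path = /srv/samba/packages
   read only = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lower-cased keys."""
    conf, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    workgroup = g.get("workgroup", "").upper()
    findings = []
    pat = re.compile(r"idmap config (\S+):\w+$")
    domains = {m.group(1).upper() for m in map(pat.match, g) if m}
    # Only an idmap block named exactly like the workgroup serves the member's
    # own domain; any other name leaves those users on the '*' default backend.
    for dom in sorted(domains - {"*", workgroup}):
        findings.append(f"idmap domain {dom} does not match workgroup {workgroup}")
    if workgroup not in domains:
        findings.append(f"no idmap config for {workgroup}; it falls back to '*'")
    # Louis' advice for Windows-only shares: let the stored NT ACL decide alone.
    for name, share in conf.items():
        if name != "global" and "acl_xattr:ignore system acls" not in share:
            findings.append(f"[{name}]: set 'acl_xattr:ignore system acls = yes'")
    return findings
```

Run lint(SMB_CONF) against the pasted config and it returns three findings; rename OFFICE to SAMDOM and add the share option and it returns an empty list.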



