[Samba] Problems with GPO

Marcio Demetrio Bacci marciobacci at gmail.com
Thu Nov 3 21:17:58 UTC 2016


Hi Rowland

Following are the results:

*USER:*
wbinfo --uid-info=10060:
bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false

*GROUP:*
wbinfo --gid-info=30028: Domain Admins

wbinfo --gid-info=30032: Domain Users

wbinfo --gid-info=30033: Enterprise Admins


"I don't see user:3000003"

root@dc1:~# wbinfo -G 3000003
S-1-5-11

root@dc1:~# wbinfo -s S-1-5-11
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-11

I have two DCs (Samba 4) and one member File Server (Samba 4) in my network.
When I execute wbinfo -r <user>, I get different results:

root@dc1:~# wbinfo -G 3000000
S-1-5-32-544

root@dc1o:~# wbinfo -G 30002
S-1-5-32-544

root@dc1:~# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4

The SID for Administrators is 3000000 on the DC. On the File Server the same
group is 30002.

*Different Groups for the same user*
root@*dc1*:~# wbinfo -r bacci
30011
30025
30029
30030
30035
30049
30052
3000000


root@*server-file*:~# wbinfo -r bacci
30002
30003
30025
30028
30029
30030
30032
30035
30049
30052
30053


Regards,

Márcio

2016-11-03 13:59 GMT-02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 3 Nov 2016 10:25:00 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> > On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:
> > > Thanks Lingpanda101
> > >
> > > Following is the result of the command:
> > >
> > > # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> > > # owner: 10060
> > > # group: 30028
> > > user::rwx
> > > user:10060:rwx
> > > user:3000002:rwx
> > > user:3000010:r-x
> > > group::rwx
> > > group:30028:rwx
> > > group:30032:r-x
> > > group:30033:rwx
> > > group:3000002:rwx
> > > group:3000010:r-x
> > > mask::rwx
> > > other::---
> > > default:user::rwx
> > > default:user:10060:rwx
> > > default:user:3000002:rwx
> > > default:user:3000010:r-x
> > > default:group::---
> > > default:group:30028:rwx
> > > default:group:30032:r-x
> > > default:group:30033:rwx
> > > default:group:3000002:rwx
> > > default:group:3000010:r-x
> > > default:mask::rwx
> > > default:other::---
> > >
> > >
> > >
> > > Regards,
> > >
> > > Márcio
> > >
> > > 2016-11-03 11:46 GMT-02:00 lingpanda101 via samba
> > > <samba at lists.samba.org>:
> > >
> > >     On 11/2/2016 5:51 PM, Marcio Demetrio Bacci via samba wrote:
> > >
> > >         I'm having problems with GPO in Samba 4.2.1
> > >
> > >         I created a GPO to Block Control Panel and applied it in my
> > >         Domain OU.
> > >
> > >         In the desktop client I typed "gpupdate /force" and a success
> > >         message appeared asking me to reboot my system. After reboot
> > >         the GPO doesn't work.
> > >
> > >         Other GPOs such as WSUS update, Wallpaper and others don't work
> > >         either.
> > >
> > >
> > >         Following is the result of the command: GPRESULT /H GPResult.html
> > >
> > >         GPOs Applied
> > >         Name                    Location Link     Revision
> > >         Default Domain Policy   empresa.com.br    AD (1), Sysvol (65535)
> > >
> > >         GPOs Denied
> > >         Name                                     Location Link                      Denial Reason
> > >         Local Group Policies                     Location                           EMPTY
> > >         {0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}   empresa.com.br                     Inaccessible
> > >         {D65C5B66-A380-48AD-AC8A-DE417173E293}   empresa.comb.br/EMPRESA/SecInfor   Inaccessible
> > >         Wallpaper                                empresa.comb.br/EMPRESA/SecInfor   Inaccessible
> > >
> > >         How can I debug this problem ?
> > >
> > >         Regards,
> > >
> > >         Márcio
> > >
> > >
> > >     The denial reason Inaccessible usually refers to a permissions
> > >     problem. Verify that the user and/or computer the GPO applies to
> > >     has the correct permissions. Can you run 'getfacl
> > >     /Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}' and post the
> > >     results?
> > >
> > >     --
> > >     - James
> > >
> > >
> > >
> > >
> > I see you have given some users and groups a UID. Can you tell me the
> > results of
> >
> > wbinfo --uid-info=10060
> > wbinfo --uid-info=30028
> > wbinfo --uid-info=30032
> > wbinfo --uid-info=10060
> > wbinfo --uid-info=30033
> >
> > I don't see user:3000003 which I believe is Authenticated Users. Did
> > you give this group a UID?
> >
> >
> >
>
> Seeing as this is not one of the two std GPOs, you have a problem. When
> you create a GPO, the owners are Domain Admins and the group is Domain
> Admins, so who is '10060' and what is '30028' ?
>
> Rowland
>
>
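
An added example, not part of the original thread: a Python sketch that cross-checks the getfacl output quoted above against the ID mappings wbinfo returned on dc1, reporting who owns the GPO directory, which ACL IDs have no mapping shown in the thread, and whether the ID that resolves to S-1-5-11 has a read entry. The `audit` function and its result keys are illustrative names; the sample data is copied from the messages above, and the mappings are those of dc1 only (the thread shows the file server maps the same SIDs to different IDs).

```python
import re

# Access-ACL part of the getfacl output quoted in the thread (default: entries omitted).
GETFACL = """\
# file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
# owner: 10060
# group: 30028
user::rwx
user:10060:rwx
user:3000002:rwx
user:3000010:r-x
group::rwx
group:30028:rwx
group:30032:r-x
group:30033:rwx
group:3000002:rwx
group:3000010:r-x
mask::rwx
other::---
"""

# ID -> name/SID pairs that wbinfo returned on dc1 in the thread.
KNOWN = {10060: "bacci", 30028: "Domain Admins", 30032: "Domain Users",
         30033: "Enterprise Admins", 3000000: "S-1-5-32-544", 3000003: "S-1-5-11"}

HEADER = re.compile(r"^# (owner|group): (\d+)$")
ENTRY = re.compile(r"^(user|group):(\d+):([r-][w-][x-])$")

def audit(text, known, must_read):
    """Resolve owner and named ACL entries; list unmapped IDs and IDs lacking r-x."""
    head, perms = {}, {}
    for line in text.splitlines():
        if m := HEADER.match(line):
            head[m.group(1)] = int(m.group(2))
        elif m := ENTRY.match(line):
            perms.setdefault(int(m.group(2)), set()).add(m.group(3))
    return {
        "owner": known.get(head["owner"], "unmapped"),
        "group": known.get(head["group"], "unmapped"),
        "unmapped": sorted(i for i in perms if i not in known),
        "no_read": sorted(i for i in must_read
                          if not any(p[0] == "r" and p[2] == "x" for p in perms.get(i, ()))),
    }

if __name__ == "__main__":
    # 3000003 is S-1-5-11 on dc1, the entry the thread reports as absent.
    for key, value in audit(GETFACL, KNOWN, must_read=[3000003]).items():
        print(f"{key}: {value}")
```

Because the DCs and the member server allocate IDs differently, the `KNOWN` table has to be rebuilt with wbinfo on whichever host the getfacl output came from.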

