[Samba] Problems with GPO
Marcio Demetrio Bacci
marciobacci at gmail.com
Fri Nov 4 03:32:44 UTC 2016
Hi,
The bacci user is a Domain Admin, because group 30049 is a member of Domain Admins. I
use this user to create GPOs.
Following are my configuration files:
*FILE-SERVER - SMB.CONF*
[global]
netbios name = file-server
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM.BR
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
*DC1 - SMB.CONF*
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
*DC2 - SMB.CONF*
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = dc2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
I'm using the "samba-tool drs showrepl" command on DC2 and the result is
SUCCESS.
Do I need to remove the Unix attributes of all builtin users
(Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users,
Domain Admins and Domain Computers groups also need their Unix attributes removed?
Do I just select the "None" option in the Unix Attributes tab (in the
RSAT) to remove them?
Must the accounts of the domain computers (joined to the domain) have the
Unix attribute?
Is there a way to remove null objects in Samba 4?
*Others Tests*
Result of "*testparm*" command:
Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Result of "*samba-tool gpo list bacci@empresa.com.br*"
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
self.url = dc_url(self.lp, self.creds, H)
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
raise RuntimeError("Could not find a DC for domain", e)
Result of *samba-tool gpo listall*
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 311, in run
self.url = dc_url(self.lp, self.creds, H)
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
raise RuntimeError("Could not find a DC for domain", e)
Regards,
Márcio
2016-11-03 20:10 GMT-02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> See inline comments:
>
> On Thu, 3 Nov 2016 19:17:58 -0200
> Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
>
> > Hi Rowland
> >
> > Following the results to:
> >
> > *USER:*
> > wbinfo --uid-info=10060:
> > bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
> >
>
> It looks like 'bacci' is a normal user and the owner of the
> Policies GUID dir should be 'Domain Admins'
>
> > *GROUP:*
> > wbinfo --gid-info=30028: Domain Admins
>
> This is where one of the problems starts, a bit of a catch 22 problem: you
> need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
> you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can
> own dirs & files in sysvol.
>
> >
> > wbinfo --gid-info=30032: Domain Users
> >
> > wbinfo --gid-info=30033: Enterprise Admins
> >
> >
> > "I don't see user:3000003"
> >
> > root at dc1:~# wbinfo -G 3000003
> > S-1-5-11
> >
> > root at dc1:~# wbinfo -s S-1-5-11
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-11
> >
>
> You will need to look inside idmap.ldb to find this.
>
> > I have two DCs (Samba 4) and one member File Server (Samba 4) in my
> > network. When I execute wbinfo -r <user>, I get different results:
> >
> > root at dc1:~# wbinfo -G 3000000
> > S-1-5-32-544
> >
> > root at dc1o:~# wbinfo -G 30002
> > S-1-5-32-544
> >
> > root at dc1:~# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> >
> > The SID for Administrators is 3000000 on the DC. On the File Server the
> > same group is 30002.
>
> Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
> samba do this on the DC and set up smb.conf correctly on the domain
> member. You do this by using 'idmap config * : backend = tdb'
>
>
> >
> > *Different Groups to the same user*
> > root@*dc1*:~# wbinfo -r bacci
> > 30011
> > 30025
> > 30029
> > 30030
> > 30035
> > 30049
> > 30052
> > 3000000
> >
> >
> > root@*server-file*:~# wbinfo -r bacci
> > 30002
> > 30003
> > 30025
> > 30028
> > 30029
> > 30030
> > 30032
> > 30035
> > 30049
> > 30052
> > 30053
> >
> >
> > Regards,
> >
> > Márcio
> >
>
> Rowland
>
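The thread turns on how the idmap configuration in smb.conf is laid out on the domain member: a default '*' domain with an allocating backend (tdb) for BUILTIN and unknown SIDs, a separate 'ad' backend for the EMPRESA domain, and ranges that do not overlap. The script below is an added example, not code from the thread or from the Samba project; it parses the [global] section of an smb.conf and reports the mistakes that are detectable from the file alone (missing or non-allocating default backend, missing ranges, overlapping ranges). The two embedded configs are constructed: the first mirrors the file server config quoted above, the second deliberately gets it wrong. It does not check attributes stored in AD (such as uidNumber/gidNumber on BUILTIN objects), which is the other half of Rowland's advice.

```python
"""Sanity-check the 'idmap config' lines of a Samba domain member smb.conf."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the file server smb.conf quoted in the thread.
GOOD_SMB_CONF = """
[global]
netbios name = file-server
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM.BR
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind use default domain = yes

[share]
path = /srv/share
"""

# Constructed counter-example: read-only 'ad' backend as the default and
# a default range that overlaps the domain range.
BAD_SMB_CONF = """
[global]
workgroup = EMPRESA
security = ads
idmap config * : backend = ad
idmap config * : range = 1000-20000
idmap config EMPRESA : backend = ad
idmap config EMPRESA : range = 10000-9999999
"""

# Matches "idmap config DOMAIN:option = value", tolerating spaces around ':'.
_IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+)$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line in [global]."""
    domains: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue  # idmap settings are only meaningful in [global]
        m = _IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()
            domains.setdefault(dom, {})[m.group("opt").lower()] = m.group("val").strip()
    return domains


def _parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH'; raises ValueError on malformed or inverted ranges."""
    lo, hi = (int(part) for part in text.split("-", 1))
    if lo > hi:
        raise ValueError(text)
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means no issue found."""
    problems: List[str] = []
    domains = parse_idmap(conf)

    default = domains.get("*")
    if default is None:
        problems.append("missing 'idmap config *' default domain; BUILTIN/unknown SIDs cannot be mapped")
    elif default.get("backend", "").lower() not in ("tdb", "autorid"):
        # 'ad' and 'rid'-style backends cannot allocate IDs for arbitrary SIDs.
        problems.append(f"default domain '*' needs an allocating backend (tdb/autorid), got {default.get('backend')!r}")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = _parse_range(opts["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range {opts['range']!r}")

    # Every pair of ranges must be disjoint, or winbind refuses to use them.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"ranges of {a} ({lo_a}-{hi_a}) and {b} ({lo_b}-{hi_b}) overlap")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(label, check_idmap(conf) or "OK")
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`; a clean result only means the ranges and backends are consistent, so the cross-host `wbinfo` comparisons in the thread are still needed to see how the IDs actually resolve on each machine.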