[Samba] Problems with GPO
Rowland Penny
rpenny at samba.org
Fri Nov 4 08:53:55 UTC 2016
On Fri, 4 Nov 2016 01:32:44 -0200
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> Hi,
>
> The bacci user is a Domain Admin, because the 30049 group is a member of
> Domain Admins. I use this user to create the GPO.
>
> The following are my configuration files:
>
> *FILE-SERVER - SMB.CONF*
> [global]
> netbios name = file-server
> workgroup = EMPRESA
> security = ads
> realm = EMPRESA.COM.BR
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user.map
>
>
> *DC1 - SMB.CONF*
> [global]
> workgroup = EMPRESA
> realm = EMPRESA.COM.BR
> netbios name = DC1
> server role = active directory domain controller
> dns forwarder = 192.168.200.10
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
>
>
> *DC2 - SMB.CONF*
> [global]
> workgroup = EMPRESA
> realm = EMPRESA.COM.BR
> netbios name = dc2
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
>
>
The only possible problem with your smb.conf files (and it doesn't have
anything to do with your problem) is the second DC doesn't have a
forwarder.
> I'm using "samba-tool drs showrepl" command in DC2 and the result is
> SUCCESS.
>
> Do I need to remove the Unix attributes of all built-in users
> (Administrators, Account Operators, Users, Guest, ...)? Do the Domain
> Users, Domain Admins and Domain Computers groups also need to have their
> Unix attributes removed?
The only group that may need a gidNumber is Domain Admins; the only
group that must have a gidNumber is Domain Users, and then only if
you use the winbind 'ad' backend on a domain member.
>
> Do I just have to select the "None" option in the Unix Attributes tab
> (in RSAT) to remove it?
Yes, this should remove them
>
> Must the accounts of the domain computers (joined to the domain)
> have the Unix attribute?
No, I have never added them
>
> Is there a way to remove null objects from Samba 4?
Sorry, I don't understand what you mean by 'null objects'
>
> *Other Tests*
>
> Result of "*testparm*" command:
>
> Load smb config files from /opt/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Result of "*samba-tool gpo list bacci at empresa.com.br*"
>
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
This looks like a dns problem, plus the command should be:
samba-tool gpo list bacci
>
> Result of *samba-tool gpo listall*
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 311, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
>
>
This is definitely a dns problem
Rowland
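The "Could not find a DC for domain" error in the tracebacks above is raised when the client cannot locate a domain controller, and an AD client locates DCs through the SRV records under `_msdcs` in the domain's DNS zone. The script below is an added example, not code from the thread or from Samba, that queries those records for the realm and checks that every advertised DC name resolves to an address; it assumes `dig` is installed, and only the realm comes from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check the DNS records an AD client
# needs to locate a DC. Only the realm is from the thread.
REALM="${REALM:-empresa.com.br}"

# The SRV records the DC locator looks up for a given realm.
dc_srv_names() {
    local realm="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.${realm}" \
        "_kerberos._tcp.dc._msdcs.${realm}" \
        "_ldap._tcp.${realm}" \
        "_kerberos._tcp.${realm}" \
        "_kerberos._udp.${realm}" \
        "_kpasswd._tcp.${realm}" \
        "_kpasswd._udp.${realm}"
}

# Turn `dig +short SRV` output ("<priority> <weight> <port> <target>.")
# into "host port" pairs, dropping the trailing dot on the target.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Query each record live and verify every advertised DC has an A record.
check_realm() {
    local realm="$1" name out host port ip
    dc_srv_names "$realm" | while read -r name; do
        out="$(dig +short SRV "$name" 2>/dev/null)"
        if [ -z "$out" ]; then
            echo "MISSING  $name"
            continue
        fi
        printf '%s\n' "$out" | parse_srv | while read -r host port; do
            ip="$(dig +short A "$host" 2>/dev/null | head -n1)"
            echo "OK       $name -> $host:$port (${ip:-NO A RECORD})"
        done
    done
}

# Run the live checks only when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    check_realm "$REALM"
fi
```

Run it with `--run` on the machine whose resolver is in question (here, the host where `samba-tool gpo list` fails); a MISSING line for `_ldap._tcp.dc._msdcs.<realm>` or a NO A RECORD entry means the locator has nothing to connect to, which is the situation the traceback describes.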