[Samba] Problems with GPO

L.P.H. van Belle belle at bazuin.nl
Fri Nov 4 09:10:46 UTC 2016


Just make it a bit easier for yourself. 

Setup sysvol like this. 

[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Restart Samba, and set the SHARE RIGHTS and file/folder rights again. 
Or at least check them; the defaults should be OK. 

When that's done, go here: 
http://trekker.net/archives/group-policy-downloads/ 
and get the ADMX templates you need. 

Win 10 build 1607 is not on that site, found here : 
https://www.microsoft.com/en-us/download/details.aspx?id=53430

and for others, install this in Win 7 and copy the templates to the sysvol 
(located somewhere in Program Files). 

Extra usable templates here:
http://winintro.com/ 

Now, when that's done, and this is more for you. 

Does the user bacci need Domain Admin? 
Like, is it your replacement for the user Administrator? Then that's OK. 
If it's a normal user which needs to do GPO stuff, then I suggest adding this user to "Group Policy Creator Owners" and don't abuse the Domain Admins group. 

So this is the basic stuff for a GPO setup. 


Now, about the error: 
ERROR(runtime): uncaught exception ... 
You can ignore it IF you use the parameter: acl_xattr:ignore system acls = yes 
Or move all folders out of sysvol, do the sysvol reset, and place the folders back; that can help. 

I do advise to set up GIDs for "Domain -" Users/Admins/Guest and, most important, "Domain Computers" .. now we are getting to your problem. 

Due to all the MS changes, how policies are applied has changed. 

The user settings are not applied anymore by the user, but by the computer. 
This is key to remember. 

So for every policy you set you need one of these groups. 

1) Authenticated Users ( users and computer accounts ) ( preferred ) 
2) Domain Users + any group; this is a group for applying the GPO. 
3) Domain Computers / any computer group 

In option 1, nothing special is needed. 
In option 2, you must set read GPO policies for Domain Users, and read+apply for the custom group. 
In option 3, same as option 2, but this is only for a computer policy. 

If you have a problem like: the GPO applies from one server, but not from the other DC. 
Run: net cache flush 
Stop Samba on both DCs and copy the idmap.tdb from DC1 to DC2. 


About your setup and config, it all looks fine to me, except: 
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e

Please post your resolv.conf, /etc/hosts and /etc/nsswitch.conf. 
And are you using BIND_DLZ or the internal Samba DNS? 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio
> Bacci via samba
> Sent: Friday 4 November 2016 4:33
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Problems with GPO
> 
> Hi,
> 
> The bacci user is a Domain Admin, because group 30049 is a Domain Admins member. I
> use this user to create GPOs.
> 
> Following are my configuration files:
> 
> *FILE-SERVER - SMB.CONF*
> [global]
>   netbios name = file-server
>   workgroup = EMPRESA
>   security = ads
>   realm = EMPRESA.COM.BR
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   preferred master = no
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config EMPRESA:backend = ad
>   idmap config EMPRESA:schema_mode = rfc2307
>   idmap config EMPRESA:range = 10000-9999999
> 
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
> 
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
>   username map = /etc/samba/user.map
> 
> 
> *DC1 - SMB.CONF*
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = DC1
>     server role = active directory domain controller
>     dns forwarder = 192.168.200.10
>     idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
> 
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
> 
> 
> *DC2 - SMB.CONF*
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = dc2
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
> 
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
> 
> 
> I'm using "samba-tool drs showrepl" command in DC2 and the result is
> SUCCESS.
> 
> Do I need to remove the Unix attributes of all builtin users
> (Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users,
> Domain Admins and Domain Computers groups also need their Unix
> attributes removed?
> 
> Do I just select the "None" option in the Unix Attributes tab (in the
> RSAT) to remove it?
> 
> Must the accounts of the domain computers (joined to the domain) have the
> Unix attribute?
> 
> Is there a way to remove null objects in Samba 4?
> 
> *Other Tests*
> 
> Result of "*testparm*" command:
> 
> Load smb config files from /opt/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> 
> Result of "*samba-tool gpo list bacci at empresa.com.br*":
> 
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 349, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
> 
> Result of *samba-tool gpo listall*
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 311, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e
> 
> 
> Regards,
> 
> Márcio
> 
> 2016-11-03 20:10 GMT-02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> 
> >
> > See inline comments:
> >
> > On Thu, 3 Nov 2016 19:17:58 -0200
> > Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> >
> > > Hi Rowland
> > >
> > > Following the results to:
> > >
> > > *USER:*
> > > wbinfo --uid-info=10060:
> > > bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
> > >
> >
> > It looks like 'bacci' is a normal user and the owner of the
> > Policies GUID dir should be 'Domain Admins'
> >
> > > *GROUP:*
> > > wbinfo --gid-info=30028: Domain Admins
> >
> > This is where one of the problems starts, bit of a catch-22 problem: you
> > need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
> > you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can
> > own dirs & files in sysvol.
> >
> > >
> > > wbinfo --gid-info=30032: Domain Users
> > >
> > > wbinfo --gid-info=30033: Enterprise Admins
> > >
> > >
> > > "I don't see user:3000003"
> > >
> > > root at dc1:~# wbinfo -G 3000003
> > > S-1-5-11
> > >
> > > root at dc1:~# wbinfo -s S-1-5-11
> > > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > > Could not lookup sid S-1-5-11
> > >
> >
> > You will need to look inside idmap.ldb to find this.
> >
> > > I have in my network two DC (Samba 4) and one member File Server
> > > (Samba 4). When I execute wbinfo -r <user>, I have different results:
> > >
> > > root at dc1:~# wbinfo -G 3000000
> > > S-1-5-32-544
> > >
> > > root at dc1o:~# wbinfo -G 30002
> > > S-1-5-32-544
> > >
> > > root at dc1:~# wbinfo -s S-1-5-32-544
> > > BUILTIN\Administrators 4
> > >
> > > The SID to Administrators is 3000000 in DC. In File Server the same
> > > group is 30002.
> >
> > Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
> > samba do this on the DC and set up smb.conf correctly on the domain
> > member. You do this by using 'idmap config * : backend = tdb'
> >
> >
> > >
> > > *Different Groups to the same user*
> > > root@*dc1*:~# wbinfo -r bacci
> > > 30011
> > > 30025
> > > 30029
> > > 30030
> > > 30035
> > > 30049
> > > 30052
> > > 3000000
> > >
> > >
> > > root@*server-file*:~# wbinfo -r bacci
> > > 30002
> > > 30003
> > > 30025
> > > 30028
> > > 30029
> > > 30030
> > > 30032
> > > 30035
> > > 30049
> > > 30052
> > > 30053
> > >
> > >
> > > Regards,
> > >
> > > Márcio
> > >
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
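As an added example (not part of the original thread or of Samba itself), the checks Louis describes at the top of the message can be automated: a small parser for smb.conf-style text, a check that a DC's [sysvol] share is writable and carries `acl_xattr:ignore system acls = yes`, and a check that a domain member uses `security = ads`, a tdb default idmap backend and non-overlapping idmap ranges (Samba requires the ranges of different idmap domains not to overlap). The configuration snippets below are constructed from the ones quoted in the thread; the fourth one is a deliberately broken member config, invented here, to show the overlap check firing.

```python
"""smb.conf sanity checks for the sysvol/GPO advice in the thread.

Added example, not from the original post or from the Samba project.
All configs below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def normalise_key(key: str) -> str:
    """Samba ignores case and whitespace in parameter names, so
    'idmap config * : backend' and 'idmap config *:backend' are the same key."""
    key = " ".join(key.lower().split())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf-style text into {section: {key: value}}."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][normalise_key(key)] = value.strip()
    return conf


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_false(value: str) -> bool:
    return value.strip().lower() in ("no", "false", "0")


def parse_range(value: str) -> Tuple[int, int]:
    low, high = value.split("-")
    return int(low), int(high)


def check_dc_sysvol(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Louis's two [sysvol] recommendations for a DC."""
    sysvol = conf.get("sysvol")
    if sysvol is None:
        return ["no [sysvol] share defined"]
    findings = []
    # Samba's default for 'read only' is yes, so a missing key is a finding.
    if not is_false(sysvol.get("read only", "yes")):
        findings.append("[sysvol] should be writable: set 'read only = No'")
    if not is_true(sysvol.get("acl_xattr:ignore system acls", "no")):
        findings.append("[sysvol] lacks 'acl_xattr:ignore system acls = yes' "
                        "(the sysvol 'uncaught exception' can only be ignored with it set)")
    return findings


def check_member_idmap(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Domain member: security = ads, tdb default backend, disjoint idmap ranges."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("domain member needs 'security = ads'")
    if g.get("idmap config *:backend", "").lower() != "tdb":
        findings.append("default idmap backend should be tdb ('idmap config * : backend = tdb')")
    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            ranges[m.group(1)] = parse_range(value)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


# Constructed from the thread: DC1 as posted (no 'ignore system acls').
DC1_CONF = """
[global]
    workgroup = EMPRESA
    realm = EMPRESA.COM.BR
    netbios name = DC1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /opt/samba/var/locks/sysvol
    read only = No
"""

# Constructed: the [sysvol] share as Louis recommends it.
RECOMMENDED_SYSVOL = """
[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes
"""

# Constructed from the thread: the member server's idmap settings.
MEMBER_CONF = """
[global]
  security = ads
  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:range = 10000-9999999
"""

# Constructed, not from the thread: overlapping ranges, to exercise the check.
BAD_MEMBER_CONF = """
[global]
  security = ads
  idmap config * : backend = tdb
  idmap config * : range = 1000-3000
  idmap config EMPRESA : backend = ad
  idmap config EMPRESA : range = 2000-99999
"""

if __name__ == "__main__":
    for label, text, check in (("DC1", DC1_CONF, check_dc_sysvol),
                               ("recommended", RECOMMENDED_SYSVOL, check_dc_sysvol),
                               ("member", MEMBER_CONF, check_member_idmap),
                               ("bad member", BAD_MEMBER_CONF, check_member_idmap)):
        print(label, check(parse_smb_conf(text)) or "OK")
```

Run it directly to see which of the four constructed configs pass; the DC1 snippet is flagged only for the missing `acl_xattr:ignore system acls`, the member server from the thread passes, and the invented overlapping-range config is reported.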