[Samba] Problems with GPO
Marcio Demetrio Bacci
marciobacci at gmail.com
Sat Nov 5 03:54:34 UTC 2016
Hi,
Here are my configuration files (DC1, DC2 and FILE-SERVER)
*DC1*
/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10
/etc/hosts
127.0.0.1 localhost.localadmin localhost
192.168.200.25 dc1.empresa.com.br dc1
/opt/samba/etc/smb.conf
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes
##################################################
*DC2*
/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.10
/etc/hosts
127.0.0.1 localhost.localadmin localhost
192.168.200.4 dc2.empresa.com.br dc2
/opt/samba/etc/smb.conf
[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.10
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes
######################################################
*FILE-SERVER (DOMAIN MEMBER)*
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10
/etc/hosts
127.0.0.1 localhost
192.168.200.3 file-server.empresa.com.br file-server
192.168.200.25 dc1.empresa.com.br dc1
192.168.200.4 dc2.empresa.com.br dc2
/etc/samba/smb.conf (only a piece)
...
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
...
I copied idmap.ldb from DC1 to DC2, and now uidNumber and gidNumber are the
same. But on the file server they are still different from the DC.
I would like to remove objects without references in my domain (e.g. SID
S-1-22-33-55 "unknown"). Is it possible?
*GPO List has still problems*
root at DC1:/opt/samba/private# samba-tool gpo list ferreira
ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
349, in run
self.url = dc_url(self.lp, self.creds, H)
File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
117, in dc_url
raise RuntimeError("Could not find a DC for domain", e)
On DC1 there are 2 folders in Sysvol\empresa.com.br: Policies and Scripts. But on
DC2 the Policies folder isn't there. Is this normal?
I'm using the *INTERNAL Samba DNS*. Here are my DNS tests:
root at dc1:~# host -t SRV _ldap._tcp.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.
root at dc1:~# host -t SRV _kerberos._udp.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc1.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc2.empresa.com.br.
root at dc1:~# host -t A dc1.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25
root at dc1:~# host -t A dc2.empresa.com.br.
dc2.empresa.com.br has address 192.168.200.4
Here is the result of command "samba-tool dns zonelist dc1.empresa.com.br
--primary -U administrator"
3 zone(s) found
pszZoneName : 200.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.empresa.com.br
pszZoneName : empresa.com.br
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.empresa.com.br
pszZoneName : _msdcs.empresa.com.br
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.empresa.com.br
samba-tool dns zoneinfo dc1.empresa.com.br empresa.com.br -U administrator
pszZoneName : empresa.com.br
dwZoneType : DNS_ZONE_TYPE_PRIMARY
fReverse : FALSE
fAllowUpdate : DNS_ZONE_UPDATE_SECURE
fPaused : FALSE
fShutdown : FALSE
fAutoCreated : FALSE
fUseDatabase : TRUE
pszDataFile : None
aipMasters : []
fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER
fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY
aipSecondaries : []
aipNotify : []
fUseWins : FALSE
fUseNbstat : FALSE
fAging : FALSE
dwNoRefreshInterval : 168
dwRefreshInterval : 168
dwAvailForScavengeTime : 0
aipScavengeServers : []
dwRpcStructureVersion : 0x2
dwForwarderTimeout : 0
fForwarderSlave : 0
aipLocalMasters : []
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.empresa.com.br
pwszZoneDn : DC=empresa.com.br
,CN=MicrosoftDNS,DC=DomainDnsZones,DC=empresa,DC=com,DC=br
dwLastSuccessfulSoaCheck : 0
dwLastSuccessfulXfr : 0
fQueuedForBackgroundLoad : FALSE
fBackgroundLoadInProgress : FALSE
fReadOnlyZone : FALSE
dwLastXfrAttempt : 0
dwLastXfrResult : 0
PS: Now, for some users/computers, my GPO is working. I'm testing only Windows
7 Professional workstations.
Regards,
Márcio
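The member server's idmap stanza above is where the uid/gid mismatch between the DCs and the file server actually gets decided, so here is an added example (mine, not code from the thread or from the Samba project) that checks such a stanza before it is trusted. It parses the `idmap config` lines exactly as posted, a constructed /etc/passwd and /etc/group in which the first local account got UID/GID 1000 (the Debian/Ubuntu default), and two constructed ID-to-SID pairs modelled on the `wbinfo -G` output earlier in the thread (30002 mapping to BUILTIN\Administrators). It flags overlapping ranges, a range that collides with local accounts (the posted `* : range = 1000-3000` does; the 3000-7999 value used as the corrected range is the one the Samba wiki's domain member examples use), and a BUILTIN or well-known SID that was allocated from the AD range instead of the `*` range, which is the symptom Rowland describes.

```python
"""Sanity-check a Samba domain member's idmap ranges (added example).

Not code from the Samba project or from anyone in the thread. It parses the
'idmap config' lines quoted from the file server's smb.conf, a constructed
/etc/passwd and /etc/group, and a couple of ID -> SID mappings of the kind
'wbinfo -G' prints, and reports what a practitioner wants to know before
trusting uid/gid mappings on a member server:

  * idmap ranges must not overlap each other,
  * no range may overlap locally allocated UIDs/GIDs, otherwise a domain SID
    can receive the same numeric ID as a local account and inherit its file
    permissions, and
  * BUILTIN and other well-known SIDs should be mapped from the '*' (tdb)
    range, not from the AD (rfc2307) range.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Range = Tuple[int, int]

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# Everyone, Network, Authenticated Users: never AD objects with rfc2307 attributes.
WELL_KNOWN_SIDS = {"S-1-1-0", "S-1-5-2", "S-1-5-11"}


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every 'idmap config' line in smb_conf."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(text: str) -> Range:
    """'10000-9999999' -> (10000, 9999999); rejects an inverted range."""
    lo, hi = (int(part) for part in text.replace(" ", "").split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def local_id_span(passwd: str, group: str, floor: int = 1000) -> Optional[Range]:
    """Lowest and highest regular (>= floor) UID/GID allocated locally, or None."""
    ids: List[int] = []
    for text in (passwd, group):
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) >= floor:
                ids.append(int(fields[2]))
    return (min(ids), max(ids)) if ids else None


def is_well_known(sid: str) -> bool:
    return sid.startswith("S-1-5-32-") or sid in WELL_KNOWN_SIDS


def check_idmap(smb_conf: str, passwd: str, group: str,
                mappings: Iterable[Tuple[int, str]] = ()) -> List[str]:
    """Return a list of findings; an empty list means the layout looks sane."""
    findings: List[str] = []
    ranges: Dict[str, Range] = {}
    for dom, cfg in parse_idmap(smb_conf).items():
        if "range" in cfg:
            ranges[dom] = parse_range(cfg["range"])
        else:
            findings.append(f"{dom}: no idmap range configured")
    if "*" not in ranges:
        findings.append("no 'idmap config * : range'; BUILTIN SIDs cannot be mapped")

    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"idmap ranges of {a} and {b} overlap")

    local = local_id_span(passwd, group)
    for dom, rng in ranges.items():
        if local and overlaps(rng, local):
            findings.append(f"{dom} range {rng[0]}-{rng[1]} overlaps local "
                            f"accounts {local[0]}-{local[1]}")

    for xid, sid in mappings:
        owner = next((d for d, r in ranges.items() if r[0] <= xid <= r[1]), None)
        if is_well_known(sid) and owner != "*":
            findings.append(f"{sid} -> {xid} was allocated from the "
                            f"{owner or 'no'} range, expected '*'")
    return findings


# Constructed inputs: the member's idmap lines from the thread, a passwd/group
# where the first local user got UID/GID 1000 (the Debian/Ubuntu default), and
# the 30002 -> BUILTIN\Administrators mapping the thread shows on the member.
MEMBER_SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
"""
FIXED_SMB_CONF = MEMBER_SMB_CONF.replace("1000-3000", "3000-7999")
PASSWD = "root:x:0:0:root:/root:/bin/bash\nlocaladmin:x:1000:1000::/home/localadmin:/bin/bash\n"
GROUP = "root:x:0:\nlocaladmin:x:1000:\n"
MAPPINGS = [(30002, "S-1-5-32-544"), (10060, "S-1-5-21-1111-2222-3333-1105")]

if __name__ == "__main__":
    for label, conf in (("as posted", MEMBER_SMB_CONF), ("'*' range 3000-7999", FIXED_SMB_CONF)):
        print(f"{label}:")
        for finding in check_idmap(conf, PASSWD, GROUP, MAPPINGS) or ["ok"]:
            print("  -", finding)
```

Run against the posted configuration it reports two findings: the `*` range starts at 1000, where the first local Unix account lives, and BUILTIN\Administrators was handed 30002 out of the EMPRESA range, which only happens when the BUILTIN group carries a gidNumber in AD. Moving the `*` range to 3000-7999 removes the first; removing the gidNumber from the BUILTIN group (so winbind allocates it from tdb) removes the second.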
2016-11-04 7:10 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Just make it a bit easier for yourself.
>
> Setup sysvol like this.
>
> [sysvol]
> path = /home/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = yes
>
> Restart samba, and set the SHARE RIGHTS and File/Folder rights again.
> Or at least check them, the defaults should be ok.
>
> When thats done.
> Go here. :
> http://trekker.net/archives/group-policy-downloads/
> get the ADMX templates you need.
>
> Win 10 build 1607 is not on that site, found here :
> https://www.microsoft.com/en-us/download/details.aspx?id=53430
>
> and for others, install this on Win 7 and copy the templates to the
> sysvol.
> ( located somewhere in Program Files )
>
> Extra usable templates here:
> http://winintro.com/
>
> Now, when that's done, and this is more for you.
>
> Does the user bacci need Domain Admin?
> Like, is it your replacement for user Administrator? Then that's ok.
> If it's a normal user which needs to do GPO stuff, then I suggest adding
> this user to "Group Policy Creator Owners" and don't abuse the domain admin
> group.
>
> So this is the basic stuff for a GPO setup.
>
>
> Now, about the error :
> ERROR(runtime): uncaught exception ...
> You can ignore it IF you use the parameter : acl_xattr:ignore system acls
> = yes
> Or, move all folders from sysvol, do the sysvol reset, and place the
> folders back, that can help.
>
> I do advise setting up a GID for "Domain -" Users/Admins/Guests and, most
> important, "Domain Computers" .. now we are getting to your problem.
>
> Due to all the MS changes, how policies are applied has changed.
>
> The user setting is not applied anymore by the user, but by the computer.
> This is key to remember.
>
> So for every policy you set you need one of these groups.
>
> 1) Authenticated Users ( users and computer accounts ) ( preferred )
> 2) Domain Users + any group that is a group for applying the GPO.
> 3) Domain Computers / any computer group
>
> In option 1, nothing special is needed.
> In option 2, you must set read GPO policies for Domain Users, and
> read+apply for the custom group.
> In option 3, same as option 2, but this is only for a computer policy.
>
> If you have a problem like: GPO applies from one server, but not from the
> other DC.
> Run : net cache flush
> Stop samba on both DCs and copy the idmap.tdb from DC1 to DC2.
>
>
> About your setup and config, it all looks fine to me, except:
> > 117, in dc_url
> > raise RuntimeError("Could not find a DC for domain", e)
>
> Please post your resolv.conf, /etc/hosts and /etc/nsswitch.conf.
> And are you using bind_DLZ or the internal samba DNS?
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio
> > Bacci via samba
> > Sent: Friday 4 November 2016 4:33
> > To: Rowland Penny; samba at lists.samba.org
> > Subject: Re: [Samba] Problems with GPO
> >
> > Hi,
> >
> > The bacci user is a Domain Admin, because group 30049 is a member of Domain
> > Admins. I use this user to create GPOs.
> >
> > Following are my configuration files:
> >
> > *FILE-SERVER - SMB.CONF*
> > [global]
> > netbios name = file-server
> > workgroup = EMPRESA
> > security = ads
> > realm = EMPRESA.COM.BR
> > encrypt passwords = yes
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > preferred master = no
> > idmap config *:backend = tdb
> > idmap config *:range = 1000-3000
> > idmap config EMPRESA:backend = ad
> > idmap config EMPRESA:schema_mode = rfc2307
> > idmap config EMPRESA:range = 10000-9999999
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > username map = /etc/samba/user.map
> >
> >
> > *DC1 - SMB.CONF*
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = DC1
> > server role = active directory domain controller
> > dns forwarder = 192.168.200.10
> > idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> > path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /opt/samba/var/locks/sysvol
> > read only = No
> >
> >
> > *DC2 - SMB.CONF*
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = dc2
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> > path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /opt/samba/var/locks/sysvol
> > read only = No
> >
> >
> > I'm using "samba-tool drs showrepl" command in DC2 and the result is
> > SUCCESS.
> >
> > Do I need to remove the Unix attributes of all builtin users
> > (Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users,
> > Domain Admins and Domain Computers groups also need their Unix attributes
> > removed?
> >
> > Do I just select the "None" option in the Unix Attributes tab (in the
> > RSAT) to remove it?
> >
> > Must the accounts of the domain computers (joined to the domain) have the
> > Unix attributes?
> >
> > Is there a way to remove null objects in Samba 4?
> >
> > *Others Tests*
> >
> > Result of "*testparm*" command:
> >
> > Load smb config files from /opt/samba/etc/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Loaded services file OK.
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> >
> > Result of "*samba-tool gpo list bacci at empresa.com.br*"
> >
> > ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> > RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
> > File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> > return self.run(*args, **kwargs)
> > File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> > 349, in run
> > self.url = dc_url(self.lp, self.creds, H)
> > File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> > 117, in dc_url
> > raise RuntimeError("Could not find a DC for domain", e)
> >
> > Result of *samba-tool gpo listall*
> > ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> > RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
> > File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> > return self.run(*args, **kwargs)
> > File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> > 311, in run
> > self.url = dc_url(self.lp, self.creds, H)
> > File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> > 117, in dc_url
> > raise RuntimeError("Could not find a DC for domain", e)
> >
> >
> > Regards,
> >
> > Márcio
> >
> > 2016-11-03 20:10 GMT-02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > >
> > > See inline comments:
> > >
> > > On Thu, 3 Nov 2016 19:17:58 -0200
> > > Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> > >
> > > > Hi Rowland
> > > >
> > > > Following the results to:
> > > >
> > > > *USER:*
> > > > wbinfo --uid-info=10060:
> > > > bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
> > > >
> > >
> > > It looks like 'bacci' is a normal user and the owner of the
> > > Policies GUID dir should be 'Domain Admins'
> > >
> > > > *GROUP:*
> > > > wbinfo --gid-info=30028: Domain Admins
> > >
> > > This is where one of the problems starts, bit of a catch 22 problem, you
> > > need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
> > > you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can
> > > own dirs & files in sysvol.
> > >
> > > >
> > > > wbinfo --gid-info=30032: Domain Users
> > > >
> > > > wbinfo --gid-info=30033: Enterprise Admins
> > > >
> > > >
> > > > "I don't see user:3000003"
> > > >
> > > > root at dc1:~# wbinfo -G 3000003
> > > > S-1-5-11
> > > >
> > > > root at dc1:~# wbinfo -s S-1-5-11
> > > > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > > > Could not lookup sid S-1-5-11
> > > >
> > >
> > > You will need to look inside idmap.ldb to find this.
> > >
> > > > I have two DCs (Samba 4) and one member file server (Samba 4) in my
> > > > network. When I execute wbinfo -r <user>, I get different results:
> > > >
> > > > root at dc1:~# wbinfo -G 3000000
> > > > S-1-5-32-544
> > > >
> > > > root at dc1o:~# wbinfo -G 30002
> > > > S-1-5-32-544
> > > >
> > > > root at dc1:~# wbinfo -s S-1-5-32-544
> > > > BUILTIN\Administrators 4
> > > >
> > > > The SID for Administrators is 3000000 on the DC. On the file server the
> > > > same group is 30002.
> > >
> > > Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
> > > samba do this on the DC and set up smb.conf correctly on the domain
> > > member. You do this by using 'idmap config * : backend = tdb'
> > >
> > >
> > > >
> > > > *Different Groups to the same user*
> > > > root@*dc1*:~# wbinfo -r bacci
> > > > 30011
> > > > 30025
> > > > 30029
> > > > 30030
> > > > 30035
> > > > 30049
> > > > 30052
> > > > 3000000
> > > >
> > > >
> > > > root@*server-file*:~# wbinfo -r bacci
> > > > 30002
> > > > 30003
> > > > 30025
> > > > 30028
> > > > 30029
> > > > 30030
> > > > 30032
> > > > 30035
> > > > 30049
> > > > 30052
> > > > 30053
> > > >
> > > >
> > > > Regards,
> > > >
> > > > Márcio
> > > >
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
>
>
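Louis's three filtering options (Authenticated Users; Domain Users plus a custom group; Domain Computers or a computer group) and his remark that user settings are now fetched by the computer rather than by the user are the rules that decide whether a GPO lands on a workstation at all. The following is an added example of mine, not code from the thread or from Samba, that models those rules: a GPO applies to a principal only if the GPO's ACL grants it both Read and Apply Group Policy through its own identity, its groups or Authenticated Users, and for a user the workstation account must additionally be able to read any GPO with user settings. The user, group, computer and GPO names are constructed; the function returns the reasons a policy would be skipped so the three options can be compared side by side.

```python
"""Evaluate GPO security filtering the way Louis describes it (added example).

This is not code from the thread or from Samba. A GPO applies to a principal
only when the GPO's security descriptor grants that principal both 'Read' and
'Apply Group Policy', evaluated through its group memberships (every domain
user and computer account is also an Authenticated User). Since the 2016
Windows change Louis refers to, user policy is fetched in the computer
account's security context, so the workstation additionally needs 'Read' on
every GPO that carries user settings. Names, groups and GPOs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

READ = "Read"
APPLY = "Apply Group Policy"
AUTHENTICATED_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                       # "user" or "computer"
    groups: FrozenSet[str] = frozenset()

    def tokens(self) -> Set[str]:
        """Identities an ACL check matches: self, groups, Authenticated Users."""
        return {self.name, AUTHENTICATED_USERS, *self.groups}


@dataclass
class Gpo:
    name: str
    has_user_settings: bool
    has_computer_settings: bool
    acl: Dict[str, FrozenSet[str]]  # trustee -> rights granted

    def rights_for(self, p: Principal) -> Set[str]:
        rights: Set[str] = set()
        for trustee in p.tokens():
            rights |= self.acl.get(trustee, frozenset())
        return rights


def why_not_applied(gpo: Gpo, principal: Principal,
                    computer: Optional[Principal] = None) -> List[str]:
    """Reasons the GPO does not apply to principal; [] means it applies.

    For a user, pass the computer account the user logs on to: the user part
    of the policy is only fetched if that computer can read the GPO.
    """
    reasons: List[str] = []
    if principal.kind == "user" and not gpo.has_user_settings:
        reasons.append(f"{gpo.name!r} carries no user settings")
    if principal.kind == "computer" and not gpo.has_computer_settings:
        reasons.append(f"{gpo.name!r} carries no computer settings")
    rights = gpo.rights_for(principal)
    for needed in (READ, APPLY):
        if needed not in rights:
            reasons.append(f"{principal.name} lacks {needed!r} on {gpo.name!r}")
    if principal.kind == "user" and computer is not None \
            and READ not in gpo.rights_for(computer):
        reasons.append(f"{computer.name} lacks {READ!r} on {gpo.name!r}, "
                       "so the user settings are never fetched")
    return reasons


# Constructed principals.
ALICE = Principal("alice", "user", frozenset({"Domain Users", "GPO-Desktop-Lockdown"}))
BOB = Principal("bob", "user", frozenset({"Domain Users"}))
WS01 = Principal("WS01$", "computer", frozenset({"Domain Computers"}))

# Option 1: Authenticated Users get Read + Apply; covers users and computers.
GPO_AUTH = Gpo("Default Desktop", True, True,
               {AUTHENTICATED_USERS: frozenset({READ, APPLY})})
# Option 2 as commonly done: Domain Users may read, a custom group reads + applies.
GPO_FILTERED = Gpo("Desktop Lockdown", True, False,
                   {"Domain Users": frozenset({READ}),
                    "GPO-Desktop-Lockdown": frozenset({READ, APPLY})})
# Option 2 done right: the computers must be able to read the user policy too.
GPO_FILTERED_FIXED = Gpo("Desktop Lockdown", True, False,
                         {**GPO_FILTERED.acl, "Domain Computers": frozenset({READ})})
# Option 3: computer-only policy filtered to a computer group.
GPO_COMPUTERS = Gpo("Server Hardening", False, True,
                    {"Domain Computers": frozenset({READ, APPLY})})

if __name__ == "__main__":
    for gpo, who, on in ((GPO_AUTH, ALICE, WS01), (GPO_FILTERED, ALICE, WS01),
                         (GPO_FILTERED_FIXED, ALICE, WS01), (GPO_FILTERED_FIXED, BOB, WS01),
                         (GPO_COMPUTERS, WS01, None)):
        print(f"{gpo.name} -> {who.name}:", why_not_applied(gpo, who, on) or "applies")
```

The interesting case is GPO_FILTERED: alice has Read and Apply through her group, yet the policy is skipped because WS01$ cannot read it; adding Read for Domain Computers (GPO_FILTERED_FIXED) makes it apply to alice while bob, who only has Read via Domain Users, is still correctly excluded. That is the practical reason option 1 is the safe default and why Louis stresses giving Domain Computers a mapping.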