[Samba] Problems with GPO

L.P.H. van Belle belle at bazuin.nl
Mon Nov 7 08:41:33 UTC 2016


Looking at your config setup, I noticed a few things.

DC1.

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25   (=dc1)
nameserver 192.168.200.10

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4   (dc=2)
nameserver 192.168.200.10

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

I suggest you change your DC resolv.conf setup first, to the following.

DC1.

nameserver 192.168.200.4
nameserver 192.168.200.25

DC2

nameserver 192.168.200.25
nameserver 192.168.200.4

Fileserver

nameserver 192.168.200.4
nameserver 192.168.200.25

And to make sure, run this script to check for database replication errors.

http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh

This compares the Samba AD DC databases (up to 10 DCs).

There is no need to configure anything in the script.

And based on your config below, I'm guessing your AD DC servers are running backend RID and the file server backend AD.

A mixed setup is, as far as I know, not supported.

Please reread:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Setting_up_the_AD_DNS_back_end

Start at the second blue part after "Provisioning a Samba Active Directory":

.....

However, enabling them in an existing domain requires manually extending the AD schema. For further details about Unix attributes in AD, see:
*	Setting up RFC2307 in AD
*	idmap config = ad

Greetz,

Louis
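An added check (example code by the editor, not from the thread or the Samba project) that runs the advice above against the posted configs: it flags a non-DC nameserver and a DC listing itself first in resolv.conf, and verifies the member's idmap split ('*' on tdb, EMPRESA on ad, ranges not overlapping). The DC addresses and idmap lines are the ones posted in the thread; the non-overlap rule is assumed from the standard Samba idmap requirement.

```python
import re

DC_IPS = {"192.168.200.25", "192.168.200.4"}  # dc1 and dc2 from the thread

# Constructed samples: DC1's posted resolv.conf, the suggested one, and the member's idmap lines.
DC1_POSTED = "domain empresa.com.br\nnameserver 192.168.200.25\nnameserver 192.168.200.10\n"
DC1_FIXED = "domain empresa.com.br\nnameserver 192.168.200.4\nnameserver 192.168.200.25\n"
MEMBER_SMB = """idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
"""

def nameservers(text):
    """Nameserver addresses of a resolv.conf, in order."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]

def check_resolv(text, dc_ips, self_ip=None):
    """Lint one host's resolv.conf; self_ip is this DC's own address (None for a member)."""
    servers, findings = nameservers(text), []
    for ip in servers:
        if ip not in dc_ips:  # e.g. 192.168.200.10 belongs in smb.conf 'dns forwarder'
            findings.append(f"{ip} is not an AD DC; use smb.conf 'dns forwarder' for it")
    if self_ip and servers and servers[0] == self_ip and len(dc_ips) > 1:
        findings.append("first nameserver is this DC itself; list the other DC first")
    if len(set(servers) & dc_ips) < min(2, len(dc_ips)):
        findings.append("fewer than two AD DCs listed; no DNS fallback")
    return findings

def parse_idmap(text):
    """'idmap config DOM:key = value' lines -> {DOM: {key: value}}."""
    cfg = {}
    for m in re.finditer(r"idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", text):
        cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def check_member_idmap(text, domain):
    """Member rule from the thread: '*' on tdb, the domain on ad, ranges disjoint (assumed)."""
    cfg, findings = parse_idmap(text), []
    if cfg.get("*", {}).get("backend") != "tdb":
        findings.append("idmap config *:backend should be tdb")
    if cfg.get(domain, {}).get("backend") != "ad":
        findings.append(f"idmap config {domain}:backend should be ad")
    try:
        lo1, hi1 = map(int, cfg["*"]["range"].split("-"))
        lo2, hi2 = map(int, cfg[domain]["range"].split("-"))
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append("'*' range overlaps the domain range")
    except (KeyError, ValueError):
        findings.append("both '*' and domain ranges must be set as LOW-HIGH")
    return findings
```

Running check_resolv(DC1_POSTED, DC_IPS, "192.168.200.25") reports three findings; the suggested DC1_FIXED and the posted MEMBER_SMB report none.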

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Saturday 5 November 2016 4:55
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Problems with GPO

Hi,

Here are my configuration files (DC1, DC2 and FILE-SERVER)

DC1

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup:  nis


/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost.localadmin    localhost
192.168.200.25  dc1.empresa.com.br      dc1       

/opt/samba/etc/smb.conf
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.200.10
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /opt/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes

##################################################

DC2

/etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.4
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost.localadmin    localhost
192.168.200.4   dc2.empresa.com.br  dc2   


/opt/samba/etc/smb.conf
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.200.10
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /opt/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
######################################################

FILE-SERVER (DOMAIN MEMBER)

/etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts: files dns
networks: files
protocols:  db files
services:   db files
ethers: db files
rpc: db files
netgroup: nis

/etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.200.25
nameserver 192.168.200.10

/etc/hosts
127.0.0.1       localhost
192.168.200.3   file-server.empresa.com.br  file-server 
192.168.200.25  dc1.empresa.com.br  dc1
192.168.200.4   dc2.empresa.com.br  dc2    


/etc/samba/smb.conf (only a piece)
...
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
...

I copied idmap.ldb from DC1 to DC2; now uidNumber and gidNumber are the same. But on the file server they are still different from the DC.

I would like to remove objects without references in my domain (e.g. SID S-1-22-33-55 "unknown"). Is it possible?



The GPO list still has problems:
root at DC1:/opt/samba/private# samba-tool gpo list ferreira
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 349, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 117, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

On DC1 there are 2 folders in Sysvol\empresa.com.br: Policies and Scripts. But on DC2 the Policies folder isn't there. Is this normal?

I'm using the INTERNAL Samba DNS. Following are my DNS tests:

root at dc1:~# host -t SRV _ldap._tcp.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc1.empresa.com.br.
_ldap._tcp.empresa.com.br has SRV record 0 100 389 dc2.empresa.com.br.

root at dc1:~# host -t SRV _kerberos._udp.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc1.empresa.com.br.
_kerberos._udp.empresa.com.br has SRV record 0 100 88 dc2.empresa.com.br.

root at dc1:~# host -t A dc1.empresa.com.br.
dc1.empresa.com.br has address 192.168.200.25
root at dc1:~# host -t A dc2.empresa.com.br.
dc2.empresa.com.br has address 192.168.200.4


Here is the result of the command "samba-tool dns zonelist dc1.empresa.com.br --primary -U administrator"

 3 zone(s) found

  pszZoneName : 200.168.192.in-addr.arpa
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.empresa.com.br

  pszZoneName : empresa.com.br
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.empresa.com.br

  pszZoneName : _msdcs.empresa.com.br
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : ForestDnsZones.empresa.com.br


samba-tool dns zoneinfo dc1.empresa.com.br empresa.com.br -U administrator

  pszZoneName               : empresa.com.br
  dwZoneType                : DNS_ZONE_TYPE_PRIMARY
  fReverse                  : FALSE
  fAllowUpdate              : DNS_ZONE_UPDATE_SECURE
  fPaused                   : FALSE
  fShutdown                 : FALSE
  fAutoCreated              : FALSE
  fUseDatabase              : TRUE
  pszDataFile               : None
  aipMasters                : []
  fSecureSecondaries        : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel              : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries            : []
  aipNotify                 : []
  fUseWins                  : FALSE
  fUseNbstat                : FALSE
  fAging                    : FALSE
  dwNoRefreshInterval       : 168
  dwRefreshInterval         : 168
  dwAvailForScavengeTime    : 0
  aipScavengeServers        : []
  dwRpcStructureVersion     : 0x2
  dwForwarderTimeout        : 0
  fForwarderSlave           : 0
  aipLocalMasters           : []
  dwDpFlags                 : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                 : DomainDnsZones.empresa.com.br
  pwszZoneDn                : DC=empresa.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=empresa,DC=com,DC=br
  dwLastSuccessfulSoaCheck  : 0
  dwLastSuccessfulXfr       : 0
  fQueuedForBackgroundLoad  : FALSE
  fBackgroundLoadInProgress : FALSE
  fReadOnlyZone             : FALSE
  dwLastXfrAttempt          : 0
  dwLastXfrResult           : 0

PS: Now, on some users/computers, my GPO is working. I'm testing only on Windows 7 Professional workstations.

Regards,

Márcio


2016-11-04 7:10 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:

Just make it a bit easier for yourself.

Set up sysvol like this.

[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Restart Samba, and set the SHARE RIGHTS and file/folder rights again.
Or at least check them; the defaults should be ok.

When that's done,
go here:
http://trekker.net/archives/group-policy-downloads/
and get the ADMX templates you need.

Win 10 build 1607 is not on that site; found here:
https://www.microsoft.com/en-us/download/details.aspx?id=53430

And for others, install this in Win 7 and copy the templates to the sysvol.
(located somewhere in Program Files)

Extra usable templates here:
http://winintro.com/

Now, when that's done, and this is more for you:

Does the user bacci need Domain Admin?
Like, is it your replacement for user Administrator? Then that's ok.
If it's a normal user which needs to do GPO stuff, then I suggest adding this user to "Group Policy Creator Owners" and don't abuse the Domain Admins group.

So this is the basic stuff for a GPO setup.


Now, about the error:
ERROR(runtime): uncaught exception  ...
You can ignore it IF you use the parameter: acl_xattr:ignore system acls = yes
Or, move all folders out of sysvol, do the sysvol reset, and place the folders back; that can help.

I do advise setting up GIDs for "Domain -" Users/Admins/Guests and, most important, "Domain Computers" .. now we are getting to your problem.

Due to all the MS changes, how policies are applied has changed.

The user settings are not applied by the user anymore, but by the computer.
This is key to remember.

So for every policy you set you need one of these groups.

1) Authenticated Users (users and computer accounts) (preferred)
2) Domain Users + any group; this is a group for applying the GPO.
3) Domain Computers / any computer group

In option 1, nothing special is needed.
In option 2, you must set read GPO policies for Domain Users, and read+apply for the custom group.
In option 3, same as option 2, but this is only for a computer policy.

If you have a problem like GPO applies from one server but not the other DC:
Run: net cache flush
Stop Samba on both DCs and copy the idmap.tdb from DC1 to DC2.


About your setup and config, looks all fine to me, except:
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e

Please post your resolv.conf, /etc/hosts, /etc/nsswitch.conf.
And are you using bind_DLZ or the internal Samba DNS?

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio
> Bacci via samba
> Sent: Friday 4 November 2016 4:33
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Problems with GPO
>
> Hi,
>
> The bacci user is a Domain Admin, because group 30049 is a member of Domain
> Admins. I use this user to create GPOs.
>
> Following are my configuration files:
>
> *FILE-SERVER - SMB.CONF*
> [global]
>   netbios name = file-server
>   workgroup = EMPRESA
>   security = ads
>   realm = EMPRESA.COM.BR
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   preferred master = no
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config EMPRESA:backend = ad
>   idmap config EMPRESA:schema_mode = rfc2307
>   idmap config EMPRESA:range = 10000-9999999
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
>   username map = /etc/samba/user.map
>
>
> *DC1 - SMB.CONF*
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = DC1
>     server role = active directory domain controller
>     dns forwarder = 192.168.200.10
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
>
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
>
>
> *DC2 - SMB.CONF*
> [global]
>     workgroup = EMPRESA
>     realm = EMPRESA.COM.BR
>     netbios name = dc2
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
>     read only = No
>
> [sysvol]
>     path = /opt/samba/var/locks/sysvol
>     read only = No
>
>
> I'm using the "samba-tool drs showrepl" command on DC2 and the result is
> SUCCESS.
>
> Do I need to remove the Unix attributes of all builtin users
> (Administrators, Account Operators, Users, Guest, ...)? Do the Domain Users,
> Domain Admins and Domain Computers groups also need their Unix
> attributes removed?
>
> Do I just select the "None" option in the Unix Attributes tab (in
> RSAT) to remove them?
>
> Must the accounts of the domain computers (joined to the domain) have the
> Unix attributes?
>
> Is there a way to remove null objects in Samba 4?
>
> *Others Tests*
>
> Result of "*testparm*" command:
>
> Load smb config files from /opt/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Result of "*samba-tool gpo list bacci at empresa.com.br*"
>
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 349, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
>
> Result of *samba-tool gpo listall*
>
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain',
> RuntimeError('NT_STATUS_NETWORK_UNREACHABLE',))
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 311, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/opt/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line
> 117, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e
>
>
> Regards,
>
> Márcio
>
> 2016-11-03 20:10 GMT-02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> >
> > See inline comments:
> >
> > On Thu, 3 Nov 2016 19:17:58 -0200
> > Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> >
> > > Hi Rowland
> > >
> > > Following the results to:
> > >
> > > *USER:*
> > > wbinfo --uid-info=10060:
> > > bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
> > >
> >
> > It looks like 'bacci' is a normal user and the owner of the
> > Policies GUID dir should be 'Domain Admins'
> >
> > > *GROUP:*
> > > wbinfo --gid-info=30028: Domain Admins
> >
> > This is where one of the problems starts, bit of a catch-22 problem: you
> > need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
> > you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can
> > own dirs & files in sysvol.
> >
> > >
> > > wbinfo --gid-info=30032: Domain Users
> > >
> > > wbinfo --gid-info=30033: Enterprise Admins
> > >
> > >
> > > "I don't see user:3000003"
> > >
> > > root at dc1:~# wbinfo -G 3000003
> > > S-1-5-11
> > >
> > > root at dc1:~# wbinfo -s S-1-5-11
> > > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > > Could not lookup sid S-1-5-11
> > >
> >
> > You will need to look inside idmap.ldb to find this.
> >
> > > I have in my network two DC (Samba 4) and one member File Server
> > > (Samba 4). When I execute wbinfo -r <user>, I have different results:
> > >
> > > root at dc1:~# wbinfo -G 3000000
> > > S-1-5-32-544
> > >
> > > root at dc1o:~# wbinfo -G 30002
> > > S-1-5-32-544
> > >
> > > root at dc1:~# wbinfo -s S-1-5-32-544
> > > BUILTIN\Administrators 4
> > >
> > > The SID for Administrators is 3000000 on the DC. On the file server the same
> > > group is 30002.
> >
> > Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
> > samba do this on the DC and set up smb.conf correctly on the domain
> > member. You do this by using 'idmap config * : backend = tdb'
> >
> >
> > >
> > > *Different Groups to the same user*
> > > root@*dc1*:~# wbinfo -r bacci
> > > 30011
> > > 30025
> > > 30029
> > > 30030
> > > 30035
> > > 30049
> > > 30052
> > > 3000000
> > >
> > >
> > > root@*server-file*:~# wbinfo -r bacci
> > > 30002
> > > 30003
> > > 30025
> > > 30028
> > > 30029
> > > 30030
> > > 30032
> > > 30035
> > > 30049
> > > 30052
> > > 30053
> > >
> > >
> > > Regards,
> > >
> > > Márcio
> > >
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >