[Samba] Can't create/update Group Policy in Samba 4.6.5

Marcio Demetrio Bacci marciobacci at gmail.com
Sun Jul 2 14:30:32 UTC 2017


Hi,

I'm using Samba 4.6.5, and I installed it as follows:

wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz

tar -xzvf samba-4.6.5.tar.gz

cd samba-4.6.5

./configure --enable-debug --enable-selftest

make

make install

It seems to be working properly; however, I can't create or update GPOs
with the Windows Group Policy Management tool.

When I try, a "Denied Access" message appears.

I'm using a user that is a member of "Domain Admins", "Domain Computers",
"Domain Controllers", "Group Policy Creators Owners" and "Domain Users".

When I run the "samba-tool ntacl sysvolreset" command, the following
errors appear:

root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


I have verified that permissions on my files in
"/usr/local/samba/var/locks/" are like this:

ls -l /usr/local/samba/var/locks/
total 1384
-rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
-rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
-rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
-rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged

The following are my fstab and smb.conf files:

/etc/fstab
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/disk2--vg-root /           ext4    errors=remount-ro 0       1
UUID=400ad8c2-9c4c-4a08-883b-3aaddcb24850 /boot           ext2    defaults        0       2
/dev/mapper/disk2--vg-swap_1 none      swap    sw              0       0
/dev/sr0     /media/cdrom0   udf,iso9660 user,noauto     0       0
######################################################################

/usr/local/samba/etc/smb.conf

# Global parameters
[global]
 workgroup = EMPRESA
 realm = EMPREA.COM.BR
 netbios name = DC1
 server role = active directory domain controller
 dns forwarder = 192.168.0.5
 idmap_ldb:use rfc2307 = yes
 ldap server require strong auth = no

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
##################################################

Some tests with attr:

root@dc1:~# touch testando.txt
root@dc1:~# setfattr -n user.test -v test testando.txt
root@dc1:~# setfattr -n security.test -v test2 testando.txt

root@dc1:~# getfattr -d testando.txt
# file: testando.txt
user.test="test"

root@dc1:~# getfattr -n security.test -d testando.txt
# file: testando.txt
security.test="test2"

Does anybody have an idea how to solve this problem?


Regards,

Márcio Bacci

