[Samba] Can't create/update Group Policy in Samba 4.6.5
Marcio Demetrio Bacci
marciobacci at gmail.com
Sun Jul 2 14:30:32 UTC 2017
Hi,
I'm using Samba 4.6.5 and I have installed it as follows:
wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
tar -xzvf samba-4.6.5.tar.gz
cd samba-4.6.5
./configure --enable-debug --enable-selftest
make
make install
It seems that it is working properly; however, I can't create or update GPOs
with the Windows Group Policy Management tool.
When I try, a "Denied Access" message appears.
I'm using a user that is a member of "Domain Admins", "Domain Computers",
"Domain Controllers", "Group Policy Creators Owners" and "Domain Users".
When I run the "samba-tool ntacl sysvolreset" command, the following
errors appear:
root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
I have verified that permissions on my files in
"/usr/local/samba/var/locks/" are like this:
ls -l /usr/local/samba/var/locks/
total 1384
-rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
-rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
-rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
drwxr-sr-x 3 root 30056 4096 Jul 1 19:40 sysvol
-rw------- 1 root staff 32768 Jul 1 19:45 winbindd_cache.tdb
drwxr-s--- 2 root staff 4096 Jul 1 19:45 winbindd_privileged
Following are my fstab and smb.conf files:
/etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/disk2--vg-root / ext4 errors=remount-ro 0 1
UUID=400ad8c2-9c4c-4a08-883b-3aaddcb24850 /boot ext2 defaults 0 2
/dev/mapper/disk2--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
######################################################################
/usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = EMPRESA
realm = EMPREA.COM.BR
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.0.5
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
[netlogon]
path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes
##################################################
Some tests with attr:
root@dc1:~# touch testando.txt
root@dc1:~# setfattr -n user.test -v test testando.txt
root@dc1:~# setfattr -n security.test -v test2 testando.txt
root@dc1:~# getfattr -d testando.txt
# file: testando.txt
user.test="test"
root@dc1:~# getfattr -n security.test -d testando.txt
# file: testando.txt
security.test="test2"
Does anybody have an idea how to solve this problem?
Regards,
Márcio Bacci