[Samba] Can't create/update Group Policy in Samba 4.6.5

Rowland Penny rpenny at samba.org
Mon Jul 3 06:50:19 UTC 2017


On Sun, 2 Jul 2017 18:52:36 -0300
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:

> Hi Rowland
> 
> Now, I set up my PATH
> adding /usr/local/samba/bin:/usr/local/samba/sbin:
> 
> echo $PATH
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin
> 

Wrong way round, it should START with: 
/usr/local/samba/bin:/usr/local/samba/sbin

> 
>  ls -l /usr/local/samba/var/locks/
> > total 1384
> > -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> > -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> > -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> > drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> > -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> > drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged
> 
> 1) Who is '30056' ? 30056 is the Administrator user.
> 2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix
> Attribute to Administrator and "Domain Admins", "Domain Controllers"
> and other groups.

You should remove them, you have, in my opinion, borked your AD.
The only groups you should give a gidNumber to are 'Domain Users' &
'Domain Admins'
 
> 3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ? No.
> Is it necessary?

Yes

> 
> Now, I excluded "acl_xattr:ignore system acls = yes" line in the
> "/usr/local/samba/etc/smb.conf"

I do not use this line, but, after doing what I tell
people to do and reading the manpage for 'vfs_acl_xattr' (a case of not
practising what I preach), I now think that a) it doesn't have anything
to do with your problem and b) It is probably a good idea to have it. So
you can put it back, sorry ;-)

> 
> I have executed "chown root:root -R /usr/local/samba/var/locks"
> command, and now I can create and update GPOs, but I don't know if it is
> correct? What is the better way to correct file permissions on
> sysvol?
> 
> The "samba-tool ntacl sysvolreset" command continues to display errors:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined
> error') File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
> service=SYSVOL_SERVICE)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
> 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> 

The best is to not use sysvolreset or sysvolcheck and do everything
from windows.

> I have created Wsus GPO and I typed "gpupdate /force" in prompt of the
> Windows Stations an error appears.
> 
> "Group Policy was not processed. Windows can not apply the
> registry-based policy settings to the Group Policy object
> LDAP://CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9},
> CN=policies, CN=System,DC=empresa,DC=com,DC=br. The Group Policy
> settings will not be resolved until this event is resolved."
> 
> How could I solve this problem?
> 

By doing what I have suggested above.


Rowland 
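
The PATH ordering advice in the reply above matters because the shell runs the first match it finds along PATH, so a `samba-tool` sitting in an earlier directory would win over the one in `/usr/local/samba/bin`. The shell functions below are an added example, not part of the original message or of Samba; the function names and the prefix argument are assumptions made for illustration.

```shell
# Print the first directory in PATH-style string $2 that holds an
# executable named $1; exit status 1 if no directory does.
first_hit() (
    cmd=$1
    IFS=:
    set -f                          # no globbing while splitting on ':'
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir"
            exit 0
        fi
    done
    exit 1
)

# Succeed only when command $1, looked up along PATH string $2, resolves
# to a copy under prefix $3 (for the thread: /usr/local/samba).
# Status 2: not found anywhere; status 1: found, but outside the prefix.
resolves_under() (
    hit=$(first_hit "$1" "$2") || exit 2
    case "$hit" in
        "$3"/*) exit 0 ;;
        *) printf '%s resolves to %s/%s, outside %s\n' "$1" "$hit" "$1" "$3" >&2
           exit 1 ;;
    esac
)

# Rebuild PATH string $1 so that $2/bin and $2/sbin come first, which is
# the ordering the reply asks for. Later copies of those two entries and
# empty entries (current directory) are dropped.
samba_first() (
    out="$2/bin:$2/sbin"
    IFS=:
    set -f
    for dir in $1; do
        case "$dir" in
            "$2/bin"|"$2/sbin"|"") ;;
            *) out="$out:$dir" ;;
        esac
    done
    printf '%s\n' "$out"
)

# Usage (not run here):
#   resolves_under samba-tool "$PATH" /usr/local/samba ||
#       { PATH=$(samba_first "$PATH" /usr/local/samba); export PATH; }
```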


