[Samba] Can't create/update Group Policy in Samba 4.6.5

L.P.H. van Belle belle at bazuin.nl
Tue Jul 4 13:25:48 UTC 2017

Hai, the steps are (basically) good, only this one can be better.
>To solve, I executed the following commands:
>chown 10060:30028 -R sysvol
>chmod 775 -R sysvol
If you use acl_xattr:ignore system acls = yes on the sysvol share, you must configure the share from within Windows. (* or use smbcacls, but I never used it.)
This is what i see: 
ls -al  sysvol
total 24
drwxrwx---+ 3 root root                   4096 Nov 17  2016 .
drwxrwxr-x+ 5 root BUILTIN\administrators 4096 Apr 21 13:22 ..
drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29  2016  internal.domain.tld

You notice the + behind the drwx..; to see that, use: getfacl /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: root
The numbers are explained a bit below (see security tab).
Take notice that "NTDOM\Domain Admins" is a member of BUILTIN\Administrators.
(The above is not the Samba default, but the same setup as on a Windows 2008R2 server.)
A good tip to restore the defaults with samba-tool without errors:
Move your domain folder out of the /var/lib/samba/sysvol folder:
mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere_else
Run samba-tool ntacl sysvolreset.
Since there is no domain folder and no policies folder, you don't get errors.
Test with samba-tool ntacl sysvolcheck; if you don't have errors, back up these settings:
getfacl -R /var/lib/samba/sysvol > sysvol.permissions.acl
(and a restore option: setfacl --restore=sysvol.permissions.acl)
Now move your domain folder back.
Next, log in with a user account that has domain admin rights (is a member of the group).
Go to the GPO editor and click on every GPO object. You will get some messages about incorrect rights, and if it wants to fix them, that's ok.
(Forgot the article, but you can find this one on MS support; minor thing, won't affect your GPOs.)
Open the computer manager, connect to the DC, go to the security tab.
Sysvol security rights should be:
DOMAIN\Server Operators (or BUILTIN\Server Operators)
Creator Owner
Authenticated Users
DOMAIN\Administrators (or BUILTIN\Administrators)

DOMAIN\Administrators contains: "Domain Admins", Administrator and "Enterprise Admins".
And "DOMAIN\Administrators" is in the Builtin OU. (could also be BUILTIN\Administrators)

And the same for "DOMAIN\Users" (could also be BUILTIN\Users); it contains: Authenticated Users, Domain Users, INTERACTIVE.
Ignore the DOMAIN\ and BUILTIN differences here; both are correct.
And if you did everything right, you should now be able to use the newAdmin and/or NTDOM\Administrator user to set up your GPO.
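Louis' advice above is to save the sysvol permissions with getfacl -R after a clean sysvolreset and keep that file as a baseline. As an added example (not from the thread), this compares such a baseline dump with a later one and reports the kind of drift Marcio's recursive chown/chmod causes: owner and group replaced by plain ids, and the extended ACL (the '+' in ls -l) gone. Both dumps are constructed samples in getfacl's output format; the 3000000 group id is an assumed winbind id.

```python
import re
# Constructed sample: baseline saved right after 'samba-tool ntacl sysvolreset'
BASELINE = """\
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
group::rwx
group:3000000:rwx
mask::rwx
"""
# Constructed sample: the same directory after 'chown 10060:30028 -R' and 'chmod 775 -R'
CURRENT = """\
# file: var/lib/samba/sysvol
# owner: 10060
# group: 30028
user::rwx
group::rwx
"""

def parse_getfacl(dump):
    """Map each '# file:' block of a getfacl dump to its owner, group and ACL entries."""
    parsed = {}
    for block in re.split(r"\n\s*\n", dump.strip()):
        meta, entries = {}, set()
        for line in block.splitlines():
            if line.startswith("# "):  # header lines: '# file:', '# owner:', '# group:', '# flags:'
                key, _, value = line[2:].partition(": ")
                meta[key] = value
            elif line.strip():  # ACL entry such as 'group:3000000:rwx'
                entries.add(line.strip())
        if "file" in meta:
            parsed[meta["file"]] = {"owner": meta["owner"], "group": meta["group"], "acl": frozenset(entries)}
    return parsed

def has_extended_acl(entries):  # a named user/group entry or a mask is what ls -l shows as '+'
    return any(re.match(r"(default:)?((user|group):[^:]+:|mask::)", e) for e in entries)

def acl_drift(baseline, current):
    """One finding per baseline path whose owner, group or '+' status differs in the current dump."""
    base, cur = parse_getfacl(baseline), parse_getfacl(current)
    findings = []
    for path, want in sorted(base.items()):
        got = cur.get(path, {"owner": None, "group": None, "acl": frozenset()})  # missing path: all differ
        for field in ("owner", "group"):
            if want[field] != got[field]:
                findings.append(f"{path}: {field} {want[field]} -> {got[field]}")
        if has_extended_acl(want["acl"]) and not has_extended_acl(got["acl"]):
            findings.append(f"{path}: extended ACL lost (no '+' any more)")
    return findings
```

Feed it the real files (the baseline from the backup step and a fresh getfacl -R of sysvol) to check a DC before touching GPOs; an empty list means the POSIX side still matches the reset state.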

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Tuesday 4 July 2017 14:00
To: L.P.H. van Belle
Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5

I have re-applied "acl_xattr:ignore system acls = yes", and followed all the guidelines, including those of the link: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 

When I removed the Unix attributes from the "Administrator" user, the permissions on the sysvol folder were broken.

To solve, I executed the following commands:

chown 10060:30028 -R sysvol
chmod 775 -R sysvol

(Where 10060 is my user and 30028 is Domain Admins group)

root at dc1:/usr/local/samba/var/locks# ls -l
total 1392
-rw-------  1 root  root  421888 Mai 15 21:57 account_policy.tdb
-rw-------  1 root  root  528384 Mai 15 21:57 registry.tdb
-rw-------  1 root  root  421888 Mai 15 21:57 share_info.tdb
drwxrwxr-x  3 10060 30028   4096 Jul  4 01:15 sysvol
-rw-------  1 root  root   32768 Jul  4 08:34 winbindd_cache.tdb
drwxr-s---  2 root  root    4096 Jul  4 01:17 winbindd_privileged

Then I ran a "net cache flush" command and restarted the Samba 4 service.

Now I can create and edit the GPOs normally.

Are the above procedures correct? Is there any problem?


Márcio Bacci

2017-07-03 4:29 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

In response to why I recommend that.

Since this is a "Windows" only share, I recommend setting it up for that usage, which results in better matching of Windows rights.
Resulting in better working policies.
The current POSIX rights did not match my needs and resulted in inconsistent policies.
This is why I use these for profiles and sysvol.

And this is my setup order:

Set up the sysvol share with: acl_xattr:ignore system acls = yes

Set up SeDiskOperatorPrivilege. For sysvol, set up 2 (!) groups:
net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
  And use the default Windows group for extra users: "Group Policy Creator Owners"

Set up share rights (you must re-apply them if you use "ignore system acls").

Set up security rights, but since you're using "ignore system acls", the default sysvol rights are now ok.
But check if Creator Group is also on the security rights.

Check from within the GPO management tools; you will get some messages about rights to fix, do that.
And don't run samba-tool sysvolreset; if you do, then you will have to repeat the above again.

Now your GPO should work as normal.

Try it out and report your result.



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Sunday 2 July 2017 20:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
> On 2017-07-02 at 17:26, Rowland Penny via samba wrote:
> >> [sysvol]
> >>   path = /usr/local/samba/var/locks/sysvol
> >>   read only = No
> >>   acl_xattr:ignore system acls = yes
> >
> > You should remove the above line, it isn't required.
> Louis recommended that one to me a few weeks ago.
> Could you explain?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
