[Samba] Can't create/update Group Policy in Samba 4.6.5

Marcio Demetrio Bacci marciobacci at gmail.com
Thu Jul 6 05:18:40 UTC 2017


* Sorry, it is not "chmod mike:'EMPRESA\unix_admins' test".  I meant to say
"chown mike:'EMPRESA\unix_admins' test"

I'm tired!

2017-07-06 2:14 GMT-03:00 Marcio Demetrio Bacci <marciobacci at gmail.com>:

> Hi,
>
> My DC doesn't know domain users and groups by name, only by uid/gid.
>
> Ex: chmod mike:'EMPRESA\unix_admins' test
> chown: invalid group mike:EMPRESA\\unix_admins
>
> If run with the GID it works properly:
> chmod mike:30059 test
> drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test
>
> There is unix_admins group
> wbinfo --gid-info 30059
> EMPRESA\unix_admins:x:30059:
>
> On the File Server Domain Member the "chown" command with user and group
> names is OK:
> chmod mike:'EMPRESA\unix_admins' test
> drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test
>
> I have performed the following steps:
>
> 1) cd /usr/local/samba/var/locks/sysvol
> 2) mv empresa.com.br /root
> 3) mkdir empresa.com.br
> 4) samba-tool ntacl sysvolreset
> 5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
> 6) rmdir empresa.com.br
> 7) mv /root/empresa.com.br .
> 8) setfacl --restore=sysvol.permissions.acl
> 9) samba-tool ntacl sysvolcheck
>
> 10) I went to the GPO editor and fixed the incorrect rights.
>
> 11) I opened Computer Management, connected to the DC, and went to the
> security tab.
> I have set up Sysvol security rights:
> DOMAIN\Server Operators
> Creator Owner
> Authenticated Users
> SYSTEM
> DOMAIN\Administrators
>
> Note 1: I have also changed the sysvol folder owner to "unix_admins" via the
> MS Windows properties but, when I checked in the DC terminal, it didn't change
> (it continued to be the same user and group).
>
> Note 2: I have already removed the "Unix Attributes" of
> BUILTIN\Administrators, Group Policy Creator Owners and others with the Windows
> RSAT Tools - Active Directory Users and Computers (changed Domain NIS to
> None), but the UID/GID remain.
>
> For example: the GID 3000275 is still that of BUILTIN\Administrators.
>
> Other notes:
>
> output of "samba-tool ntacl sysvolreset" command:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
> service=SYSVOL_SERVICE)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
> line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP
> | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
>
> The command above (despite the errors) reset the owner and group to root and
> 3000275 (BUILTIN\Administrators) respectively.
> ls -l
> drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br
>
>
> output of "samba-tool ntacl sysvolcheck" command:
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
> file or directory')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 270, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1714, in checksysvolacl
>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
> service=SYSVOL_SERVICE)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
> line 81, in getntacl
>     xattr.XATTR_NTACL_NAME)
>
> I'm already able to create and edit my GPOs, but I have many doubts:
>
> 1) Is there another way to remove the UID/GID from the users and groups?
>
> 2) Why does the GID number of BUILTIN\Administrators and of other users and
> groups still remain?
>
> 3) Is it normal that the DC does not identify users and groups by name, but
> only by UID/GID number?
>
> 4) What are the problems with "samba-tool ntacl sysvolreset" and
> "samba-tool ntacl sysvolcheck" ?
>
> 5) When I change the users and groups of the sysvol folder from MS Windows,
> should that not be reflected in the DC terminal?
>
> I would really like to solve these problems!
>
> Regards,
>
> Márcio Bacci
>
> 2017-07-05 3:07 GMT-03:00 L.P.H. van Belle via samba <
> samba at lists.samba.org>:
>
>> Sorry, my error, you need an "empty domain" directory in sysvol then
>> reset.
>> Then copy the rights, re-apply them .. Etc.
>>
>>
>> And good point Rowland.
>> Greetz,
>>
>> Louis
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > Rowland Penny via samba
>> > Sent: Tuesday 4 July 2017 21:51
>> > To: samba at lists.samba.org
>> > Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>> >
>> > On Tue, 4 Jul 2017 16:04:20 -0300
>> > Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
>> >
>> > > Hi Louis
>> > >
>> > >
>> > > I have moved the "empresa.com.br" folder to /root. After that I ran
>> > samba-tool
>> > > ntacl sysvolreset, but some errors appeared:
>> >
>> > Please put it back.
>> >
>> > Also which DC is this on, your first DC or the second one ?
>> > and if it is the second one, have you followed the wiki page
>> > I pointed you to, on your other post ?
>> >
>> > Or to put it another way, do both of your DCs sysvol directories (and
>> > sub-directories) match and have you synced idmap.ldb from the
>> > first DC to the second DC.
>> >
>> > I know what Louis told you to do, but you should only give
>> > 'Domain Users' a gidNumber attribute, you can also give
>> > 'Domain Admins' a gidNumber, but I personally think it is
>> > better to create a group called 'Unix Admins', make this
>> > group a member of 'Domain Admins' and then give this new
>> > group a gidNumber. Now use this group when setting
>> > permissions from Windows. My reasoning behind this: 'Domain Admins'
>> > needs to own policies in sysvol, it cannot do this if it has
>> > a gidNumber attribute.
>> > Do not give any other user or group from the well known sids
>> > a uidNumber or gidNumber, see here for the well known sids:
>> >
>> > https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
>> >
>> > Rowland
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>>
>>
>>
>
>
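The rule Rowland gives above (a gidNumber only on 'Domain Users', optionally on 'Domain Admins', and never a uidNumber or gidNumber on BUILTIN groups or other well-known SIDs) is easy to check before touching sysvol ACLs again. The script below is an added example, not code from this thread or from the Samba project. It parses LDIF of the kind `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid uidNumber gidNumber` would print (that command and the sam.ldb path are assumptions, chosen to match the /usr/local/samba prefix used in the thread) and reports every Unix id assigned to a well-known principal. The sample LDIF embedded in it is constructed, with a placeholder domain SID. Note that the 3000275 seen in the thread for BUILTIN\Administrators is an id allocated by the DC's idmap.ldb, not an AD gidNumber attribute, so an audit of AD attributes like this one will not report it; that is expected.

```python
"""Audit uidNumber/gidNumber on well-known AD principals (added example).

Not code from the mailing-list thread or from Samba. Applies the rule from the
thread: only 'Domain Users' (RID 513) should carry a gidNumber, 'Domain Admins'
(RID 512) may but is discouraged, and BUILTIN groups or any other well-known
SID (RID below 1000) must carry neither uidNumber nor gidNumber.
"""
import base64

# Constructed sample LDIF mirroring the groups named in the thread. The domain
# SID S-1-5-21-1111111111-2222222222-3333333333 is a placeholder, not a real one.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10001

dn: CN=Administrators,CN=Builtin,DC=empresa,DC=com,DC=br
sAMAccountName: Administrators
objectSid: S-1-5-32-544
gidNumber: 3000275

dn: CN=unix_admins,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: unix_admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 30059

dn: CN=Group Policy Creator Owners,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: Group Policy Creator Owners
objectSid: S-1-5-21-1111111111-2222222222-3333333333-520
gidNumber: 3000276
"""

WELL_KNOWN_RID_LIMIT = 1000   # RIDs below this are reserved for well-known principals
DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512
BUILTIN_PREFIX = "S-1-5-32-"


def parse_ldif(text):
    """Parse LDIF into a list of entries: dict of lower-cased attribute -> values.

    Handles folded lines (continuation lines start with a space), comments and
    base64 values written as ``attr:: <b64>``.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Return one finding per uidNumber/gidNumber that violates the rule."""
    findings = []
    for entry in entries:
        sid = entry.get("objectsid", [""])[0]
        name = entry.get("samaccountname", ["?"])[0]
        if not sid.startswith("S-1-5-"):
            continue                        # no SID: not a security principal
        rid = int(sid.rsplit("-", 1)[1])
        builtin = sid.startswith(BUILTIN_PREFIX)
        for attribute in ("uidnumber", "gidnumber"):
            if attribute not in entry:
                continue
            if builtin:
                severity = "must-remove"    # BUILTIN groups never get a Unix id
            elif rid >= WELL_KNOWN_RID_LIMIT:
                continue                    # user-created principal: allowed
            elif rid == DOMAIN_USERS_RID and attribute == "gidnumber":
                continue                    # the one well-known group that should have one
            elif rid == DOMAIN_ADMINS_RID and attribute == "gidnumber":
                severity = "discouraged"    # works, but then it cannot own sysvol policies
            else:
                severity = "must-remove"
            findings.append({"name": name, "sid": sid, "attribute": attribute,
                             "value": entry[attribute][0], "severity": severity})
    return findings


def audit_ldif(text):
    """Convenience wrapper: parse LDIF text and audit it in one call."""
    return audit(parse_ldif(text))


if __name__ == "__main__":
    for f in audit_ldif(SAMPLE_LDIF):
        print(f"{f['severity']:<12} {f['name']:<30} {f['sid']:<48} {f['attribute']}={f['value']}")
```

Run against the constructed sample it flags BUILTIN\Administrators and Group Policy Creator Owners as must-remove and Domain Admins as discouraged, while Domain Users and the user-created unix_admins group pass. Against a real DC, pipe the ldbsearch output into `audit_ldif` and clear the flagged attributes through ADUC or ldbmodify before re-running `samba-tool ntacl sysvolreset`.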

