[Samba] Can't create/update Group Policy in Samba 4.6.5

L.P.H. van Belle belle at bazuin.nl
Thu Jul 6 06:46:38 UTC 2017


Hi Marcio, 

Now, this looks good. 
Normally I switch steps 10 and 11. 

After you remove the uid/gid, run: net cache flush
 
> I'm already able to create and edit my GPOs, but I have many doubts:
Remove your doubts, set up some GPOs and test. You will see everything works.  
> 1) Is there another way to remove UID / GID from the users and groups ?
net cache flush
> 2) Why does the GID number of BUILTIN\Administrators and other users and groups still remain ?
IDs are still in idmap and these are default groups in the AD. 
 
> 
> 3) Is it normal that the DC does not identify users and groups by name, but only by UID / GID number ?
I don't understand this question exactly, but try to forget chmod/chown; getfacl and setfacl are what you need. 
> 
> 4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck" ?
A few small bugs, but you can safely ignore this. The solution here is simple: don't run samba-tool ntacl sysvolreset and samba-tool ntacl sysvolcheck
after you have set up the rights from within Windows.
> 
> 5) When I change the users and groups of the sysvol folder via MS Windows, should it not be reflected in the DC terminal?

Hm, I don't understand this question. 
 
 
>The command above (despite the mistakes) reset owner and group to root and 3000275 (BUILTIN\Administrators) respectively.
>ls -l
>drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br
 
Now, this isn't right; you changed it with chown, not setfacl. 

Look, this is my line:
drwxrwx---+ 5 root BUILTIN\administrators 4096 Feb 29  2016 xxxxxxx.bazuin.nl

and getfacl /home/samba/sysvol/

getfacl: Removing leading '/' from absolute path names
# file: home/samba/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I suggest, to make sure, redoing your 3 steps outlined below, in this order: 8, 11, 10.

Then when that's done, don't touch the sysvol folders from the console. 

But you're getting there, it's always hard in the beginning..  ;-) 
 
 
Greetz, 
 
Louis
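The listing above shows the symptom Louis and Marcio are discussing: getfacl prints bare numbers such as 3000000 wherever the DC cannot map an id back to a name, and escapes backslashes and spaces in qualifiers as octal (\134, \040). The script below is an added example, not code from the Samba project or from anyone in this thread. It parses the getfacl text format, undoes the octal escapes, and reports every owner, group or ACL entry whose principal is numeric, so a `getfacl -R` dump of sysvol can be checked for unresolved ids before and after running `net cache flush`. The sample input is constructed from the listing posted above.

```python
"""Audit a getfacl(1) dump of sysvol for principals that are only numeric ids.

Added example; not Samba project code. getfacl writes, per object, a
'# file:' / '# owner:' / '# group:' header followed by entries of the form
    [default:]tag:qualifier:perms
and escapes backslash and space inside qualifiers as octal (\\134, \\040).
Every owner, group or named ACL qualifier that is a bare number is reported,
because that is what the DC shows when it cannot map an id to a name.
"""
import re
import sys

# Sample input, constructed from the sysvol listing posted in the thread.
SAMPLE = r"""getfacl: Removing leading '/' from absolute path names
# file: home/samba/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
mask::rwx
other::---
default:user::rwx
default:group:BUILTIN\134administrators:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(qualifier):
    """Replace getfacl's \\NNN octal escapes with the literal characters."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), qualifier)


def parse_getfacl(text):
    """Return one dict per object: path, owner, group and a list of
    (is_default, tag, qualifier, perms) entries."""
    objects = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank separator between objects, or getfacl's own warning
        if line.startswith("# file:"):
            current = {"path": unescape(line[7:].strip()), "owner": None,
                       "group": None, "entries": []}
            objects.append(current)
        elif line.startswith("# owner:"):
            current["owner"] = unescape(line[8:].strip())
        elif line.startswith("# group:"):
            current["group"] = unescape(line[8:].strip())
        elif line.startswith("#"):
            continue  # e.g. "# flags:" on setuid/setgid/sticky objects
        else:
            is_default = line.startswith("default:")
            if is_default:
                line = line[8:]
            tag, qualifier, perms = line.split(":", 2)
            current["entries"].append((is_default, tag, unescape(qualifier), perms))
    return objects


def unresolved_principals(objects):
    """Return (path, where, id) for every owner, group or named ACL entry
    whose principal is a bare numeric id rather than a resolvable name."""
    findings = []
    for obj in objects:
        for field in ("owner", "group"):
            if obj[field] is not None and obj[field].isdigit():
                findings.append((obj["path"], field, obj[field]))
        for is_default, tag, qualifier, _perms in obj["entries"]:
            if tag in ("user", "group") and qualifier.isdigit():
                where = ("default:" if is_default else "") + tag
                findings.append((obj["path"], where, qualifier))
    return findings


if __name__ == "__main__":
    # Usage: getfacl -R /path/to/sysvol > dump.acl; python3 audit_facl.py dump.acl
    # (path is an assumption; without an argument the embedded sample is used)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, where, ident in unresolved_principals(parse_getfacl(text)):
        print("%s: %s %s is numeric (not resolvable by name)" % (path, where, ident))
```

On the sample this reports the four numeric entries (3000000, 3000001, 3000002 and the default-ACL 3000003) and nothing for the BUILTIN groups, which resolve by name. A sysvol dump that reports nothing is the state to aim for before touching rights from the Windows side.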

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
Sent: Thursday 6 July 2017 7:19
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5



* Sorry, it is not "chmod mike:'EMPRESA\unix_admins' test".  I wanted to say "chown mike:'EMPRESA\unix_admins' test"


I'm tired!  


2017-07-06 2:14 GMT-03:00 Marcio Demetrio Bacci <marciobacci at gmail.com>:
Hi,

My DC doesn't know domain users and groups by name, only by uid/gid.

Ex: chown mike:'EMPRESA\unix_admins' test
chown: invalid group mike:EMPRESA\\unix_admins

If run with the GID it works properly:
chown mike:30059 test
drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test

There is a unix_admins group:
wbinfo --gid-info 30059
EMPRESA\unix_admins:x:30059:

On the file server domain member the "chown" command with user and group names is OK:
chown mike:'EMPRESA\unix_admins' test
drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test

I have performed the following steps:

1) cd /usr/local/samba/var/locks/sysvol
2) mv empresa.com.br /root
3) mkdir empresa.com.br
4) samba-tool ntacl sysvolreset
5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
6) rmdir empresa.com.br
7) mv /root/empresa.com.br .
8) setfacl --restore=sysvol.permissions.acl 
9) samba-tool ntacl sysvolcheck

10) I went to the GPO editor and fixed the incorrect rights.

11) I have opened computer manager, connected to the DC, went to the security tab.
I have set up Sysvol security rights:
DOMAIN\Server Operators 
Creator Owner
Authenticated Users
SYSTEM
DOMAIN\Administrators 
 

Note 1: I have changed the sysvol folder owner to "unix_admins" too via MS Windows properties but, when I checked in the DC terminal, it didn't change (it continued with the same user and group).

Note 2: I have already removed the "Unix Attributes" of BUILTIN\Administrators, Group Policy Creator Owners and others via the Windows RSAT Tools - Active Directory Users and Computers (changed Domain NIS to None), but the UID/GID remain.

For example: the GID 3000275 still belongs to BUILTIN\Administrators.

Other notes:

Output of the "samba-tool ntacl sysvolreset" command:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


The command above (despite the mistakes) reset owner and group to root and 3000275 (BUILTIN\Administrators) respectively.
ls -l
drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br


Output of the "samba-tool ntacl sysvolcheck" command:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)

I'm already able to create and edit my GPOs, but I have many doubts:

1) Is there another way to remove UID / GID from the users and groups ?

2) Why does the GID number of BUILTIN\Administrators and other users and groups still remain ?

3) Is it normal that the DC does not identify users and groups by name, but only by UID / GID number ?

4) What are the problems with "samba-tool ntacl sysvolreset" and "samba-tool ntacl sysvolcheck" ?

5) When I change the users and groups of the sysvol folder via MS Windows, should it not be reflected in the DC terminal?

I would really like to solve these problems!

Regards,

Márcio Bacci


2017-07-05 3:07 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
Sorry, my error, you need an "empty domain" directory in sysvol then reset.
Then copy the rights, re-apply them .. Etc.


And good point Rowland.
Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 4 July 2017 21:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> On Tue, 4 Jul 2017 16:04:20 -0300
> Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
>
> > Hi Louis
> >
> >
> > I have moved "empresa.com.br" folder to /root. After I run
> samba-tool
> > ntacl sysvolreset, but some errors appear:
>
> Please put it back.
>
> Also which DC is this on, your first DC or the second one ?
> and if it is the second one, have you followed the wiki page
> I pointed you to, on your other post ?
>
> Or to put it another way, do both of your DCs sysvol directories (and
> sub-directories) match and have you synced idmap.ldb from the
> first DC to the second DC.
>
> I know what Louis told you to do, but you should only give
> 'Domain Users' a gidNumber attribute, you can also give
> 'Domain Admins' a gidNumber, but I personally think it is
> better to create a group called 'Unix Admins', make this
> group a member of 'Domain Admins' and then give this new
> group a gidNumber. Now use this group when setting
> permissions from Windows. My reasoning behind this: 'Domain Admins'
> needs to own policies in sysvol, it cannot do this if it has
> a gidNumber attribute.
> Do not give any other user or group from the well known sids
> a uidNumber or gidNumber, see here for the well known sids:
>
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
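Rowland's rule in the quoted message (only 'Domain Users' gets a gidNumber, 'Domain Admins' preferably not because it must own policies in sysvol, and no other well-known SID gets a uidNumber or gidNumber) is easy to drift from when attributes are set through the Unix Attributes tab, as Marcio's BUILTIN\Administrators with GID 3000275 shows. The script below is an added example, not Samba project code, that encodes that rule as an audit. It reads LDIF in the form ldbsearch prints it (objectSid already rendered as an S-1-... string; base64 `::` values are not decoded) and flags offenders. The S-1-5-32 BUILTIN prefix, the 512/513 RIDs and the convention that domain RIDs below 1000 are reserved for built-in principals are standard Windows values; the records in SAMPLE_LDIF are constructed.

```python
"""Audit AD users and groups for uidNumber/gidNumber on well-known principals.

Added example, not Samba project code. Rule applied (from Rowland's advice):
  - Domain Users (RID 513) may carry a gidNumber;
  - Domain Admins (RID 512) with a gidNumber is tolerated but warned about,
    since it then cannot own policies in sysvol;
  - every other well-known SID (S-1-5-32-* or a domain RID below 1000)
    must carry neither uidNumber nor gidNumber.
"""
import re
import sys

# Constructed sample in the layout ldbsearch prints (comments, blank-line
# separated records, objectSid as a string).
SAMPLE_LDIF = """# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

# record 2
dn: CN=Administrators,CN=Builtin,DC=example,DC=lan
sAMAccountName: Administrators
objectSid: S-1-5-32-544
gidNumber: 3000275

# record 3
dn: CN=Domain Admins,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10001

# record 4
dn: CN=unix_admins,CN=Users,DC=example,DC=lan
sAMAccountName: unix_admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1107
gidNumber: 30059

# record 5
dn: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=lan
sAMAccountName: Group Policy Creator Owners
objectSid: S-1-5-21-1111111111-2222222222-3333333333-520

# returned 5 records
"""

BUILTIN_PREFIX = "S-1-5-32-"
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512
FIRST_NON_WELLKNOWN_RID = 1000


def parse_ldif(text):
    """Return a list of {attribute: value} dicts, one per LDIF record.
    Skips '#' comment lines and joins folded continuation lines."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:
            current[last_key] += raw[1:]  # folded line continues previous value
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        records.append(current)
    return records


def classify(record):
    """Return None if the record is acceptable, else (severity, reason)."""
    sid = record.get("objectSid", "")
    ids = [a for a in ("uidNumber", "gidNumber") if a in record]
    if not ids:
        return None
    if sid.startswith(BUILTIN_PREFIX):
        return ("error", "BUILTIN principal must not have " + "/".join(ids))
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return None  # not a domain SID this rule judges
    rid = int(m.group(1))
    if rid == DOMAIN_USERS_RID:
        return None
    if rid == DOMAIN_ADMINS_RID:
        return ("warning", "Domain Admins with gidNumber cannot own sysvol policies; "
                           "prefer a separate Unix admins group nested in it")
    if rid < FIRST_NON_WELLKNOWN_RID:
        return ("error", "well-known domain RID %d must not have %s" % (rid, "/".join(ids)))
    return None


def audit(text):
    """Return [(severity, sAMAccountName, objectSid, reason)] for every offender."""
    out = []
    for rec in parse_ldif(text):
        verdict = classify(rec)
        if verdict:
            name = rec.get("sAMAccountName", rec.get("dn", "?"))
            out.append((verdict[0], name, rec.get("objectSid", ""), verdict[1]))
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for severity, name, sid, reason in audit(text):
        print("%s: %s (%s): %s" % (severity.upper(), name, sid, reason))
```

To run it against a DC, dump only the objects that carry POSIX ids, for example (sam.ldb path assumed; adjust to your prefix): `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid uidNumber gidNumber > ids.ldif` and then `python3 audit_ids.py ids.ldif`. On the sample it reports an error for BUILTIN Administrators and a warning for Domain Admins, and accepts Domain Users and the ordinary unix_admins group.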










