[Samba] Can't create/update Group Policy in Samba 4.6.5

Marcio Demetrio Bacci marciobacci at gmail.com
Thu Jul 6 18:35:09 UTC 2017


Hi Rowland

> > My DC doesn't know domains users and groups by name, only by uid/gid.
>
> Sounds like you haven't set up the libnss_winbind.so links or
> /etc/nsswitch.conf

I had not installed Winbind, but I have installed it now (the winbind,
libnss-winbind and libpam-winbind packages).

I configured /etc/nsswitch as below:

passwd:       compat winbind
group:          compat winbind
shadow:       compat
gshadow:     files
hosts:          files dns
networks:    files
protocols:   db files
services:    db files
ethers:       db files
rpc:            db files
netgroup:  nis

My /etc/pam.d/common-session looks like this:

session [default=1]             pam_permit.so
session requisite                pam_deny.so
session required                pam_permit.so
session required                pam_unix.so
session optional                pam_winbind.so


Below is my /usr/local/samba/etc/smb.conf of the DC:

[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = EMPRESA
 server role = active directory domain controller
 dns forwarder = 192.168.0.88
 idmap_ldb:use rfc2307 = yes
 ldap server require strong auth = no
 template shell = /bin/bash
 template homedir = home/%U

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
##########################################

The wbinfo -u, wbinfo -g and wbinfo -a <user> commands are OK, but "getent passwd"
only shows local users.
wbinfo --ping-dc doesn't show the short domain name; please see the output:

checking the NETLOGON dc connection to "" succeeded

The id <user> command doesn't work either:
id marcio
id: marcio: no such user


Do I need to set up the smb.conf of the Domain Controller with the parameters below?

  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:schema_mode = rfc2307
  idmap config EMPRESA:range = 10000-9999999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind refresh tickets = yes


What else could be wrong?

Regards,

Márcio Bacci

2017-07-06 4:58 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 6 Jul 2017 02:14:42 -0300
> Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > My DC doesn't know domains users and groups by name, only by uid/gid.
>
> Sounds like you haven't set up the libnss_winbind.so links
> or /etc/nsswitch.conf
>
> >
> > Ex: chmod mike:'EMPRESA\unix_admins' test
> > chown: invalid group mike:EMPRESA\\unix_admins
> >
> > if run with GID work properly
> > chmod mike:30059 test
> > drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test
>
> Where is 30059 coming from ?
> As standard I would expect numbers in the '3000000' range.
>
> >
> > There is unix_admins group
> > wbinfo --gid-info 30059
> > EMPRESA\unix_admins:x:30059:
> >
> > On the file server domain member, the "chown" command by user and group
> > names is OK:
> > chmod mike:'EMPRESA\unix_admins' test
> > drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test
> >
> > I have performed the following steps:
> >
> > 1) cd /usr/local/samba/var/locks/sysvol
> > 2) mv empresa.com.br /root
> > 3) mkdir empresa.com.br
> > 4) samba-tool ntacl sysvolreset
> > 5) getfacl -R /usr/local/samba/var/locks/sysvol > sysvol.permissions.acl
> > 6) rmdir empresa.com.br
> > 7) mv /root/empresa.com.br .
> > 8) setfacl --restore=sysvol.permissions.acl
> > 9) samba-tool ntacl sysvolcheck
> >
> > 10) I went to the GPO editor and fixed the incorrect rights.
> >
> > 11) I opened Computer Management, connected to the DC and went to the
> > security tab.
> > I have set up the Sysvol security rights:
> > DOMAIN\Server Operators
> > Creator Owner
> > Authenticated Users
> > SYSTEM
> > DOMAIN\Administrators
> >
> > Note 1: I have also changed the sysvol folder owner to "unix_admins" through
> > the MS Windows properties dialog, but when I checked in the DC terminal it
> > hadn't changed (it was still the same user and group).
> >
> > Note 2: I have already removed the "Unix Attributes" of
> > BUILTIN\Administrators, Group Policy Creator Owner and others with the
> > Windows RSAT tools - Active Directory Users and Computers (changed
> > NIS Domain to None), but the UID/GID remain.
> >
> > For example: the GID 3000275 still belongs to BUILTIN\Administrators.
> >
> > Other notes:
> >
> > output of "samba-tool ntacl sysvolreset" command:
> > open: error=2 (No such file or directory)
> > ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> >
> >
> > The command above (despite the errors) reset the owner and group to
> > root and 3000275 (BUILTIN\Administrators) respectively.
> > ls -l
> > drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br
> >
> >
> > output of "samba-tool ntacl sysvolcheck" command:
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
> >     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
> >     xattr.XATTR_NTACL_NAME)
> >
> > I'm already able to create and edit my GPOs, but I have many doubts:
> >
> > 1) Is there another way to remove the UID/GID from the users and
> > groups?
>
> Have you run 'net cache flush' on the DC ?
>
> >
> > 2) Why do the GID numbers of BUILTIN\Administrators and other users and
> > groups still remain?
>
> See above
>
> >
> > 3) Is it normal that the DC does not identify users and groups by name, but
> > only by UID/GID number?
>
> Yes
>
> >
> > 4) What are the problems with "samba-tool ntacl sysvolreset" and
> > "samba-tool ntacl sysvolcheck"?
>
> From my tests, too many to mention, but the main one is that sysvolreset
> does not set the correct ACEs.
>
> >
> > 5) When I change the users and groups of the sysvol folder from MS
> > Windows, should it not be reflected in the DC terminal?
> >
> > I would really like to solve these problems!
>
> So would I ;-)
>
> Rowland
>
>
>
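A small diagnostic script for the NSS/winbind setup discussed in this thread (added here; it is not from the original posts or from the Samba project). It assumes a Debian-style host where libnss_winbind.so.2 is registered with ldconfig and where wbinfo and getent are on PATH; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from this thread): checks the pieces that must be in
# place before "getent passwd" can show domain users through winbind.

# check_nsswitch FILE: succeed only if the passwd and group databases list
# "winbind" as a source in the given nsswitch.conf-style file.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|\$)" "$1" ||
            { echo "nsswitch: '${db}:' line does not list winbind" >&2; rc=1; }
    done
    return $rc
}

# check_nss_lib: succeed only if the dynamic linker can find libnss_winbind.so.2,
# which is the library the "winbind" NSS source actually loads.
check_nss_lib() {
    ldconfig -p 2>/dev/null | grep -q 'libnss_winbind\.so\.2' ||
        { echo "libnss_winbind.so.2 not in the linker cache (links/ldconfig missing)" >&2; return 1; }
}

# check_user USER: winbind resolving a user (wbinfo -i) while NSS does not
# (getent passwd) is the symptom in this thread; report which half fails.
check_user() {
    wbinfo -i "$1" >/dev/null 2>&1 || { echo "wbinfo cannot resolve $1" >&2; return 1; }
    getent passwd "$1" >/dev/null   || { echo "winbind resolves $1 but NSS does not" >&2; return 2; }
}

# run_checks [USER]: call this from the shell, e.g. run_checks marcio
run_checks() {
    check_nsswitch /etc/nsswitch.conf
    check_nss_lib
    [ -n "$1" ] && check_user "$1"
}
```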