[Samba] Problems with GPO

L.P.H. van Belle belle at bazuin.nl
Wed Jul 19 07:01:11 UTC 2017


Hai, 

Yes, all I see is correct so far.

But you're showing system ACLs; don't look there, because ... acl_xattr:ignore system acls = Yes
You're ignoring the system ACLs.

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
	acl_xattr:ignore system acls = Yes

And yes, once set from within Windows, you can forget your system ACLs.
It does not matter if you have drwxrwxr-x or drwxrws---+ on your folders.

acl_xattr:ignore system acls = yes can emulate the full NT ACL model without affecting the POSIX permissions.
Now run: man vfs_acl_xattr and see what this exactly does.

Best pointers I can give.

Root = Administrator, but it's best not to use them.
Create a new admin user, add that to "domain admins".
Set all needed SE privileges for the DC; this involves multiple Windows groups.

If you run: net rpc rights list accounts -U Administrator, you get a list of privileges.
This is my setup for SePrivileges on an AD DC (which is a copy of a Win 2008R2 server setup):

NTDOM\Domain Admins
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeMachineAccountPrivilege

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeDiskOperatorPrivilege

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege


Now learn which groups are in the "BUILTIN\...".
Example: BUILTIN\Administrators is a local system group, and "NTDOMAIN\Domain Admins" is a member of BUILTIN\Administrators.
Things like that.

Your GPOs work... what I expected ;-).
A good read is:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/ 
That explains why you need "authenticated users" for example.

Just don't get fooled by the rights you see in Linux.
For DCs it's very simple, if your DC is DC only (so only sysvol and netlogon shares):
Set up your DC, check its logs for some time, set up an automated backup of Samba.
And forget it.... ;-) When do I log in on my DCs (through Linux)?
When:
1) users on the list have questions ;-p
2) I need to reboot the server.

My server installs updates automatically, it just doesn't reboot by itself.
Everything else is done from within Windows.

Greetz, 

Louis





> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Tuesday 18 July 2017 21:11
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Problems with GPO
> 
> On 2017-07-18 at 21:01, Rowland Penny wrote:
> 
> > OK, I normally use 'ls -la', but it boils down to this:
> > 
> > You have lines that start 'drwxrwxr-x', I have 'drwxrws---+'
> > 
> > Note the '+' on the end, this means that there are ACLs set on the 
> > directory, you don't seem to have the ACLs.
> > 
> > Can you also explain why the owner of some of the Policies seems to be
> > a normal user?
> 
> me? no! ;-)
> 
> LPH told me not to chown ... I would like to have that *right*
> 
> Right now my GPOs work as planned. So: minimal invasive or no touch.
> 
> :-)
> 
> 
> 
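An added example, not from Louis's mail or the Samba project: a small POSIX shell audit that parses the listing format of `net rpc rights list accounts` (read from stdin) and reports which accounts hold a given privilege outside an allowed list, which is the check worth running after setting SE privileges on a DC. The sample listing is constructed from group names in the mail plus an invented NTDOM\helpdesk group; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original mail): audit who holds a given
# privilege in the output of `net rpc rights list accounts`.
# The listing format is the one shown in the mail: one block per account,
# blocks separated by blank lines, first line the account, then its privileges.

# Constructed sample listing: two groups from the mail plus an invented
# NTDOM\helpdesk group that was granted privileges it should not have.
SAMPLE_RIGHTS='NTDOM\Domain Admins
SeDiskOperatorPrivilege
SeBackupPrivilege
SeRestorePrivilege

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeInteractiveLogonRight

NTDOM\helpdesk
SeDebugPrivilege
SeBackupPrivilege
'

# holders_of PRIV: read a listing on stdin, print every account holding PRIV.
holders_of() {
    awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per account
        { for (i = 2; i <= NF; i++) if ($i == priv) { print $1; break } }
    '
}

# unexpected_holders PRIV ALLOWED...: like holders_of, but only print accounts
# that are not in the ALLOWED list, i.e. the ones that deserve a second look.
unexpected_holders() {
    priv=$1
    shift
    holders_of "$priv" | while IFS= read -r acct; do
        ok=0
        for allowed in "$@"; do
            [ "$acct" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$acct"
    done
}

# On a live DC the listing would come from:
#   net rpc rights list accounts -U Administrator | unexpected_holders SeDebugPrivilege 'NTDOM\Domain Admins' 'BUILTIN\Administrators'
# Against the constructed sample this prints NTDOM\helpdesk:
printf '%s' "$SAMPLE_RIGHTS" | unexpected_holders SeDebugPrivilege 'NTDOM\Domain Admins' 'BUILTIN\Administrators'
```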



