[Samba] GPO Problem

Rowland Penny rpenny at samba.org
Tue Jun 6 18:54:37 UTC 2017


On Tue, 6 Jun 2017 15:35:42 -0300
Epsilon Minus via samba <samba at lists.samba.org> wrote:

> Hi. I have a problem applying GPO. I do not know where to look.
> Reviewing, I found this:
> 
> # samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[sistemas]"
> ldb_wrap open of idmap.ldb
> Module 'acl_xattr' loaded
> Module 'dfs_samba4' loaded
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> #
> 
> 
> My smb.conf:
> root at DC02:~# cat /etc/samba/smb.conf
> 
> # Global parameters
> [global]
>     workgroup = CLINICAGUEMES
>     realm = CLINICAGUEMES.COM.AR
>     netbios name = DC02
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>     idmap_ldb:use rfc2307 = yes
>     ldap server require strong auth = No
>     log level = 3
> 
>     #### Disable the printer errors in the logs
>     load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
>     read only = No
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> 
> [sistemas]
>     path = /datos/grupos/sistemas
>     read only = No
>     valid users = +sistemas
> 
> 
> Is this ok?:
> 
> root at DC02:/var/lib/samba# ls -l
> total 1404
> -rw-------   1 root root       421888 nov 21  2016 account_policy.tdb
> -rw-------   1 root root          696 nov 21  2016 group_mapping.tdb
> drwxr-x---   2 root root         4096 ene 24 21:04 ntp_signd
> drwxr-xr-x  10 root root         4096 nov 21  2016 printers
> drwxr-xr-x   7 root root         4096 jun  6 15:33 private
> -rw-------   1 root root       528384 nov 21  2016 registry.tdb
> -rw-------   1 root root       421888 nov 21  2016 share_info.tdb
> drwxrwx---+  3 root    3000000   4096 jun  6 15:19 sysvol
> <<<<----------  is this okay?
> drwxrwx--T   2 root sambashare   4096 nov 21  2016 usershares
> -rw-------   1 root root        32768 jun  5 22:54 winbindd_cache.tdb
> drwxr-x---   2 root root         4096 ene 24 21:04 winbindd_privileged
> 
> I do not know where to look for the logs to apply the GPOs
> 

Not sure about the GPO (I don't use them), but the owner:group on
sysvol is okay.

Also, you cannot use 'valid users' on a DC, you need to set the ACLs
from windows.

Rowland
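As an added example (not code from this thread or from the Samba project): a small smb.conf lint that parses the file and flags a share-level 'valid users' when the server role is an AD domain controller, which is the configuration point Rowland raises. The sample config is constructed from the one quoted above; the parser and the list of role synonyms are assumptions of this example, not Samba's own loadparm code.

```python
import re

# Constructed sample, trimmed from the smb.conf quoted in the thread above.
SAMPLE_SMB_CONF = """\
[global]
    realm = CLINICAGUEMES.COM.AR
    server role = active directory domain controller

[sistemas]
    path = /datos/grupos/sistemas
    read only = No
    valid users = +sistemas
"""

# Synonyms Samba accepts for the AD DC server role (assumption of this example).
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text):
    """Minimal parser: {section: {param: value}}. Parameter names are lowercased
    with whitespace removed, as Samba matches them; comments (# or ;) and blank
    lines are skipped; 'include =' and line continuations are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def is_ad_dc(conf):
    """True when [global] declares the host an AD domain controller."""
    return conf.get("global", {}).get("serverrole", "").lower() in AD_DC_ROLES


def lint_smb_conf(text):
    """One finding per share that sets 'valid users' while the host is an AD DC."""
    conf = parse_smb_conf(text)
    if not is_ad_dc(conf):
        return []
    return [f"[{name}]: 'valid users = {p['validusers']}' cannot be used on an AD DC;"
            " set the share ACLs from Windows instead"
            for name, p in conf.items() if name != "global" and "validusers" in p]
```

Running `lint_smb_conf(SAMPLE_SMB_CONF)` reports the [sistemas] share; the same config with `server role = member server` produces no finding.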
