[Samba] GPO Problem
Elias Pereira
empbilly at gmail.com
Wed Jun 7 17:01:23 UTC 2017
Maybe this link helps.
https://wiki.samba.org/index.php/Updating_Samba#Fixing_Incorrect_Sysvol_and_Directory_ACLs
On Tue, Jun 6, 2017 at 4:09 PM, Epsilon Minus via samba <samba at lists.samba.org> wrote:
> 2017-06-06 15:54 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> > On Tue, 6 Jun 2017 15:35:42 -0300
> > Epsilon Minus via samba <samba at lists.samba.org> wrote:
> >
> >> Hi. I have a problem applying GPO. I do not know where to look.
> >> Reviewing, I found this:
> >>
> >> # samba-tool ntacl sysvolcheck
> >> lp_load_ex: refreshing parameters
> >> Initialising global parameters
> >> Processing section "[global]"
> >> Processing section "[netlogon]"
> >> Processing section "[sysvol]"
> >> Processing section "[sistemas]"
> >> ldb_wrap open of idmap.ldb
> >> Module 'acl_xattr' loaded
> >> Module 'dfs_samba4' loaded
> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> >> and 'force unknown acl user = true' for service sysvol
> >> #
> >>
> >>
> >> My smb.conf:
> >> root at DC02:~# cat /etc/samba/smb.conf
> >>
> >> # Global parameters
> >> [global]
> >> workgroup = CLINICAGUEMES
> >> realm = CLINICAGUEMES.COM.AR
> >> netbios name = DC02
> >> server role = active directory domain controller
> >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >> idmap_ldb:use rfc2307 = yes
> >> ldap server require strong auth = No
> >> log level = 3
> >>
> >> #### Disable the printer-related errors in the logs
> >> load printers = no
> >> printing = bsd
> >> printcap name = /dev/null
> >> disable spoolss = yes
> >>
> >>
> >> [netlogon]
> >> path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
> >> read only = No
> >>
> >> [sysvol]
> >> path = /var/lib/samba/sysvol
> >> read only = No
> >>
> >> [sistemas]
> >> path = /datos/grupos/sistemas
> >> read only = No
> >> valid users = +sistemas
> >>
> >>
> >> Is this OK?:
> >>
> >> root at DC02:/var/lib/samba# ls -l
> >> total 1404
> >> -rw------- 1 root root 421888 nov 21 2016 account_policy.tdb
> >> -rw------- 1 root root 696 nov 21 2016 group_mapping.tdb
> >> drwxr-x--- 2 root root 4096 ene 24 21:04 ntp_signd
> >> drwxr-xr-x 10 root root 4096 nov 21 2016 printers
> >> drwxr-xr-x 7 root root 4096 jun 6 15:33 private
> >> -rw------- 1 root root 528384 nov 21 2016 registry.tdb
> >> -rw------- 1 root root 421888 nov 21 2016 share_info.tdb
> >> drwxrwx---+ 3 root 3000000 4096 jun 6 15:19 sysvol <<<<---------- is okay?
> >> drwxrwx--T 2 root sambashare 4096 nov 21 2016 usershares
> >> -rw------- 1 root root 32768 jun 5 22:54 winbindd_cache.tdb
> >> drwxr-x--- 2 root root 4096 ene 24 21:04 winbindd_privileged
> >>
> >>
> >>
> >>
> >>
> >> I do not know where to look for the logs to apply the GPOs
> >>
> >
> > Not sure about the GPO (I don't use them), but the owner:group on
> > sysvol is okay.
> >
> > Also, you cannot use 'valid users' on a DC, you need to set the ACLs
> > from windows.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> Thank you. I removed "valid user" but the error continues.
>
> Add new information:
>
> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar# samba-tool gpo aclcheck
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc01.clinicaguemes.com.ar<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc01.clinicaguemes.com.ar<0x20>
> ERROR(runtime): uncaught exception - (-1073741766, '{Path Not Found} The path %hs does not exist.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1148, in run
>     fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>
>
> Excuse me. I'm not mean those errors.
>
>
--
Elias Pereira
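
A lint for the point made in the quoted reply above, that 'valid users' is not to be set on shares of a DC, as an added example that is not part of the original thread or of Samba. The sample configuration is constructed and the function names are hypothetical; the parser follows the smb.conf rules that case and whitespace in parameter names are ignored and that a trailing backslash continues a line.

```python
import re

# Constructed sample, shaped like the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[sistemas]
    path = /datos/grupos/sistemas
    Valid  Users = +sistemas
"""

# Spellings of the AD DC role accepted by 'server role', normalised.
DC_ROLES = {"activedirectorydomaincontroller", "domaincontroller", "dc"}

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections

def valid_users_on_dc(text):
    """Return shares that set 'valid users' when the server role is AD DC."""
    conf = parse_smb_conf(text)
    role = _norm(conf.get("global", {}).get("serverrole", ""))
    if role not in DC_ROLES:
        return []
    return sorted(s for s, p in conf.items() if s != "global" and "validusers" in p)
```

On the constructed sample, `valid_users_on_dc(SAMPLE_SMB_CONF)` reports the `sistemas` share; the same file with a non-DC server role reports nothing.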