[Samba] GPO Problem
Epsilon Minus
theepsilonminus at gmail.com
Tue Jun 13 14:17:01 UTC 2017
Thanks Elias.
But I ran samba-tool ntacl sysvolreset and got:
root at DC02:~# samba-tool ntacl sysvolreset
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[sistemas]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[sistemas]"
Module 'acl_xattr' loaded
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
'force unknown acl user = true' for service Unknown Service (snum == -1)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
'force unknown acl user = true' for service Unknown Service (snum == -1)
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[sistemas]"
ldb_wrap open of idmap.ldb
ldb_wrap open of idmap.ldb
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
'force unknown acl user = true' for service sysvol
Do you know what that means?
2017-06-07 14:01 GMT-03:00 Elias Pereira <empbilly at gmail.com>:
> Maybe this link helps.
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_Incorrect_Sysvol_and_Directory_ACLs
>
> On Tue, Jun 6, 2017 at 4:09 PM, Epsilon Minus via samba <
> samba at lists.samba.org> wrote:
>
>> 2017-06-06 15:54 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org
>> >:
>> > On Tue, 6 Jun 2017 15:35:42 -0300
>> > Epsilon Minus via samba <samba at lists.samba.org> wrote:
>> >
>> >> Hi. I have a problem applying GPO. I do not know where to look.
>> >> Reviewing, I found this:
>> >>
>> >> # samba-tool ntacl sysvolcheck
>> >> lp_load_ex: refreshing parameters
>> >> Initialising global parameters
>> >> Processing section "[global]"
>> >> Processing section "[netlogon]"
>> >> Processing section "[sysvol]"
>> >> Processing section "[sistemas]"
>> >> ldb_wrap open of idmap.ldb
>> >> Module 'acl_xattr' loaded
>> >> Module 'dfs_samba4' loaded
>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> >> and 'force unknown acl user = true' for service sysvol
>> >> #
>> >>
>> >>
>> >> My smb.conf:
>> >> root at DC02:~# cat /etc/samba/smb.conf
>> >>
>> >> # Global parameters
>> >> [global]
>> >> workgroup = CLINICAGUEMES
>> >> realm = CLINICAGUEMES.COM.AR
>> >> netbios name = DC02
>> >> server role = active directory domain controller
>> >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> >> winbindd, ntp_signd, kcc, dnsupdate
>> >> idmap_ldb:use rfc2307 = yes
>> >> ldap server require strong auth = No
>> >> log level = 3
>> >>
>> >> #### Disable the errors in the logs caused by the printers
>> >> load printers = no
>> >> printing = bsd
>> >> printcap name = /dev/null
>> >> disable spoolss = yes
>> >>
>> >>
>> >> [netlogon]
>> >> path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
>> >> read only = No
>> >>
>> >> [sysvol]
>> >> path = /var/lib/samba/sysvol
>> >> read only = No
>> >>
>> >> [sistemas]
>> >> path = /datos/grupos/sistemas
>> >> read only = No
>> >> valid users = +sistemas
>> >>
>> >>
>> >> Is this OK?:
>> >>
>> >> root at DC02:/var/lib/samba# ls -l
>> >> total 1404
>> >> -rw------- 1 root root 421888 nov 21 2016 account_policy.tdb
>> >> -rw------- 1 root root 696 nov 21 2016 group_mapping.tdb
>> >> drwxr-x--- 2 root root 4096 ene 24 21:04 ntp_signd
>> >> drwxr-xr-x 10 root root 4096 nov 21 2016 printers
>> >> drwxr-xr-x 7 root root 4096 jun 6 15:33 private
>> >> -rw------- 1 root root 528384 nov 21 2016 registry.tdb
>> >> -rw------- 1 root root 421888 nov 21 2016 share_info.tdb
>> >> drwxrwx---+ 3 root 3000000 4096 jun 6 15:19 sysvol
>> >> <<<<---------- is this okay?
>> >> drwxrwx--T 2 root sambashare 4096 nov 21 2016 usershares
>> >> -rw------- 1 root root 32768 jun 5 22:54 winbindd_cache.tdb
>> >> drwxr-x--- 2 root root 4096 ene 24 21:04 winbindd_privileged
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> I do not know where to look for the logs to apply the GPOs
>> >>
>> >
>> > Not sure about the GPO (I don't use them), but the owner:group on
>> > sysvol is okay.
>> >
>> > Also, you cannot use 'valid users' on a DC, you need to set the ACLs
>> > from windows.
>> >
>> > Rowland
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>>
>> Thank you. I removed "valid user" but the error continues.
>>
>> Adding new information:
>>
>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar# samba-tool gpo
>> aclcheck
>> ldb_wrap open of secrets.ldb
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> dc01.clinicaguemes.com.ar<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> dc01.clinicaguemes.com.ar<0x20>
>> ERROR(runtime): uncaught exception - (-1073741766, '{Path Not Found}
>> The path %hs does not exist.')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line
>> 1148, in run
>> fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL,
>> security.SEC_FLAG_MAXIMUM_ALLOWED)
>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>>
>>
>> Excuse me. I don't know what those errors mean.
>>
>>
>
>
>
> --
> Elias Pereira
>
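
Rowland's point in the quoted reply, that 'valid users' cannot be used on a DC share, can be checked mechanically. The following is an added example, not part of the original thread and not Samba code: a small smb.conf linter that flags shares still carrying 'valid users' when the server role is the AD DC value shown in the thread. The function names are hypothetical and the sample configuration is constructed from the one quoted above.

```python
import re

# Constructed sample, reduced from the smb.conf quoted in the thread.
SAMPLE_CONF = """\
[global]
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts

[sistemas]
    path = /datos/grupos/sistemas
    Valid  Users = +sistemas
"""

AD_DC_ROLE = "active directory domain controller"  # value used in the thread

def norm(name):
    """Section and parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}}, names normalised with norm()."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # comments start the line with # or ;
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections

def dc_share_findings(text):
    """On an AD DC, list (share, value) pairs that still set 'valid users'."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("serverrole", "").lower() != AD_DC_ROLE:
        return []
    return [(name, params["validusers"]) for name, params in sorted(conf.items())
            if name != "global" and "validusers" in params]

if __name__ == "__main__":
    for share, value in dc_share_findings(SAMPLE_CONF):
        print(f"[{share}] valid users = {value}: drop it, set ACLs from Windows")
```

Because parameter names are matched after removing case and whitespace, spellings such as `Valid  Users` or `validusers` are caught as well.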