[Samba] GPO Problem

Elias Pereira empbilly at gmail.com
Tue Jun 13 19:17:04 UTC 2017


>
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> lp_load_ex: refreshing parameters


What I can understand about this error is that you are using permissions via
POSIX and somehow this "unknown service" error is occurring.

Remove "valid users = + systems" and set the ACLs from Windows.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

On Tue, Jun 13, 2017 at 11:17 AM, Epsilon Minus <theepsilonminus at gmail.com>
wrote:

> Thanks Elias.
>
> But I run samba-tool ntacl sysvolreset and:
>
>
> root at DC02:~# samba-tool ntacl sysvolreset
> lp_load_ex: refreshing parameters
> Initialising global parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[sistemas]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[sistemas]"
> Module 'acl_xattr' loaded
> Module 'dfs_samba4' loaded
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[sistemas]"
> ldb_wrap open of idmap.ldb
> ldb_wrap open of idmap.ldb
>
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
>
>
> Do you know what that means?
>
>
>
> 2017-06-07 14:01 GMT-03:00 Elias Pereira <empbilly at gmail.com>:
>
>> Maybe this link helps.
>> https://wiki.samba.org/index.php/Updating_Samba#Fixing_Incorrect_Sysvol_and_Directory_ACLs
>>
>> On Tue, Jun 6, 2017 at 4:09 PM, Epsilon Minus via samba <
>> samba at lists.samba.org> wrote:
>>
>>> 2017-06-06 15:54 GMT-03:00 Rowland Penny via samba <
>>> samba at lists.samba.org>:
>>> > On Tue, 6 Jun 2017 15:35:42 -0300
>>> > Epsilon Minus via samba <samba at lists.samba.org> wrote:
>>> >
>>> >> Hi. I have a problem applying GPO. I do not know where to look.
>>> >> Reviewing, I found this:
>>> >>
>>> >> # samba-tool ntacl sysvolcheck
>>> >> lp_load_ex: refreshing parameters
>>> >> Initialising global parameters
>>> >> Processing section "[global]"
>>> >> Processing section "[netlogon]"
>>> >> Processing section "[sysvol]"
>>> >> Processing section "[sistemas]"
>>> >> ldb_wrap open of idmap.ldb
>>> >> Module 'acl_xattr' loaded
>>> >> Module 'dfs_samba4' loaded
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>>> >> and 'force unknown acl user = true' for service sysvol
>>> >> #
>>> >>
>>> >>
>>> >> My smb.conf:
>>> >> root at DC02:~# cat /etc/samba/smb.conf
>>> >>
>>> >> # Global parameters
>>> >> [global]
>>> >>     workgroup = CLINICAGUEMES
>>> >>     realm = CLINICAGUEMES.COM.AR
>>> >>     netbios name = DC02
>>> >>     server role = active directory domain controller
>>> >>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> >> winbindd, ntp_signd, kcc, dnsupdate
>>> >>     idmap_ldb:use rfc2307 = yes
>>> >>     ldap server require strong auth = No
>>> >>     log level = 3
>>> >>
>>> >>     #### Disable the errors in the logs caused by printers
>>> >>     load printers = no
>>> >>         printing = bsd
>>> >>         printcap name = /dev/null
>>> >>         disable spoolss = yes
>>> >>
>>> >>
>>> >> [netlogon]
>>> >>     path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
>>> >>     read only = No
>>> >>
>>> >> [sysvol]
>>> >>     path = /var/lib/samba/sysvol
>>> >>     read only = No
>>> >>
>>> >> [sistemas]
>>> >>     path = /datos/grupos/sistemas
>>> >>     read only = No
>>> >>     valid users = +sistemas
>>> >>
>>> >>
>>> >> Is this ok?:
>>> >>
>>> >> root at DC02:/var/lib/samba# ls -l
>>> >> total 1404
>>> >> -rw-------   1 root root       421888 nov 21  2016 account_policy.tdb
>>> >> -rw-------   1 root root          696 nov 21  2016 group_mapping.tdb
>>> >> drwxr-x---   2 root root         4096 ene 24 21:04 ntp_signd
>>> >> drwxr-xr-x  10 root root         4096 nov 21  2016 printers
>>> >> drwxr-xr-x   7 root root         4096 jun  6 15:33 private
>>> >> -rw-------   1 root root       528384 nov 21  2016 registry.tdb
>>> >> -rw-------   1 root root       421888 nov 21  2016 share_info.tdb
>>> >> drwxrwx---+  3 root    3000000   4096 jun  6 15:19 sysvol
>>> >> <<<<----------  is okay?
>>> >> drwxrwx--T   2 root sambashare   4096 nov 21  2016 usershares
>>> >> -rw-------   1 root root        32768 jun  5 22:54 winbindd_cache.tdb
>>> >> drwxr-x---   2 root root         4096 ene 24 21:04 winbindd_privileged
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> I do not know where to look for the logs to apply the GPOs
>>> >>
>>> >
>>> > Not sure about the GPO (I don't use them), but the owner:group on
>>> > sysvol is okay.
>>> >
>>> > Also, you cannot use 'valid users' on a DC, you need to set the ACLs
>>> > from windows.
>>> >
>>> > Rowland
>>> >
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>> Thank you. I removed "valid user" but the error continues.
>>>
>>> Add new information:
>>>
>>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar# samba-tool gpo
>>> aclcheck
>>> ldb_wrap open of secrets.ldb
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'naclrpc_as_system' registered
>>> GENSEC backend 'sasl-EXTERNAL' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'ntlmssp_resume_ccache' registered
>>> GENSEC backend 'http_basic' registered
>>> GENSEC backend 'http_ntlm' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> dc01.clinicaguemes.com.ar<0x20>
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> dc01.clinicaguemes.com.ar<0x20>
>>> ERROR(runtime): uncaught exception - (-1073741766, '{Path Not Found}
>>> The path %hs does not exist.')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line
>>> 1148, in run
>>>     fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER |
>>> security.SECINFO_GROUP | security.SECINFO_DACL,
>>> security.SEC_FLAG_MAXIMUM_ALLOWED)
>>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>>>
>>>
>>> Excuse me. I'm not mean those errors.
>>>
>>>
>>
>>
>>
>> --
>> Elias Pereira
>>
>
>


-- 
Elias Pereira
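
Added example (not part of the original message and not Samba project code): a
small Python check for the advice given in this thread, that 'valid users'
should not be set on shares of a Samba AD DC. The parser is a simplified
stand-in for Samba's own, the function names are hypothetical, and the sample
smb.conf is constructed from the one quoted above.

```python
import re

# Constructed sample, modelled on the smb.conf quoted in this thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    workgroup = CLINICAGUEMES
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /var/lib/samba/sysvol
[sistemas]
    path = /datos/grupos/sistemas
    read only = No
    valid users = +sistemas
"""

def _norm(name):
    # smb.conf parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; a minimal parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split on the first '=' only
            current[_norm(key)] = value.strip()
    return sections

def dc_valid_users_findings(text):
    """List (share, value) pairs where 'valid users' is set on a DC."""
    conf = parse_smb_conf(text)
    role = conf.get("global", {}).get("serverrole", "")
    if _norm(role) != "activedirectorydomaincontroller":
        return []  # the advice in the thread applies to DCs only
    return [(share, params["validusers"])
            for share, params in conf.items()
            if share != "global" and "validusers" in params]

if __name__ == "__main__":
    for share, value in dc_valid_users_findings(SAMPLE_SMB_CONF):
        print(f"[{share}] valid users = {value}: set the ACLs from Windows instead")
```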

