[Samba] GPO Problem

Epsilon Minus theepsilonminus at gmail.com
Wed Jun 14 16:27:21 UTC 2017


The first answer solved my problem.

Now I go for this!

Thank you!



2017-06-13 16:17 GMT-03:00 Elias Pereira <empbilly at gmail.com>:

>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> lp_load_ex: refreshing parameters
>
>
> What I can understand about this error is that you are using permissions via
> POSIX and somehow this "unknown service" error is occurring.
>
> Remove "valid users = + systems" and set the ACLs from Windows.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> On Tue, Jun 13, 2017 at 11:17 AM, Epsilon Minus <theepsilonminus at gmail.com> wrote:
>
>> Thanks Elias.
>>
>> But I run samba-tool ntacl sysvolreset and:
>>
>>
>> root at DC02:~# samba-tool ntacl sysvolreset
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[sistemas]"
>> ldb_wrap open of idmap.ldb
>> lp_load_ex: refreshing parameters
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[sistemas]"
>> Module 'acl_xattr' loaded
>> Module 'dfs_samba4' loaded
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> lp_load_ex: refreshing parameters
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[sistemas]"
>> ldb_wrap open of idmap.ldb
>> ldb_wrap open of idmap.ldb
>>
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> and 'force unknown acl user = true' for service sysvol
>>
>>
>> Do you know what that means?
>>
>>
>>
>> 2017-06-07 14:01 GMT-03:00 Elias Pereira <empbilly at gmail.com>:
>>
>>> Maybe this link helps.
>>> https://wiki.samba.org/index.php/Updating_Samba#Fixing_Incorrect_Sysvol_and_Directory_ACLs
>>>
>>> On Tue, Jun 6, 2017 at 4:09 PM, Epsilon Minus via samba <samba at lists.samba.org> wrote:
>>>
>>>> 2017-06-06 15:54 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
>>>> > On Tue, 6 Jun 2017 15:35:42 -0300
>>>> > Epsilon Minus via samba <samba at lists.samba.org> wrote:
>>>> >
>>>> >> Hi. I have a problem applying GPO. I do not know where to look.
>>>> >> Reviewing, I found this:
>>>> >>
>>>> >> # samba-tool ntacl sysvolcheck
>>>> >> lp_load_ex: refreshing parameters
>>>> >> Initialising global parameters
>>>> >> Processing section "[global]"
>>>> >> Processing section "[netlogon]"
>>>> >> Processing section "[sysvol]"
>>>> >> Processing section "[sistemas]"
>>>> >> ldb_wrap open of idmap.ldb
>>>> >> Module 'acl_xattr' loaded
>>>> >> Module 'dfs_samba4' loaded
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
>>>> true'
>>>> >> and 'force unknown acl user = true' for service sysvol
>>>> >> #
>>>> >>
>>>> >>
>>>> >> My smb.conf:
>>>> >> root at DC02:~# cat /etc/samba/smb.conf
>>>> >>
>>>> >> # Global parameters
>>>> >> [global]
>>>> >>     workgroup = CLINICAGUEMES
>>>> >>     realm = CLINICAGUEMES.COM.AR
>>>> >>     netbios name = DC02
>>>> >>     server role = active directory domain controller
>>>> >>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> >>     idmap_ldb:use rfc2307 = yes
>>>> >>     ldap server require strong auth = No
>>>> >>     log level = 3
>>>> >>
>>>> >>     #### Disable the errors in the logs caused by the printers
>>>> >>     load printers = no
>>>> >>         printing = bsd
>>>> >>         printcap name = /dev/null
>>>> >>         disable spoolss = yes
>>>> >>
>>>> >>
>>>> >> [netlogon]
>>>> >>     path = /var/lib/samba/sysvol/clinicaguemes.com.ar/scripts
>>>> >>     read only = No
>>>> >>
>>>> >> [sysvol]
>>>> >>     path = /var/lib/samba/sysvol
>>>> >>     read only = No
>>>> >>
>>>> >> [sistemas]
>>>> >>     path = /datos/grupos/sistemas
>>>> >>     read only = No
>>>> >>     valid users = +sistemas
>>>> >>
>>>> >>
>>>> >> Is this OK?
>>>> >>
>>>> >> root at DC02:/var/lib/samba# ls -l
>>>> >> total 1404
>>>> >> -rw-------   1 root root       421888 nov 21  2016 account_policy.tdb
>>>> >> -rw-------   1 root root          696 nov 21  2016 group_mapping.tdb
>>>> >> drwxr-x---   2 root root         4096 ene 24 21:04 ntp_signd
>>>> >> drwxr-xr-x  10 root root         4096 nov 21  2016 printers
>>>> >> drwxr-xr-x   7 root root         4096 jun  6 15:33 private
>>>> >> -rw-------   1 root root       528384 nov 21  2016 registry.tdb
>>>> >> -rw-------   1 root root       421888 nov 21  2016 share_info.tdb
>>>> >> drwxrwx---+  3 root    3000000   4096 jun  6 15:19 sysvol  <<<<----------  is okay?
>>>> >> drwxrwx--T   2 root sambashare   4096 nov 21  2016 usershares
>>>> >> -rw-------   1 root root        32768 jun  5 22:54 winbindd_cache.tdb
>>>> >> drwxr-x---   2 root root         4096 ene 24 21:04 winbindd_privileged
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> I do not know where to look for the logs to apply the GPOs
>>>> >>
>>>> >
>>>> > Not sure about the GPO (I don't use them), but the owner:group on
>>>> > sysvol is okay.
>>>> >
>>>> > Also, you cannot use 'valid users' on a DC, you need to set the ACLs
>>>> > from windows.
>>>> >
>>>> > Rowland
>>>> >
>>>> > --
>>>> > To unsubscribe from this list go to the following URL and read the
>>>> > instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>> Thank you. I removed "valid user" but the error continues.
>>>>
>>>> Add new information:
>>>>
>>>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar# samba-tool gpo aclcheck
>>>> ldb_wrap open of secrets.ldb
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'naclrpc_as_system' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> GENSEC backend 'ntlmssp_resume_ccache' registered
>>>> GENSEC backend 'http_basic' registered
>>>> GENSEC backend 'http_ntlm' registered
>>>> GENSEC backend 'krb5' registered
>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
>>>> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.CLINICAGUEMES.COM.AR<0x0>
>>>> resolve_lmhosts: Attempting lmhosts lookup for name dc01.clinicaguemes.com.ar<0x20>
>>>> resolve_lmhosts: Attempting lmhosts lookup for name dc01.clinicaguemes.com.ar<0x20>
>>>> ERROR(runtime): uncaught exception - (-1073741766, '{Path Not Found} The path %hs does not exist.')
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1148, in run
>>>>     fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
>>>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>>>> root at DC02:/var/lib/samba/sysvol/clinicaguemes.com.ar#
>>>>
>>>>
>>>> Excuse me. I'm not mean those errors.
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Elias Pereira
>>>
>>
>>
>
>
> --
> Elias Pereira
>
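
Added example, not part of the thread and not Samba's own code: a small Python audit of the smb.conf posted above that flags the `valid users` line which, per Rowland and Elias, should be replaced by ACLs set from Windows on a DC. It also flags `ldap server require strong auth = No`, which the thread does not discuss; the function names and the trimmed sample config are assumptions of this example.

```python
import re

# Constructed sample: the smb.conf quoted in the thread, cut down to the relevant lines.
SMB_CONF = """\
[global]
    server role = active directory domain controller
    ldap server require strong auth = No
[sysvol]
    path = /var/lib/samba/sysvol
[sistemas]
    path = /datos/grupos/sistemas
    valid users = +sistemas
"""

# Spellings of the AD DC role accepted for "server role".
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased, space-normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # smb.conf continues a line with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return (section, parameter, value) findings; empty unless the host is an AD DC."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("server role", "").lower() not in DC_ROLES:
        return findings
    for name, params in conf.items():
        # The thread's advice: no 'valid users' on a DC share, set the ACLs from Windows.
        if name != "global" and "valid users" in params:
            findings.append((name, "valid users", params["valid users"]))
    # Not raised in the thread: 'no' accepts LDAP binds without signing or TLS.
    strong = glob.get("ldap server require strong auth", "yes").lower()
    if strong in {"no", "false", "0", "off"}:
        findings.append(("global", "ldap server require strong auth", strong))
    return findings
```

Calling `audit(SMB_CONF)` returns one finding for `[sistemas]` and one for `[global]`; to check a live DC, pass the contents of `/etc/samba/smb.conf` instead of the sample.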

